harv_c
1 Copper

Redirect virus removal - search result links

I have cleaned and scanned with numerous tools. It redirects all links from search result pages, no matter the browser or search provider.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:53:34 AM, on 7/23/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dishmail.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://admin.isp.netscape.com/session/limited_session.jsp?connection_id=21050439L&page=https%3A%2F%2...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9470 bytes

0 Kudos
4 Replies
dragoscarlan
1 Copper

Re: Redirect virus removal - search result links

Use ComboFix; it worked for me. Sometimes it happens that after it finishes you will see a grey desktop; in that case you need to install SUPERAntiSpyware and use the repair option to fix your desktop. It is very powerful, and on very rare occasions, because of the infected file being deleted, you won't be able to boot into Windows, so before you run it make sure that you back up everything. Also I think that it would be a good idea to install RUBotted (free.antivirus.com/rubotted). It will scan your network for bot threats.

Dragos Carlan

dragos@dccomputerrepairs.co.uk

www.dccomputerrepairs.co.uk

0 Kudos
harv_c
1 Copper

Re: Redirect virus removal - search result links

ComboFix 11-07-23.04 - hcarter 07/23/2011  15:05:45.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3070.2286 [GMT -5:00]
Running from: c:\documents and settings\hcarter\Desktop\Gotcha.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-23 to 2011-07-23  )))))))))))))))))))))))))))))))
.
.
2011-07-23 20:05 . 2011-07-23 20:05 -------- d-----w- C:\32788R22FWJFW
2011-07-23 20:03 . 2011-07-23 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-07-23 20:01 . 2011-07-23 20:01 -------- d-----w- c:\program files\WinPcap
2011-07-23 14:51 . 2011-07-23 14:51 388096 ----a-r- c:\documents and settings\hcarter\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-23 14:51 . 2011-07-23 20:01 -------- d-----w- c:\program files\Trend Micro
2011-07-23 14:50 . 2011-07-23 14:50 1402880 ----a-w- C:\HijackThis.msi
2011-07-22 20:00 . 2011-07-22 18:12 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-07-22 18:12 . 2011-07-22 18:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-22 17:41 . 2011-07-21 19:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-22 17:41 . 2011-07-22 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-07-22 17:41 . 2011-07-22 17:41 -------- d-----w- c:\program files\Lavasoft
2011-07-22 17:40 . 2011-07-22 17:41 10285056 ----a-w- C:\Ad-Aware90Install.msi
2011-07-22 16:46 . 2011-07-22 16:46 -------- d-----w- c:\documents and settings\scarter\Application Data\Sammsoft
2011-07-22 15:38 . 2011-07-22 15:38 -------- d-----w- c:\documents and settings\hcarter\Application Data\Sammsoft
2011-07-22 13:49 . 2011-07-22 13:50 3433016 ----a-w- C:\AROLicense2011.exe
2011-07-22 13:01 . 2011-07-22 13:01 -------- d-----w- c:\documents and settings\Karen Carter\Application Data\Sammsoft
2011-07-22 13:01 . 2011-07-22 13:51 -------- d-----w- c:\program files\ARO 2011
2011-07-22 12:59 . 2011-07-22 13:00 5883832 ----a-w- C:\ARO2011_tbt.exe
2011-07-16 15:52 . 2011-07-16 15:52 8016 ----a-w- C:\cc_20110716_105201.reg
2011-07-16 12:17 . 2011-07-16 12:18 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Temp
2011-07-16 12:17 . 2011-07-16 12:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-07-14 18:46 . 2011-04-26 11:07 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-08 16:46 . 2011-07-08 16:46 -------- d-----w- c:\documents and settings\hcarter\Application Data\PCDr
2011-07-08 16:10 . 2011-07-08 16:10 4936 ----a-w- C:\cc_20110708_111015.reg
2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\program files\iolo
2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\documents and settings\hcarter\Application Data\iolo
2011-07-08 12:31 . 2011-07-08 12:31 -------- d-----w- c:\documents and settings\Administrator
2011-07-08 04:28 . 2011-07-08 04:28 -------- d-----w- c:\documents and settings\Karen Carter\Application Data\Template
2011-07-08 01:44 . 2011-07-08 01:44 4928 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-07-08 01:22 . 2011-07-08 01:22 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\KodakGallery
2011-07-06 12:01 . 2011-07-06 12:01 -------- d-----w- c:\documents and settings\hcarter\Application Data\AskToolbar
2011-07-06 11:52 . 2011-07-06 11:52 -------- d-----w- c:\documents and settings\scarter\Application Data\AskToolbar
2011-07-06 11:47 . 2011-07-06 11:47 -------- d-----w- c:\program files\Ask.com
2011-07-06 05:25 . 2011-07-06 05:56 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Adobe
2011-07-05 17:50 . 2011-07-05 17:51 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Deployment
2011-06-29 02:32 . 2011-06-29 02:32 661334 ----a-w- C:\cc_20110628_213218.reg
2011-06-29 02:01 . 2011-06-29 02:01 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-03 19:27 . 2010-03-13 21:52 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-03 19:27 . 2010-03-13 21:52 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-18 12:42 . 2011-05-17 03:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-10 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-10 17:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-07-22_21.04.38   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-20 18:19 . 2009-10-20 18:19 53299              c:\windows\system32\pthreadVC.dll
+ 2009-10-20 18:19 . 2009-10-20 18:19 50704              c:\windows\system32\drivers\npf.sys
+ 2009-10-20 18:19 . 2009-10-20 18:19 281104              c:\windows\system32\wpcap.dll
+ 2009-10-20 18:19 . 2009-10-20 18:19 100880              c:\windows\system32\Packet.dll
+ 2011-07-23 14:51 . 2011-07-23 14:51 1094656              c:\windows\Installer\2622a5.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-01 884696]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2011 12:41 PM 64512]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/13/2010 4:52 PM 136360]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/21/2011 2:59 PM 2151640]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [7/23/2011 3:01 PM 439632]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 4:17 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 4:17 PM 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [7/21/2011 2:59 PM 15232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NPF
*NewlyCreated* - RUBOTSRV
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 19:59]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 21:17]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 21:17]
.
2011-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1006Core.job
- c:\documents and settings\hcarter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 23:14]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1006UA.job
- c:\documents and settings\hcarter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 23:14]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1009Core.job
- c:\documents and settings\Karen Carter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 17:51]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1009UA.job
- c:\documents and settings\Karen Carter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 17:51]
.
2011-07-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-07-23 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
2011-07-23 c:\windows\Tasks\User_Feed_Synchronization-{708451AE-3678-44D7-B584-3903128EADBC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
2011-07-23 c:\windows\Tasks\User_Feed_Synchronization-{D8C30020-2FC0-40C9-9C30-14A16152B783}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dishmail.net
uInternet Connection Wizard,ShellNext = hxxp://admin.isp.netscape.com/session/limited_session.jsp?connection_id=21050439L&page=https%3A%2F%2Fmyaccount.isp.netscape.com%2Fmyaccount%2FLostPassword.do
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-23 15:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2876)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-23  15:10:15
ComboFix-quarantined-files.txt  2011-07-23 20:10
ComboFix2.txt  2011-07-22 21:06
.
Pre-Run: 468,688,707,584 bytes free
Post-Run: 468,689,825,792 bytes free
.
- - End Of File - - AAFBED3207F0FDEF165EAF5B6C8CC2DB

RUBotted found nothing. I was not asked to reboot, but I will do so now and test the search results.

0 Kudos
harv_c
1 Copper

Re: Redirect virus removal - search result links

This did not fix the problem; I am still being redirected, in any browser, with any search provider. All add-ons are disabled and I am not directing to a proxy or DNS name.

I will wait for your next direction. I see in a previous post on the same issue that a script was copied into ComboFix and it fixed that guy. From all my other reading, no other tool has removed this issue.

Thank you for the help. I have been through numerous malware tools.

0 Kudos
7 Gold

Re: Redirect virus removal - search result links

Welcome to Dell Community.

Although we appreciate his trying to help, please be aware that Dragos Carlan is not listed as a graduate of the malware removal schools that we contacted. It is understood by the trained analysts that once a helper replies to a log, he continues working with you on this forum until the issue is resolved.

harv_c, you have some choices:

1. You can, at risk, continue working with the person who has taken ownership of this thread.

2. You can repost your log at the top of the forum as a New Post, and wait for a trained analyst to reply.
A list is here: Please Read This Before Posting On The Malware Removal Forum

Thank you for your patience and understanding.


Windows Insider MVP 2016 - Present

Microsoft MVP - Consumer Security 2006-2016

Social Media and Community Professional

0 Kudos