Everything posted by sartorial

1. Hi Folks, Happy Thanksgiving. I'm unfortunately trying to debug my parents' computer that has a few symptoms:

1) All browsers are issuing redirects for queries.
2) All browsers also have new tabs created on the fly that forward me to a "Walmart" survey etc.
3) Periodically the Install Flash Player dialog box pops up but it automates the download, so it shows up and then shows it downloading content without my prompt or agreement. (I believe I've seen this before in a variant of ZeroAccessInf trojan.)

Without WiFi connected, the computer is running A LOT faster so it alludes to some malware running in the background. The computer is running Windows XP Home and currently has no active Norton Antivirus (subscription expired). I have not run any other tools besides DDS.

=================================

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by Manoo at 19:25:47 on 2012-11-23
#Option MBR scan is disabled.
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.117 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Norton 360\Engine\3.8.3.6\ccSvcHst.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee Security Scan\3.0.285\SSScheduler.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Norton 360\Engine\3.8.3.6\ccSvcHst.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uProxyServer = hxxp=127.0.0.1:8893
uProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\3.8.3.6\CoIEPlg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\3.8.3.6\IPSBHO.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Browser Helper Object: {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} -
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\3.8.3.6\CoIEPlg.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\3.8.3.6\CoIEPlg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TFncKy] TFncKy.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\manoo\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\manoo\startm~1\programs\startup\viikii~1.lnk - c:\program files\viikiidesktopplugin\ViiKiiDesktopPlugin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.285\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\metama~1.lnk - c:\program files\metamail inc\metamail tray\Metamail Trust Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} - hxxp://oakrpacs.oakhealth.net/iSite3_3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1345416512757
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote.oakwoodhealthcare.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F80B9305-A013-11D2-BD23-00A024978908} - file:///D:/viewer/accuradimage.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{251A3DD5-090E-43A1-906E-E021C1B6D712} : DHCPNameServer = 75.75.75.75 75.75.76.76
Filter: text/html - {7169208c-af64-4649-9a11-be3ec596a73d} -
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.3.6\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 217.20.175.74 www.review.2009softwarereviews.com
Hosts: 217.20.175.74 review.2009softwarereviews.com
Hosts: 217.20.175.74 a1.review.zdnet.com
Hosts: 217.20.175.74 www.d1.reviews.cnet.com
Hosts: 217.20.175.74 www.reviews.toptenreviews.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\manoo\application data\mozilla\firefox\profiles\6z9ami52.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2012-11-16 22:26; {8545daff-ad1e-493f-a37e-eed1ac79682b}; c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\IPSFFPlgn
FF - ExtSQL: !HIDDEN! 2009-09-03 13:39; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308030.006\SymEFA.sys [2012-8-19 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308030.006\BHDrvx86.sys [2012-8-19 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308030.006\cchpx86.sys [2012-8-19 467592]
R1 NEOFLTR_600_14137;Juniper Networks TDI Filter Driver (NEOFLTR_600_14137);c:\windows\system32\drivers\NEOFLTR_600_14137.sys [2009-4-1 64160]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.3.6\ccSvcHst.exe [2012-8-19 117648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20110107.002\IDSXpx86.sys [2011-1-7 341944]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.285\McCHSvc.exe [2012-9-5 234776]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110108.002\NAVENG.SYS [2011-1-8 86008]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110108.002\NAVEX15.SYS [2011-1-8 1360760]
.
=============== File Associations ===============
.
ShellExec: ymp.exe: open="c:\program files\yahoo!\yahoo! music engine\YahooMusicEngine.exe" -play "%1"
ShellExec: ymp.exe: play="c:\program files\yahoo!\yahoo! music engine\YahooMusicEngine.exe" -play "%1"
.
=============== Created Last 30 ================
.
2012-11-20 14:32:18 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan
2012-11-20 14:31:59 -------- d-----w- c:\program files\McAfee Security Scan
.
==================== Find3M ====================
.
2012-11-20 17:47:01 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-20 17:47:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-19 13:43:53 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-19 13:43:49 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-19 13:43:48 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-19 13:43:48 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 19:27:22.21 ===============

Attachments: dds.txt, attach.txt