
search engine redirect


My problem started with a System Restore Virus. After removing it, the search redirect began. I have used Malwarebytes then Hitman. It still came back and was also opening a second tab when IE was first opened.

Today I did a full scan with Malwarebytes and DDS download. IE opened fine but I am staying off it until I get a professional opinion if all is clean.

Thank you for your help, below are the logs

Malwarebytes' Anti-Malware


Database version: 6705

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/8/2011 11:46:29 AM

mbam-log-2011-06-08 (11-46-29).txt

Scan type: Full scan (C:\|)

Objects scanned: 255217

Time elapsed: 1 hour(s), 19 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{cca15f78-7193-4ca6-8115-2b570dd6546c}\RP1494\A0065605.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

c:\system volume information\_restore{cca15f78-7193-4ca6-8115-2b570dd6546c}\RP1494\A0065606.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.


DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by andre at 13:22:54 on 2011-06-08

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.120 [GMT -5:00]


AV: Norton AntiVirus 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Worm Protection *Enabled*


============== Running Processes ===============


C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs



C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe



C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\RDS\srscandr.exe



C:\Program Files\RDS\ddsschednt.exe


C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE


C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe


============== Pseudo HJT Report ===============


uStart Page = hxxp://apawestgeorgia.net/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.dell4me.com/myway

mSearch Bar = hxxp://websearch.drsnsrch.com/sidesearch.cgi?id=

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: BolgerObj Class: {302a3240-4805-4a34-97d7-1645a0b08410} - c:\windows\Bolger.dll

BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton antivirus\NavShExt.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton antivirus\NavShExt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [NAV CfgWiz] "c:\program files\norton antivirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

mRun: [WinVNC] "c:\windows\winvnc.exe" -servicehelper

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\malware\malware\mbam.exe" /runcleanupscript

mRunServices: [AutoEx9x] autoex9x.bat

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startd~1.lnk - c:\program files\rds\DdsLaunch.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: dgitraining.com\www

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/LSSupCtl.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - hxxp://download.websearch.com/Dnl/T_50212/QDow_AS2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38178.4678935185

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/SymAData.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/gold/default/gf.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab

DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - hxxp://cabs.media-motor.net/cabs/alien.cab

DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/bin/msnchat45.cab

TCP: DhcpNameServer =

TCP: Interfaces\{051842BB-5694-4AB3-907C-492CB7974C78} : DhcpNameServer =

Notify: igfxcui - igfxdev.dll


============= SERVICES / DRIVERS ===============


R1 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2005-12-19 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2005-12-19 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2006-1-11 192104]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2006-1-11 169576]

R2 DdsSched;Dds Scheduler Deamon;c:\program files\rds\DdsSchedNT.exe [2004-7-19 36864]

R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2006-2-5 139888]

R2 RsiSvc;Ridoc Server Information Service;c:\program files\rds\RsiSvc.exe [2004-7-19 65536]

R2 ScanRouterDriverV2;ScanRouterDriverV2;c:\program files\rds\SrScanDr.exe [2004-7-19 178688]

R2 SOption;SOption;c:\program files\rds\SOption.exe [2004-7-19 98304]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-13 1251720]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-2-14 102712]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070219.056\NAVENG.Sys [2007-2-20 80472]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070219.056\NavEx15.Sys [2007-2-20 852600]

S2 AutoExNT;AutoExNT;c:\windows\system32\autoexnt.exe [2003-4-18 7168]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]

S2 SvcProc;System Startup Service ;c:\windows\svcproc.exe --> c:\windows\svcproc.exe [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-7 39984]

S3 SAVScan;Symantec AVScan;c:\program files\norton antivirus\SAVScan.exe [2005-12-19 198416]


=============== Created Last 30 ================


2011-06-08 16:49:17 54016 ----a-w- c:\windows\system32\drivers\rxhjmb.sys

2011-06-07 14:51:54 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-06-07 14:42:41 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-07 14:41:07 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

2011-06-07 13:35:27 -------- d-----w- c:\documents and settings\andre\application data\Malwarebytes

2011-06-07 13:33:08 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-07 13:33:07 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-06-07 13:33:04 -------- d-----w- C:\Malware

2011-06-06 15:24:38 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-06-06 15:24:38 -------- d-----w- c:\windows\system32\wbem\Repository


==================== Find3M ====================



============= FINISH: 13:24:31.00 ===============
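As an added triage aid that is not part of this thread, of DDS or of any helper's toolkit: the script below parses a few of the DDS line shapes in the log above (BHO/TB registrations, Run keys, service lines and "Created Last 30" driver lines) and lists the entries a helper would look at first: orphaned "No File" CLSIDs, binaries loading straight from the Windows root, services whose file DDS could not find, and freshly created kernel drivers. The sample lines are a constructed subset copied from the log; the scan date, the tool-driver allowlist and the no-vowel name heuristic are my assumptions, and the output is a review list, not a verdict.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the DDS lines posted in this thread.
SAMPLE_DDS = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BolgerObj Class: {302a3240-4805-4a34-97d7-1645a0b08410} - c:\windows\Bolger.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WinVNC] "c:\windows\winvnc.exe" -servicehelper
S2 SvcProc;System Startup Service ;c:\windows\svcproc.exe --> c:\windows\svcproc.exe [?]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2006-2-5 139888]
2011-06-08 16:49:17 54016 ----a-w- c:\windows\system32\drivers\rxhjmb.sys
2011-06-07 13:33:08 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

# Date taken from the DDS header in the thread ("Run by andre at 13:22:54 on 2011-06-08").
SCAN_DATE = datetime(2011, 6, 8)

# Drivers belonging to the cleanup tools used in the thread (assumed allowlist, not exhaustive).
KNOWN_TOOL_DRIVERS = {"mbamswissarmy", "hitmanpro35"}

# One regex per DDS line shape handled here.
CLSID_RE = re.compile(r"^(BHO|TB|EB):\s*(?:(.*?):\s*)?\{[0-9A-Fa-f-]+\}\s*-\s*(.*)$")
RUN_RE = re.compile(r"^[um]Run(?:Services)?:\s*\[([^\]]+)\]\s*(.*)$")
SVC_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.*\.sys)$", re.I)
# A binary sitting directly in c:\windows (not in a subfolder) is unusual for legitimate software.
WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+$", re.I)


def run_target(rest):
    """Strip quotes and arguments from a Run-key command line, leaving the binary path."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split()[0] if rest else ""


def looks_random(stem):
    """Heuristic (assumption): driver names with no vowel at all, such as rxhjmb, are often generated."""
    return len(stem) >= 5 and re.search(r"[aeiouy]", stem, re.I) is None


def triage(text, scan_date=SCAN_DATE, window_days=2):
    """Return (kind, name, path, reason) tuples for DDS entries worth a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CLSID_RE.match(line)
        if m:
            kind, name, target = m.group(1), m.group(2) or "(unnamed)", m.group(3).strip()
            if target.lower() == "no file":
                findings.append((kind, name, target, "orphaned CLSID registration (No File)"))
            elif WINDOWS_ROOT.match(target):
                findings.append((kind, name, target, "module loads directly from the Windows root"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, target = m.group(1), run_target(m.group(2))
            if WINDOWS_ROOT.match(target):
                findings.append(("Run", name, target, "autostart binary in the Windows root"))
            continue
        m = SVC_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2)
            if "[?]" in rest:  # DDS marks services whose binary it could not stat with [?]
                path = rest.split("-->")[-1].replace("[?]", "").strip()
                findings.append(("Service", name, path, "service binary not found on disk"))
            continue
        m = CREATED_RE.match(line)
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d")
            path = m.group(2)
            stem = path.rsplit("\\", 1)[-1][:-4]
            if stem.lower() in KNOWN_TOOL_DRIVERS:
                continue
            if scan_date - created <= timedelta(days=window_days):
                reason = "kernel driver created inside the infection window"
                if looks_random(stem):
                    reason += "; random-looking file name"
                findings.append(("Driver", stem, path, reason))
    return findings


if __name__ == "__main__":
    for kind, name, path, reason in triage(SAMPLE_DDS):
        print(f"{kind:8} {name:22} {path}\n         -> {reason}")
```

Run against the full "Pseudo HJT Report", "SERVICES / DRIVERS" and "Created Last 30" sections of a DDS log, it gives a helper a short list to verify by hand before asking for ComboFix.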


Thanks for the assist, attached below





DDS (Ver_2011-06-03.01)


Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 7/10/2004 12:27:30 PM

System Uptime: 6/8/2011 7:53:42 AM (6 hours ago)


Motherboard: Dell Computer Corp. | | 0F4491

Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/533mhz


==== Disk Partitions =========================


A: is Removable

C: is FIXED (NTFS) - 37 GiB total, 22.922 GiB free.



==== Disabled Device Manager Items =============


==== System Restore Points ===================


RP1438: 3/9/2011 12:20:21 PM - System Checkpoint

RP1439: 3/9/2011 1:00:17 PM - Software Distribution Service 3.0

RP1440: 3/10/2011 1:11:14 PM - System Checkpoint

RP1441: 3/11/2011 3:11:14 PM - System Checkpoint

RP1442: 3/12/2011 5:11:14 PM - System Checkpoint

RP1443: 3/14/2011 9:26:27 AM - System Checkpoint

RP1444: 3/15/2011 11:15:23 AM - System Checkpoint

RP1445: 3/16/2011 12:49:57 PM - System Checkpoint

RP1446: 3/17/2011 2:49:58 PM - System Checkpoint

RP1447: 3/18/2011 4:49:57 PM - System Checkpoint

RP1448: 3/19/2011 5:01:39 PM - System Checkpoint

RP1449: 3/20/2011 7:01:57 PM - System Checkpoint

RP1450: 3/21/2011 8:50:03 PM - System Checkpoint

RP1451: 3/22/2011 10:50:03 PM - System Checkpoint

RP1452: 3/25/2011 11:09:06 AM - System Checkpoint

RP1453: 3/25/2011 1:00:16 PM - Software Distribution Service 3.0

RP1454: 3/28/2011 12:38:10 PM - System Checkpoint

RP1455: 3/29/2011 12:47:16 PM - System Checkpoint

RP1456: 3/30/2011 2:55:35 PM - System Checkpoint

RP1457: 2/20/2004 11:20:19 AM - System Checkpoint

RP1458: 4/1/2011 12:41:25 PM - System Checkpoint

RP1459: 4/4/2011 12:04:04 PM - System Checkpoint

RP1460: 4/5/2011 1:01:23 PM - System Checkpoint

RP1461: 4/6/2011 3:01:22 PM - System Checkpoint

RP1462: 4/11/2011 11:01:14 AM - System Checkpoint

RP1463: 4/12/2011 11:28:46 AM - System Checkpoint

RP1464: 4/13/2011 12:39:52 PM - System Checkpoint

RP1465: 4/14/2011 1:08:23 PM - System Checkpoint

RP1466: 4/18/2011 12:24:19 PM - System Checkpoint

RP1467: 4/18/2011 1:00:27 PM - Software Distribution Service 3.0

RP1468: 4/19/2011 1:17:32 PM - System Checkpoint

RP1469: 4/20/2011 2:34:00 PM - System Checkpoint

RP1470: 4/21/2011 2:55:53 PM - System Checkpoint

RP1471: 4/22/2011 4:34:00 PM - System Checkpoint

RP1472: 4/23/2011 6:34:00 PM - System Checkpoint

RP1473: 4/24/2011 8:34:00 PM - System Checkpoint

RP1474: 4/25/2011 8:34:07 PM - System Checkpoint

RP1475: 4/26/2011 10:47:37 PM - System Checkpoint

RP1476: 4/27/2011 1:00:17 PM - Software Distribution Service 3.0

RP1477: 2/19/2004 11:57:00 PM - System Checkpoint

RP1478: 5/2/2011 5:03:36 PM - System Checkpoint

RP1479: 5/3/2011 6:08:28 PM - System Checkpoint

RP1480: 5/4/2011 6:08:54 PM - System Checkpoint

RP1481: 5/5/2011 7:56:27 PM - System Checkpoint

RP1482: 5/6/2011 9:21:28 PM - System Checkpoint

RP1483: 5/7/2011 10:09:25 PM - System Checkpoint

RP1484: 5/9/2011 8:23:40 AM - System Checkpoint

RP1485: 5/10/2011 10:02:49 AM - System Checkpoint

RP1486: 5/11/2011 10:52:43 AM - System Checkpoint

RP1487: 5/12/2011 11:22:40 AM - System Checkpoint

RP1488: 5/12/2011 1:00:26 PM - Software Distribution Service 3.0

RP1489: 5/13/2011 2:18:26 PM - System Checkpoint

RP1490: 5/14/2011 4:02:01 PM - System Checkpoint

RP1491: 5/15/2011 4:15:31 PM - System Checkpoint

RP1492: 5/16/2011 6:15:34 PM - System Checkpoint

RP1493: 6/2/2011 11:04:18 AM - System Checkpoint

RP1494: 6/6/2011 10:19:47 AM - Restore Operation

RP1495: 6/6/2011 1:00:29 PM - Software Distribution Service 3.0

RP1496: 6/7/2011 7:41:16 AM - Restore Operation

RP1497: 6/8/2011 1:10:09 PM - System Checkpoint


==== Installed Programs ======================


Adobe Flash Player 10 ActiveX

Adobe Reader 7.0

Banctec Service Agreement


Dell Media Experience

Dell Networking Guide

Dell Solution Center

Dell Support


Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

Help and Support Customization

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Intel® Extreme Graphics 2 Driver

Intel® PRO Network Adapters and Drivers

Intel® PROSet

Internet Explorer Default Page

Internet Worm Protection

Jasc Paint Shop Photo Album

Jasc Paint Shop Pro 8 Dell Edition

Java 2 Runtime Environment, SE v1.4.2

Java Auto Updater

Java 6 Update 18

Learn2 Player (Uninstall Only)

LiveUpdate 3.0 (Symantec Corporation)

LiveUpdate Notice (Symantec Corporation)

Malwarebytes' Anti-Malware version

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft Data Access Components KB870669

Microsoft Encarta Encyclopedia Standard 2004

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Money 2004

Microsoft Money 2004 System Pack

Microsoft National Language Support Downlevel APIs

Microsoft Office 2000 Small Business

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)



Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.


  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


At your command, cool dog btw

ComboFix 11-06-09.01 - andre 06/09/2011 12:58:55.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.278 [GMT -5:00]

Running from: c:\documents and settings\andre\Desktop\ComboFix.exe

AV: Norton AntiVirus 2006 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Worm Protection *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



c:\documents and settings\Emily\Application Data\Sskknwrd.dll

c:\documents and settings\Emily\Application Data\Sskuknwrd.dll

c:\documents and settings\Emily\Local Settings\Temporary Internet Files\Ssk.log

c:\documents and settings\Emily\WINDOWS

c:\program files\Common Files\uninstall information

c:\windows\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf





Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected

Restored copy from - Kitty had a snack :P


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))







((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))



2011-06-07 14:51 . 2011-06-07 14:51 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-06-07 14:42 . 2011-06-07 14:42 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-07 14:41 . 2011-06-07 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-06-07 13:35 . 2011-06-07 13:35 -------- d-----w- c:\documents and settings\andre\Application Data\Malwarebytes

2011-06-07 13:33 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-07 13:33 . 2011-06-07 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-07 13:33 . 2011-06-07 13:33 -------- d-----w- C:\Malware

2011-06-06 15:24 . 2011-06-06 15:24 -------- d-----w- c:\windows\system32\wbem\Repository




(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))




((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown




"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-19 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]



"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-22 77824]

"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 52840]

"NAV CfgWiz"="c:\program files\Norton AntiVirus\CfgWiz.exe" [2006-02-02 120512]

"WinVNC"="c:\windows\winvnc.exe" [2003-09-29 622658]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]


c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Start Delivery Services.lnk - c:\program files\RDS\DdsLaunch.exe [2004-7-19 32768]


[HKEY_LOCAL_MACHINE\software\microsoft\security center]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]




"EnableFirewall"= 0 (0x0)




"c:\\Program Files\\RDS\\DdsAdmin.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=



"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


R2 DdsSched;Dds Scheduler Deamon;c:\program files\RDS\DdsSchedNT.exe [7/19/2004 12:14 PM 36864]

R2 RsiSvc;Ridoc Server Information Service;c:\program files\RDS\RsiSvc.exe [7/19/2004 12:15 PM 65536]

R2 ScanRouterDriverV2;ScanRouterDriverV2;c:\program files\RDS\SrScanDr.exe [7/19/2004 12:15 PM 178688]

R2 SOption;SOption;c:\program files\RDS\SOption.exe [7/19/2004 12:15 PM 98304]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/14/2007 7:48 PM 102712]

S2 AutoExNT;AutoExNT;c:\windows\SYSTEM32\autoexnt.exe [4/18/2003 7:05 PM 7168]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 9:58 AM 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 9:58 AM 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [6/7/2011 8:33 AM 39984]


Contents of the 'Scheduled Tasks' folder


2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 14:58]


2011-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 14:58]


2004-07-10 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2004-03-19 00:12]


2011-05-23 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - andre.job

- c:\progra~1\NORTON~1\Navw32.exe [2006-02-05 18:13]



------- Supplementary Scan -------


uStart Page = hxxp://apawestgeorgia.net/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.dell4me.com/myway

mSearch Bar = hxxp://websearch.drsnsrch.com/sidesearch.cgi?id=

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

Trusted Zone: dgitraining.com\www

TCP: DhcpNameServer =

DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab





catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-09 13:14

Windows 5.1.2600 Service Pack 3 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully

hidden files: 0




--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'explorer.exe'(2640)





------------------------ Other Running Processes ------------------------


c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Norton AntiVirus\navapsvc.exe

c:\program files\Norton AntiVirus\IWP\NPFMntor.exe




c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

c:\program files\Symantec\LiveUpdate\AUpdate.exe


c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe

c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe

c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe




Completion time: 2011-06-09 13:21:48 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-09 18:21


Pre-Run: 24,770,555,904 bytes free

Post-Run: 25,834,139,648 bytes free



[boot loader]



[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


- - End Of File - - 48DFC26AAAD3E88EB61BAD76F05E2142


The search redirections should have stopped now.

There are some older versions of Java on your computer. These can be a source of this infection.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 26 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u126 -windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_26 from Sun Microsystems Inc.



Please run this online scan to help look for remnants.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may however need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


Deleted the old Java and I got as far as running the new version. After successful install an error window popped up: Installer: Wrapper.CreateFile failed with error 5: Access is denied

I have not done anything after that, please advise if I should continue with your previous instruction.

Otherwise everything is acting normal.

Thanks again !


Here is the log from ESET;

C:\Program Files\TopSearch\TopSearch.dll Win32/Adware.Instafinder.B application

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1496\A0065802.dll Win32/Adware.WBug.A application

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1497\A0066870.sys Win32/Olmasco.E trojan


We'll remove one program folder and do some house cleaning at the same time.

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    C:\Program Files\TopSearch\TopSearch.dll
    ipconfig /flushdns /c

  • Return to OTM, right click in the "Paste instructions for items to be Moved" window (under the light yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Go ahead and shut it down, then do the following:

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK


As for Java. Go to the site below:


Scroll Down to:

Here's how to fix Java:

Follow the instructions there.

Then post the OTM\MovedFiles report.


Java installed after running MSFix, same error after install.

OTM Log:

All processes killed

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

DllUnregisterServer procedure not found in C:\Program Files\TopSearch\TopSearch.dll

C:\Program Files\TopSearch\TopSearch.dll moved successfully.

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\andre\Desktop\cmd.bat deleted successfully.

C:\Documents and Settings\andre\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully


User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: andre

->Temp folder emptied: 39448 bytes

->Temporary Internet Files folder emptied: 43025323 bytes

->Java cache emptied: 7802822 bytes

->Flash cache emptied: 1294896 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32768 bytes

User: Emily

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 2195587 bytes

->Flash cache emptied: 2476 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 65670 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 39097 bytes

%systemroot%\System32 .tmp files removed: 75436049 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 483 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33793 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 124.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version log created on 06142011_083930

Files moved on Reboot...

Registry entries deleted on Reboot...


Purge old temporary files. Now that we are done.... :)

Please download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

You should keep TFC and run it once a week.

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

It's a good idea to Flush your System Restore after removing malware and create a new restore point.


1. Go to Start > Programs > Accessories > System Tools and click "System Restore".

2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

3. Then go to Start > Run and type: Cleanmgr

4. Click "OK".

5. Click the "More Options" Tab.

6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.

How to Create a Restore Point.

How to use Cleanmgr.

Here are some additional links for you to check out to help you with your computer security.


Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it. WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check whether you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not operating system flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Tips for Speeding Up Your PC

Visit My Blog for Malware and Spyware Tips


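The six Custom Level changes in the "Make your Internet Explorer more secure" list above are stored as DWORD values under the Internet zone's registry key, so they can be audited and applied with a script instead of clicking through the dialog. The PowerShell below is an added example; it is not from the original post and is not part of any tool used in this thread. It assumes the documented IE zone action IDs (1001, 1004, 1201, 1800, 1804, 1607 under Zones\3) and the documented value meanings (0 = Enable, 1 = Prompt, 3 = Disable), and it touches the current user's hive only.

```powershell
# Added example, not from the original post or the tools used in this thread.
# Audits (and with -Apply, sets) the six Internet-zone Custom Level settings
# the post lists, using the documented IE URL-action IDs under Zone 3.
# Values: 0 = Enable, 1 = Prompt, 3 = Disable. Current user's (HKCU) hive only.
param([switch]$Apply)

$zoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Desired state, one entry per setting named in the post.
$wanted = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Value = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Value = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Value = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Value = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Value = 1 }
)

if (-not (Test-Path $zoneKey)) { throw "Internet zone key not found: $zoneKey" }

# If this policy value is 1, IE ignores the HKCU zone settings and reads the
# HKLM copy instead, so anything written below would have no effect.
$hklmOnly = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) {
    Write-Warning 'Security_HKLM_only is set; IE uses HKLM zone settings, not HKCU.'
}

$current  = Get-ItemProperty -Path $zoneKey
$mismatch = 0
foreach ($s in $wanted) {
    $actual = $current.($s.Id)            # $null if the value was never written
    if ($actual -eq $null)                       { $shown = 'not set (IE default)' }
    elseif ($labels.ContainsKey([int]$actual))   { $shown = $labels[[int]$actual] }
    else                                         { $shown = "unknown ($actual)" }

    if ($actual -eq $s.Value) {
        Write-Output ("OK       {0} = {1}" -f $s.Name, $shown)
        continue
    }
    $mismatch++
    Write-Output ("MISMATCH {0}: is {1}, want {2}" -f $s.Name, $shown, $labels[$s.Value])
    if ($Apply) {
        # Written as a DWORD so IE reads it the same way the dialog writes it.
        Set-ItemProperty -Path $zoneKey -Name $s.Id -Value $s.Value -Type DWord
        Write-Output ("         -> set {0} to {1}" -f $s.Id, $labels[$s.Value])
    }
}
Write-Output ("{0} of {1} settings differ from the post's recommendation." -f $mismatch, $wanted.Count)
```

Save it as, for example, Audit-IEZone.ps1 and run it without arguments to see which settings differ; add -Apply to write the recommended values. Because it edits HKCU, it covers only the user who runs it: the OTM log above shows more than one profile on this machine (andre and Emily), so each user would need to run it, or the same changes would need to be made in each profile's hive. Restart Internet Explorer afterwards so it re-reads the zone settings.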
