I am using Firefox and it is being redirected....
Just downloaded Firefox....still redirected....
no running reglooks...
I meant....now running reglooks.....will post log as soon as it is finished....
OK.
REGLOOKS logfile
version 0.977
Sun 10/05/2008 23:02:38.20
running from: "C:\Program Files\Mozilla Firefox"
--- SSODL regkeys ---
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
only standard or legit regkeys found
--- STS regkeys ---
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found
--- USERINIT regkey ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
--- SHELL regkey ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"
--- SYSTEM regkey ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"=""
--- APPINIT_DLLS regkey ---
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""
--- NOTIFY regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
only standard or legit regkeys found
--- RUN / LOAD regkeys ---
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"load"=""
--- BOOTEXECUTE regkey ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute= autocheck autochk *\0\0
--- SHELLEXECUTEHOOKS regkey ---
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
--- AUTORUN regkeys ---
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
"AutoRun"=""
--- HKLM\Run regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
[Run\OptionalComponents]
@=""
[Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""
[Run\OptionalComponents\MSFS]
"Installed"="1"
@=""
--- HKLM\RunOnce regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found
--- HKLM\RunOnceEx regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKLM RunOnceEx keys found
--- HKLM\RunServices regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
regkey does not exist
--- HKLM\RunServicesOnce regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist
--- HKCU\Run regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
--- HKCU\RunOnce regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKCU RunOnce keys found
--- HKCU\RunOnceEx regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
regkey does not exist
--- HKCU\RunServices regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
regkey does not exist
--- HKCU\RunServicesOnce regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist
--- HKU\.DEFAULT\Run regkeys - Default user ---
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\.DEFAULT\Run keys found
--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-18\Run keys found
--- HKU\S-1-5-19\Run regkeys - User Lokale service ---
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-19\Run keys found
--- HKU\S-1-5-20\Run regkeys - User Netwerkservice ---
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-20\Run keys found
--- HKLM\Explorer\Run regkeys ---
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
regkey does not exist
--- HKCU\Explorer\Run regkeys ---
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
regkey does not exist
--- Image File Execution regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
no debuggers found
--- BROWSER HELPER OBJECTS regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" regkey not found (ERROR)
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" FILE ="C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll"
--- TOOLBAR regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
no toolbars found
--- URLSEARCHHOOKS regkeys ---
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
only standard regkeys found
--- CONTEXTMENUHANDLERS regkeys ---
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"avast" CLSID ={472083B0-C522-11CF-8763-00608CC02F24} FILE ="C:\\Program Files\\Alwil Software\\Avast4\\ashShell.dll"
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers
"avast" CLSID ={472083B0-C522-11CF-8763-00608CC02F24} FILE ="C:\\Program Files\\Alwil Software\\Avast4\\ashShell.dll"
"MBAMShlExt" CLSID ={57CE581A-0CB6-4266-9CA0-19364C90A0B3} FILE ="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamext.dll"
--- ALTERNATESHELL regkey ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
"AlternateShell"="cmd.exe"
--- SAFEBOOT MINIMAL SERVICES ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
TDSSserv.sys
--- SAFEBOOT NETWORK SERVICES ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
TDSSserv.sys
--- SERVICES ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswFsBlk
"DisplayName"="aswFsBlk"
system32\DRIVERS\aswFsBlk.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswSP
"DisplayName"="avast! Self Protection"
no imagepath value found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BCM42XX
"DisplayName"="Broadcom iLine10(tm) Network Adapter Driver"
System32\DRIVERS\bcm42xx5.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BCMModem
"DisplayName"="BCM V.90 56K Modem"
System32\DRIVERS\BCMDM.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BVRPMPR5
"DisplayName"="BVRPMPR5 NDIS Protocol Driver"
\??\G:\INSTAL~E\Core\BVRPMPR5.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMICall
"DisplayName"="Sony DMI Call service"
System32\DRIVERS\DMICall.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dot4
"DisplayName"="MS IEEE-1284.4 Driver"
System32\DRIVERS\Dot4.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dot4Print
"DisplayName"="Print Class Driver for IEEE-1284.4"
System32\DRIVERS\Dot4Prt.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPVNMon
"DisplayName"="Visual NDMonitor"
no imagepath value found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASDIFSV
"DisplayName"="SASDIFSV"
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASENUM
"DisplayName"="SASENUM"
\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASKUTIL
"DisplayName"="SASKUTIL"
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SonyFKC
"DisplayName"="FAN and Keyboard Control Service"
System32\Drivers\SonyFKC.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SONYWBMS
"DisplayName"="Sony Memory Stick controller(WB)"
System32\DRIVERS\SonyWBMS.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd
no imagepath value found
service TDSSserv NOT FOUND
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\V7
no imagepath value found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD
no imagepath value found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wanatw
"DisplayName"="WAN Miniport (ATW)"
System32\DRIVERS\wanatw4.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{1665CEB2-B4F2-48E6-950A-6B3301B092A1}
no imagepath value found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7B67BCB7-F427-4663-8CEB-B22CCC5B5F18}
no imagepath value found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B4C1B459-0043-420B-B191-B320E3B13266}
no imagepath value found
--- SECURITYPROVIDERS regkey ---
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
--- SVCHOST regkey ---
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
LocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService: DnsCache\0\0
netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0helpsvc\0WmdmPmSN\0xmlprov\0wscsvc\0\0
rpcss: RpcSs\0\0
imgsvc: StiSvc\0\0
termsvcs: TermService\0\0
HTTPFilter: HTTPFilter\0\0
DcomLaunch: DcomLaunch\0TermService\0\0
WudfServiceGroup: WUDFSvc\0\0
--- WOW-CMDLINE regkeys ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
--- DNS SERVER regkeys ---
no "NameServer" values found
--- STARTUP FOLDERS ---
C:\Documents and Settings\Susheel\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
--- TASK SCHEDULER JOBS ---
no .job files found
--- File associations ---
.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
FINISHED
I don't see one damn thing responsible for redirections.
See if you can run this...
Run the F-Secure online scan for Viruses, Spyware and RootKits: http://support.f-secure.com/enu/home/ols.shtml
This scanner works with Internet Explorer only
* Go to the F-Secure Online Virus Scanner
* Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
* Allow the ActiveX control to be installed on your computer, then click the Accept button
* Click Full System Scan and allow the components to download and the scan to complete.
* If malware is found, check Submit samples to F-Secure then select Automatic cleaning
* When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
* Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
* When the cleaning option is presented, Uncheck Submit samples to F-Secure
* Click Automatic cleaning
* When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
* Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post along with a fresh HijackThis log.
Note:
* This scan will only work with Internet Explorer
* You must have administrator rights to run this scan
* This scan can take over an hour so please be patient
OMG!!!!!!!!!!
I can't launch that link....I am blocked...I tried it in Internet Explorer.
I hope I have described my situation correctly....sorry - it seems that you are getting frustrated also...
I hope that it is a "redirection" issue...as that is what I think it is....
Now when I type www.yahoo.com.....it defaults to www.m.yahoo.com....!?!?!?!?!?
I meant.....http://m.www.yahoo.com
Hmmmmm
Another try, if you can...
Download F-Secure Blacklight Rootkit Eliminator: http://www.pcworld.com/downloads/fil...l?tk=nl_ddxdwn to your desktop.
Double click on downloaded fsbl.exe file to run the program.
Accept agreement.
Click on Scan button.
When scan finishes, DO NOT attempt any fixes.
Find fsbl-***.log file on your desktop.
Open it in Notepad.
Copy the content, and paste it in your next reply.
10/06/08 08:06:20 [Info]: BlackLight Engine 1.0.70 initialized
10/06/08 08:06:20 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/06/08 08:06:21 [Note]: 7019 4
10/06/08 08:06:21 [Note]: 7005 0
10/06/08 08:06:33 [Note]: 7006 0
10/06/08 08:06:33 [Note]: 7011 1776
10/06/08 08:06:33 [Note]: 7035 0
10/06/08 08:06:33 [Note]: 7026 0
10/06/08 08:06:33 [Note]: 7026 0
10/06/08 08:06:39 [Note]: FSRAW library version 1.7.1024
10/06/08 08:06:50 [Note]: 2000 1012
10/06/08 08:06:50 [Note]: 2000 1012
10/06/08 08:07:04 [Note]: 7006 0
10/06/08 08:07:04 [Note]: 7011 1776
10/06/08 08:07:04 [Note]: 7035 0
10/06/08 08:07:04 [Note]: 7026 0
10/06/08 08:07:04 [Note]: 7026 0
10/06/08 08:07:09 [Note]: FSRAW library version 1.7.1024
10/06/08 08:07:20 [Note]: 2000 1012
10/06/08 08:07:20 [Note]: 2000 1012
10/06/08 08:07:51 [Note]: 7007 0
Any further thoughts????
Nothing here.
Next step:
Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Attach the log to your next reply.
Failed to Connect
Firefox can't establish a connection to the server at www.gmer.net.
Though the site seems valid, the browser was unable to establish a connection.
* Could the site be temporarily unavailable? Try again later.
* Are you unable to browse other sites? Check the computer's network connection.
* Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.
I tried running it in Internet Explorer also.....and it didn't work there either.....