Topic: [Inactive] Browsers hijacked. Search results redirect to ads when clicked.


Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22698
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Are there any other logs in qoobox?

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline doug1168w

  • Bronze Member
  • Posts: 31
Yes, this one from yesterday....

ComboFix 11-08-22.03 - mobile 08/22/2011  12:59:39.3.2 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3037.1811 [GMT -4:00]
Running from: c:\users\mobile\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2011-07-22 to 2011-08-22  )))))))))))))))))))))))))))))))
.
.
2011-08-22 17:28 . 2011-08-22 17:28   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-08-22 16:32 . 2011-08-22 16:32   --------   d-----w-   C:\_OTM
2011-08-22 11:48 . 2011-08-22 11:48   601424   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{258A6E42-A57D-4289-9DE7-FFF792AA1EF9}\gapaengine.dll
2011-08-22 11:48 . 2011-08-12 01:10   8862544   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3F2D6D6A-D182-4DAD-B277-E7A5C209D1D5}\mpengine.dll
2011-08-22 11:44 . 2011-08-22 11:44   --------   d-----w-   c:\program files (x86)\Microsoft Security Client
2011-08-22 11:43 . 2011-08-22 11:44   --------   d-----w-   c:\program files\Microsoft Security Client
2011-08-22 11:43 . 2010-04-09 11:06   374664   ----a-w-   c:\windows\system32\drivers\netio.sys
2011-08-22 08:52 . 2011-08-22 09:44   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
2011-08-22 08:52 . 2011-08-22 08:55   --------   d-----w-   c:\program files (x86)\Spybot - Search & Destroy
2011-08-22 07:18 . 2011-08-22 04:50   16432   ----a-w-   c:\windows\system32\lsdelete.exe
2011-08-22 05:39 . 2011-02-18 06:33   31232   ----a-w-   c:\windows\system32\prevhost.exe
2011-08-22 05:39 . 2011-02-18 05:33   31232   ----a-w-   c:\windows\SysWow64\prevhost.exe
2011-08-22 05:10 . 2011-07-16 02:26   2048   ----a-w-   c:\windows\SysWow64\user.exe
2011-08-22 05:01 . 2011-06-21 06:27   1896832   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2011-08-22 05:01 . 2011-06-11 02:56   3134464   ----a-w-   c:\windows\system32\win32k.sys
2011-08-22 05:01 . 2011-06-23 05:29   5507968   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-08-22 05:01 . 2011-06-23 04:38   3957120   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2011-08-22 05:01 . 2011-06-23 04:38   3902336   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2011-08-22 04:50 . 2011-08-22 04:50   55384   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2011-08-22 04:46 . 2011-07-21 18:59   69376   ----a-w-   c:\windows\system32\drivers\Lbd.sys
2011-08-22 04:46 . 2011-08-22 04:46   --------   d-----w-   c:\programdata\Lavasoft
2011-08-22 04:46 . 2011-08-22 04:46   --------   d-----w-   c:\program files (x86)\Lavasoft
2011-08-22 04:30 . 2011-08-22 04:30   --------   d-----w-   c:\users\mobile\AppData\Roaming\AVG10
2011-08-22 04:29 . 2011-08-22 09:50   --------   d-----w-   c:\programdata\AVG10
2011-08-22 04:29 . 2011-08-22 09:48   --------   d-----w-   c:\windows\system32\drivers\AVG
2011-08-22 04:28 . 2011-08-22 04:28   --------   d-----w-   c:\program files (x86)\AVG
2011-08-22 04:21 . 2011-08-22 04:21   --------   d--h--w-   c:\programdata\Common Files
2011-08-22 04:21 . 2011-08-22 09:48   --------   d-----w-   c:\programdata\MFAData
2011-08-22 04:11 . 2011-08-22 04:11   --------   d-----w-   c:\users\mobile\AppData\Local\Mozilla
2011-08-22 02:55 . 2011-08-16 12:48   8862544   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{BC9F8311-B2C4-4514-8611-D1B9FEFB723C}\mpengine.dll
2011-08-18 18:52 . 2011-08-18 18:52   --------   d--h--w-   c:\users\mobile\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-20 22:40 . 2011-07-20 22:40   0   ---ha-w-   c:\users\mobile\AppData\Local\BIT6C8E.tmp
2011-07-20 17:19 . 2011-07-20 17:19   0   ---ha-w-   c:\users\mobile\AppData\Local\BIT5C48.tmp
2011-07-16 04:32 . 2011-08-22 05:11   44032   ----a-w-   c:\windows\apppatch\acwow64.dll
2011-06-17 19:18 . 2011-06-17 19:18   404640   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2009-04-08 18:31 . 2009-04-08 18:31   106496   ----a-w-   c:\program files (x86)\Common Files\CPInstallAction.dll
2008-08-12 05:45 . 2008-08-12 05:45   155648   ----a-w-   c:\program files (x86)\Common Files\MSIactionall.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-08-22_16.15.11   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2011-08-22 16:13   16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-08-22 17:30   16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-08-22 17:30   32768              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-22 16:13   32768              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-22 16:13   16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-08-22 17:30   16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-01 20:34 . 2011-08-22 17:32   38290              c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-08-22 17:32   42710              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-05-06 23:45 . 2011-08-22 16:35   10662              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4070619054-3913346633-2204758155-1001_UserData.bin
+ 2011-08-22 17:30 . 2011-08-22 17:30   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-08-22 16:13 . 2011-08-22 16:13   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-08-22 17:30 . 2011-08-22 17:30   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-08-22 16:13 . 2011-08-22 16:13   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2011-08-22 16:12   308556              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-08-22 17:29   308556              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-08-22 04:15 . 2011-08-22 17:29   1715972              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4070619054-3913346633-2204758155-1001-12288.dat
- 2009-07-14 02:34 . 2011-08-22 15:39   10485760              c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-08-22 16:28   10485760              c:\windows\system32\SMI\Store\Machine\schema.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 01:08   143360   ----a-w-   c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-07-13 498160]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-09-17 2245120]
"HControlUser"="c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"ATKOSD2"="c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe" [2009-08-17 6859392]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Media\DMedia.exe" [2009-08-20 170624]
"Setwallpaper"="c:\programdata\SetWallpaper.cmd" [BU]
"googletalk"="c:\program files (x86)\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FancyStart daemon.lnk - c:\windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe [2010-3-1 12862]
SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe [2010-3-1 156952]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy Software Installer.lnk - c:\program files\Best Buy Software Installer\Best Buy Software Installer.exe [2009-10-5 1132472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-11 136176]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-11 136176]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys

S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe

S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-07-21 2151640]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys

S3 GUCI_AVS;ASUS USB2.0 UVC VGA WebCam;c:\windows\system32\DRIVERS\GUCI_AVS.sys

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-08-22 17152]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 18:59]
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-11 14:38]
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-11 14:38]
.
2011-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4070619054-3913346633-2204758155-1001Core.job
- c:\users\mobile\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-01 14:38]
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4070619054-3913346633-2204758155-1001UA.job
- c:\users\mobile\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-01 14:38]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:52   159744   ----a-w-   c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-ASUS_Screensaver - c:\windows\system32\ASUS_Screensaver.scr
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
c:\program files (x86)\ASUS\ATK Hotkey\HControl.exe
c:\program files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files (x86)\ASUS\ATK Hotkey\WDC.exe
c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
c:\windows\AsScrPro.exe
.
**************************************************************************
.
Completion time: 2011-08-22  13:50:54 - machine was rebooted
ComboFix-quarantined-files.txt  2011-08-22 17:50
.
Pre-Run: 249,728,086,016 bytes free
Post-Run: 249,450,262,528 bytes free
.
- - End Of File - - 19AFB4722F6BCC15325B3BE9CDA7E2E6
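
Added example, not code from the thread, from ComboFix or from Malwarebytes: a small Python triage script that parses the Run keys, the UAC policy values and the DhcpNameServer line in the ComboFix format shown in the log above, and reports what a helper would look at first: UAC switched off (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0 in this log), a .cmd autorun under ProgramData, and whether the DHCP-assigned DNS server is a LAN address. The sample input is a constructed excerpt of that log; the expected UAC values and the autorun heuristic are assumptions of mine.

```python
"""Triage helper for the ComboFix log format pasted above (added example, not
ComboFix's or the thread's own code). Assumes REGEDIT4-style loading points,
Run values as "name"="path" [meta], UAC values as "name"= n (0xn) and the
resolver as "TCP: DhcpNameServer = addr"; the expected UAC values and the
autorun heuristic are my own choices, not ComboFix's."""
import ipaddress
import re

# Constructed excerpt: lines copied from the log in the thread, shortened.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-07-13 498160]
"Setwallpaper"="c:\programdata\SetWallpaper.cmd" [BU]
"googletalk"="c:\program files (x86)\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
TCP: DhcpNameServer = 192.168.1.254
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.+)$')
RUN_PATH_RE = re.compile(r'^"([^"]+)"\s*\[([^\]]*)\]$')
DWORD_RE = re.compile(r"^(\d+)\s*\(0x[0-9A-Fa-f]+\)$")
DNS_RE = re.compile(r"^TCP: DhcpNameServer = (\S+)$")
# Windows 7 defaults for the UAC values the log shows; all three are 0 above.
EXPECTED_UAC = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
SCRIPT_SUFFIXES = (".cmd", ".bat", ".vbs", ".js", ".ps1")
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")


def parse_combofix(text):
    """Return autoruns [(key, name, path, meta)], UAC policy values and the DHCP DNS server."""
    result = {"autoruns": [], "uac": {}, "dns": None}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if not line or line == ".":  # ComboFix ends each block with a lone dot
            current_key = None
            continue
        m = DNS_RE.match(line)
        if m:
            result["dns"] = m.group(1)
        m = VALUE_RE.match(line)
        if current_key is None or not m:
            continue
        name, value = m.group(1), m.group(2)
        key = current_key.lower()
        if key.endswith(r"\currentversion\run"):
            pm = RUN_PATH_RE.match(value)
            if pm:
                result["autoruns"].append((current_key, name, pm.group(1), pm.group(2)))
        elif key.endswith(r"\policies\system"):
            dm = DWORD_RE.match(value)
            if dm:
                result["uac"][name] = int(dm.group(1))
    return result


def uac_deviations(uac, expected=EXPECTED_UAC):
    """Map each logged UAC value that differs from its expected value to (seen, expected)."""
    return {n: (uac[n], e) for n, e in expected.items() if n in uac and uac[n] != e}


def suspicious_autoruns(autoruns):
    """Heuristic: Run entries that launch a script or live outside Program Files / Windows."""
    hits = []
    for _key, name, path, _meta in autoruns:
        p = path.lower()
        if p.endswith(SCRIPT_SUFFIXES) or not p.startswith(TRUSTED_ROOTS):
            hits.append((name, path))
    return hits


def dns_is_private(addr):
    """True when the DHCP resolver is a LAN address; a public one is worth explaining."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False
```

A flagged autorun such as SetWallpaper.cmd is a candidate for review, not a verdict; OEM utilities ship scripts like this too, so check the file before removing anything.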

Offline doug1168w

Here is a quarantine file.


2011-08-22 17:48:46 . 2011-08-22 17:48:46              472 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-ASUS_Screensaver.reg.dat
2011-08-22 17:46:07 . 2011-08-22 17:46:08              171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-08-22 17:45:54 . 2011-08-22 17:45:55               92 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2011-08-22 16:24:11 . 2011-08-22 16:24:11               92 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-Setwallpaper.reg.dat
2011-08-22 16:23:06 . 2011-08-24 01:57:04              576 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-08-22 16:22:59 . 2011-08-24 01:56:57              104 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
2011-08-22 16:22:44 . 2011-08-22 17:37:57              236 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C}.reg.dat
2011-08-22 14:23:16 . 2011-08-24 01:37:06           19,226 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-08-22 13:56:41 . 2011-08-24 01:14:00              306 ----a-w-  C:\Qoobox\Quarantine\catchme.log

Offline Hoov

Are you still being redirected?


Offline doug1168w

Yes, still redirected. I can usually take care of little viruses myself....but this one is particularly malicious. Also, Malwarebytes was running on my machine and was blocking IE from loading itself automatically...one of the problems....IE hasn't opened itself for a while now...but I keep getting a dialog box which says roughly...error can't perform function of some type in 32 or something like that in a Malwarebytes box. I am assuming that this is popping up when Malwarebytes blocks IE from opening itself??? Also, in Add/Remove Programs there is a Malwarebytes listed...but it won't uninstall...I tried yesterday just before running ComboFix. Probably nothing though? Right?

Offline Hoov

Can you get me the exact error message from Malwarebytes' Anti-Malware? It is something that we need to deal with, and it could be caused by the problem.

I would like you to start Firefox in Firefox safe mode using the instructions below, and tell me if you still get redirected when you use the search engine.

1.  Close down Firefox completely: At the top of the Firefox window, click the File menu, and select the Exit menu item.

2.  In Windows, click Start, open the All Programs list, and navigate to the Mozilla Firefox folder. In the Mozilla Firefox folder, select Mozilla Firefox (Safe Mode).

3.  Firefox should start up with a Firefox Safe Mode dialog.

4. Click Continue In Safe Mode. This starts Firefox in its Safe Mode. While you are in Safe Mode, your extensions and themes will be disabled, and any toolbar customizations will be reverted back to their defaults. These changes are not permanent - when you leave Safe Mode and start Firefox up normally, your extensions, themes, and settings will return to the state they were in before you entered Safe Mode.


Offline doug1168w

I don't have a Firefox safe mode option...so I open Firefox in Windows safe mode.
Also, the virus is able to attempt to open IE windows in safe mode.
I get the Malwarebytes message...I believe....whenever it stops IE from trying to load itself or trying to navigate to another domain.

Offline doug1168w

[open event] Failed to perform desired action. Error code: 2

That is the Malwarebytes line.

Offline Hoov

Firefox safe mode and starting Firefox in Windows safe mode are not the same. Please restart Windows normally, then open Firefox, go to Help and select "Start Firefox with add-ons disabled", then try the search and let me know how it goes.

And for the Malwarebytes' Anti-Malware problem, follow the instructions in this thread.


Offline doug1168w


OK, just did that procedure. Didn't even make it blink....still redirected.



Offline Hoov

Were you able to fix Malwarebytes' Anti-Malware?

Download and scan with Spybot S&D 1.6.2
http://www.safer-networking.org/en/download/index.html

1. Install Spybot. Be sure to UNCHECK TeaTimer when presented with the option to install.
2. Run Spybot, go to the Menu Bar at the top, choose Mode and make certain that "Default mode" has a check mark beside it.
3. Click the button "Search for Updates".
4. If any updates are found, install them by placing a checkmark next to each one and clicking "Download Updates". If you encounter any error messages while downloading the updates, manually download them from here.
5. Click on "Immunize". When it detects what has or has not been blocked, block all remaining items by clicking the green plus sign next to Immunize at the top.
6. Click the button "Check for Problems".
7. When Spybot is complete, it will be showing RED entries, bold BLACK entries and GREEN entries in the window.
8. Make certain there is a check mark beside all of the RED entries ONLY.
9. Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.
10. REBOOT to complete the scan and clear memory.

Note: After Windows loads, Spybot may run again to clean some files that it could not clean during the prior session. Follow the same procedure.


Offline doug1168w

Yes, I followed your instructions and have Malwarebytes running fine. It is the only program thus far that is able to detect something is wrong and is actively blocking the browser from opening itself. All others that I have tried have done nothing.

Unfortunately, it hasn't helped my search results.

Downloaded and ran Spybot 1.6.2.
It found some stuff...all were red and checked in the box. Fixed them. Rebooted. No effect at all. Still redirected in searches.

Offline doug1168w

PS..."[open error] Failed to perform desired action. Error Code:2" is back again. It was fixed before. I would just as soon leave this alone...it at least lets me know when Malwarebytes blocks an IE page from opening on its own.

Offline Hoov

Did you run the immunize feature in Spybot?

Please download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:
  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to launch it.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or pressing Ctrl+V.
  • Exit the program.
  • Save the scan log as ARK.txt and post it in your next reply. If the log is very long, attach it, please.
  • Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.


Offline Hoov

Also, can you tell me: do you have access to a clean computer with a CD burner, or a thumb drive about 1 GB or bigger in size?
