DDS (Ver_09-10-26.01) - NTFSx86
Run by Wells at 6:13:53.07 on Thu 11/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.202 [GMT -6:00]
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {CC9A41D3-7A0F-44E6-BDBF-8A71F537C18D}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas17.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\Kodak Utilities\PTS\Kodak Picture Transfer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Wells\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uURLSearchHooks: H - No File
uURLSearchHooks: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\wells\local settings\application data\cyberdefender\cdmyidd.dll
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\wells\local settings\application data\cyberdefender\cdmyidd.dll
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\wells\local settings\application data\cyberdefender\cdmyidd.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CyberDefender Early Detection Center] "c:\program files\cyberdefender\antispyware\cdas17.exe" /minimize
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodakp~1.lnk - c:\program files\kodak\kodak utilities\pts\Kodak Picture Transfer.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256873153609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-11 28552]
R2 KODAK Picture Transfer Agent;Kodak picture transfer agent;c:\program files\kodak\kodak utilities\pts\Kodak Picture Transfer Service.exe [2007-3-13 163840]
R3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-11-11 67424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-31 102448]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-11-11 34760]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 sdAuxService;PC Tools Auxiliary Service; [x]
=============== Created Last 30 ================
2009-11-12 01:49:59 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-12 01:49:41 0 d-----w- c:\program files\Panda Security
2009-11-12 01:32:05 123 ----a-w- c:\windows\rootkitno.ini
2009-11-12 01:31:47 0 d-----w- C:\RootkitNO
2009-11-12 01:28:56 2 --shatr- c:\windows\winstart.bat
2009-11-12 01:28:29 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-11-12 01:28:29 32480 ----a-w- c:\windows\system32\Partizan.exe
2009-11-12 01:28:16 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-11-12 01:28:12 0 d-----w- c:\program files\UnHackMe
2009-11-12 00:47:26 69 ----a-w- c:\windows\st_affiliate.ini
2009-11-11 12:42:13 59 ----a-w- c:\windows\av_affiliate.ini
2009-11-11 12:42:11 59 ----a-w- c:\windows\as_affiliate.ini
2009-11-11 12:40:54 67424 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2009-11-11 12:40:14 0 d-----w- c:\program files\CyberDefender
2009-11-11 12:15:09 0 d-----w- C:\VundoFix Backups
2009-11-11 07:07:15 872064 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-11 07:07:15 175104 ----a-w- c:\windows\system32\drivers\ftsata2.sys
2009-11-11 07:04:11 77312 ----a-w- c:\windows\MBR.exe
2009-11-11 07:04:11 267264 ----a-w- c:\windows\PEV.exe
2009-11-11 07:04:11 161792 ----a-w- c:\windows\SWREG.exe
2009-11-11 07:04:10 98816 ----a-w- c:\windows\sed.exe
2009-11-11 07:03:48 0 d-----w- C:\Combo-Fix
2009-11-11 07:02:07 0 d-----w- C:\SDFix
2009-11-11 06:57:17 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-11 03:59:24 0 d--h--w- c:\windows\system32\GroupPolicy
2009-11-11 03:45:42 0 d-----w- c:\docume~1\wells\applic~1\HPQ
2009-10-31 17:43:41 48816 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-31 17:43:41 109744 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-31 17:43:29 0 d-----w- c:\program files\Symantec AntiVirus
2009-10-31 17:41:49 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-10-31 17:41:49 56320 ------w- c:\windows\system32\eventlog.dll
2009-10-31 16:28:14 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-10-31 15:08:57 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2009-10-31 14:40:04 0 d-----w- c:\program files\Symantec
2009-10-31 14:39:54 0 d-----w- c:\program files\common files\Symantec Shared
2009-10-31 14:39:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2009-10-31 13:06:11 0 d-----w- c:\docume~1\wells\applic~1\Skinux
2009-10-31 13:05:59 0 d-----w- c:\docume~1\wells\applic~1\Malwarebytes
2009-10-31 13:04:42 0 d-----w- c:\docume~1\wells\applic~1\Intuit
2009-10-31 13:04:42 0 d-----w- c:\docume~1\wells\applic~1\Digital Interactive Systems Corporation
2009-10-31 02:20:53 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-31 02:15:09 0 d-----w- c:\program files\Windows Installer Clean Up
2009-10-31 02:15:04 0 d-----w- c:\program files\MSECACHE
2009-10-31 01:18:41 0 d-----w- c:\program files\RegZooka
2009-10-31 01:04:48 0 d-----w- c:\windows\system32\Registry Patrol
2009-10-31 01:04:22 0 d-----w- c:\program files\Registry Patrol
2009-10-30 18:53:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-30 18:53:02 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-10-30 01:53:49 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-10-30 01:53:46 0 d-----w- c:\program files\File Recover
2009-10-29 03:21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 03:21:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 03:21:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-17 14:27:31 0 ----a-w- c:\windows\Gjigevalanahifu.bin
2009-10-17 14:27:28 120 ----a-w- c:\windows\Ygabiyuwamoxo.dat
2009-10-17 14:24:00 99 ----a-w- c:\windows\system32\wwp.htm
2009-10-17 14:11:56 17307 ----a-w- c:\docume~1\alluse~1\applic~1\seza.dat
2009-10-17 14:11:56 15700 ----a-w- c:\windows\system32\topexyvefi._sy
2009-10-17 14:11:55 16496 ----a-w- c:\windows\yxyc.scr
2009-10-17 14:11:55 14475 ----a-w- c:\windows\nuxocuv.pif
2009-10-17 14:11:55 13456 ----a-w- c:\windows\hotid.exe
2009-10-17 14:11:55 10299 ----a-w- c:\windows\eliryhe.bin
2009-10-17 13:05:47 19147 ----a-w- c:\windows\unoxaf.scr
2009-10-17 13:05:47 17289 ----a-w- c:\windows\xihanamuf.lib
2009-10-17 13:05:47 15793 ----a-w- c:\windows\totahifuk.dat
2009-10-17 13:05:47 12673 ----a-w- c:\windows\alak.ban
==================== Find3M ====================
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-10-17 14:11:55 13959 ----a-w- c:\program files\common files\exeqeta.lib
2009-10-17 13:05:47 11126 ----a-w- c:\program files\common files\pomijuzu.lib
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-14 13:21:25 1850624 ----a-w- c:\windows\system32\win32k.sys
2009-08-14 13:21:25 1850624 ------w- c:\windows\system32\dllcache\win32k.sys
2008-11-11 13:35:17 251 ----a-w- c:\program files\wt3d.ini
============= FINISH: 6:16:13.67 ===============
Attached File(s)
-
Attach.txt (13.38K)










