
Searches (Yahoo, Google, etc.) are being redirected

14 replies to this topic

#1 joshrwtn

joshrwtn

  • Members
  • 10 posts

Posted 17 April 2009 - 05:43 PM

Hello everyone, let me start out by thanking you in advance for your help. I'm not really sure what happened, but now my computer is acting really sluggish and my searches are being redirected. For example, one of the redirects I keep getting is: hxxp://www.cowsurvey.com/?sub=51&pub=2...p;cid=374355629. Now I like cows as much as the next guy, but this is getting annoying. I'm including the DDS logs, and would appreciate any and all help getting my computer back in shape!!! Thank you again, in advance, for your help, JOSH



DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 18:36:59.56 on Fri 04/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2372 [GMT -4:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://youtube.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\icoset\adjust.bat seticon
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238546702375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: klogon - c:\windows\system32\klogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\u3b95r1m.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-15 64160]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-4-5 213520]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2009-3-7 8576]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-7-29 206088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]

=============== Created Last 30 ================

2009-04-16 21:46 <DIR> --d----- C:\HIjack This
2009-04-16 21:46 <DIR> --d----- C:\New Folder
2009-04-16 01:05 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-16 00:58 <DIR> --d----- c:\program files\Safer Networking
2009-04-16 00:56 <DIR> --d----- c:\program files\Panda Security
2009-04-16 00:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Geek Squad
2009-04-16 00:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-16 00:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-16 00:15 <DIR> --d----- C:\Deckard
2009-04-15 21:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-15 21:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-15 20:57 <DIR> --d----- c:\documents and settings\hp_administrator\.SunDownloadManager
2009-04-15 08:05 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-15 02:11 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-15 02:10 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-15 02:10 <DIR> --d----- c:\program files\Lavasoft
2009-04-15 02:05 <DIR> --d----- c:\program files\CCleaner
2009-04-14 23:54 <DIR> a-dshr-- C:\cmdcons
2009-04-12 00:40 10,053,599 a------- C:\addicted.flv
2009-04-08 02:13 <DIR> --d----- C:\church flash
2009-04-06 22:57 456,016 a------- C:\NightclubInterior.mp3
2009-04-05 00:07 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-04-05 00:07 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-04-05 00:06 3,498,016 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-05 00:06 622,624 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-05 00:06 32,600 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-05 00:06 4,256 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-05 00:06 <DIR> --d----- c:\program files\Kaspersky Lab
2009-04-05 00:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-04-04 23:47 <DIR> --d----- c:\documents and settings\hp_administrator\DoctorWeb
2009-04-04 02:40 <DIR> --d----- C:\temp
2009-04-04 02:18 161,792 a------- c:\windows\SWREG.exe
2009-04-04 02:18 98,816 a------- c:\windows\sed.exe
2009-04-04 02:09 <DIR> --d----- c:\windows\pss
2009-04-04 01:14 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-04-04 01:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-04 01:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 01:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-04 01:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 20:55 <DIR> --d----- C:\!FixIEDef
2009-04-03 20:54 <DIR> --d----- C:\SDFix
2009-04-03 20:43 <DIR> --d----- C:\VundoFix Backups
2009-04-03 20:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-04-03 20:15 <DIR> --d----- c:\program files\common files\iS3
2009-04-03 20:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-04-01 00:44 <DIR> --d----- c:\program files\Google Hacks
2009-03-31 20:50 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-31 20:46 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-03-31 20:46 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-03-31 20:45 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-03-31 20:45 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-03-31 20:45 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-03-31 01:15 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\NetMedia Providers
2009-03-31 01:13 33,340 -------- c:\windows\system32\dbmsqlgc.dll
2009-03-31 01:13 24,576 -------- c:\windows\system32\dbmsgnet.dll
2009-03-31 01:13 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-03-28 23:18 <DIR> --d----- C:\3-29-2009
2009-03-28 23:17 <DIR> --d----- c:\documents and settings\hp_administrator\dwhelper
2009-03-28 19:16 <DIR> --d----- C:\Passion
2009-03-24 00:21 172,872 a------- C:\MVI_3887 Take 2 Take 2.sfk
2009-03-24 00:21 22,119,180 a------- C:\MVI_3887 Take 2 Take 2.wav
2009-03-24 00:19 172,872 a------- C:\MVI_3887 Take 2.sfk
2009-03-24 00:19 22,119,180 a------- C:\MVI_3887 Take 2.wav
2009-03-23 23:47 22,440 a------- C:\MVI_3887.AVI.sfk
2009-03-23 23:36 2,748 a------- C:\MVI_3889.AVI.sfk
2009-03-23 23:36 6,716 a------- C:\MVI_3888.AVI.sfk
2009-03-23 23:35 7,168 a--sh--- c:\windows\Thumbs.db
2009-03-23 23:35 18,432 a--sh--- C:\Thumbs.db
2009-03-23 23:18 39,226,300 a------- C:\MVI_3895.AVI
2009-03-23 23:17 21,907,278 a------- C:\MVI_3894.AVI
2009-03-23 23:17 4,570,984 a------- C:\MVI_3893.AVI
2009-03-23 23:14 243,651,524 a------- C:\MVI_3887.AVI
2009-03-23 23:11 168,718,928 a------- C:\MVI_3891.AVI
2009-03-23 23:09 70,392,700 a------- C:\MVI_3890.AVI
2009-03-23 23:09 21,923,592 a------- C:\MVI_3889.AVI
2009-03-23 23:07 53,001,224 a------- C:\MVI_3888.AVI
2009-03-23 23:03 <DIR> --d----- C:\utube
2009-03-22 01:27 13,030 a------- C:\PDOXUSRS.NET
2009-03-21 22:52 210,032 a------- c:\windows\system32\DBCLIENT.DLL
2009-03-21 22:52 183,808 a------- c:\windows\system32\BDEADMIN.CPL
2009-03-21 22:51 <DIR> --d----- c:\program files\common files\Borland Shared
2009-03-21 22:51 <DIR> --d----- c:\program files\Softouch
2009-03-20 10:50 202,072 a----r-- c:\windows\system32\cpnprt2.cid
2009-03-20 10:50 <DIR> --d----- c:\windows\Cache
2009-03-20 10:50 <DIR> --d----- c:\program files\Coupons

==================== Find3M ====================

2009-04-16 10:41 47,616 a------- c:\windows\system32\vadibuvo.dll.tmp
2009-04-05 00:20 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-03-07 03:50 720,896 a------- c:\windows\iun6002ev.exe
2009-03-07 03:41 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-07 03:41 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2009-03-07 01:38 112,942 a------- c:\windows\hpoins07.dat
2009-03-06 12:29 1,801 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_ED895AA-ABA a1210n_YC_0Pavi_QCNH537_E54NAsyMPC1_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.15_T070125_WXP2_L409_M3071_J500_7AMD_8Athlon 64_92.19_#090305_N10EC8139_Z_G.MRK
2009-03-04 21:16 92,191 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-04 21:16 287,310 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection.dll
2009-03-04 21:16 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-03-04 21:16 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-03-04 21:16 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-03-04 21:16 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-03-04 21:16 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-03-04 21:16 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-03-04 21:16 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-03-04 21:14 118,842 a----r-- c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
2009-03-04 21:13 14,289 a------- c:\windows\system32\CHODDI.SYS
2009-03-04 20:50 80,418 a------- c:\windows\HPHins08.dat
2009-03-04 20:45 72,881 a------- c:\windows\hpiins01.dat
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 18:37:40.48 ===============


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 02 May 2009 - 04:02 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
If you still require assistance, please post a new set of DDS logs and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log, please refer to this page; in step #6 there are instructions on downloading and running DDS. If you have any problems, just let me know in your next reply or simply post a HijackThis log.

Thanks again, and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 joshrwtn

joshrwtn
  • Topic Starter

  • Members
  • 10 posts

Posted 03 May 2009 - 08:26 AM

Thank you for your reply. It is still redirecting my Google searches randomly. I am reposting a DDS log and I will wait for further instructions. Thank you, Josh

DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 9:20:26.31 on Sun 05/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2104 [GMT -4:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://youtube.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.16.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\icoset\adjust.bat seticon
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.16.0\gears.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238546702375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: klogon - c:\windows\system32\klogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\u3b95r1m.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\u3b95r1m.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-15 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-16 28544]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-4-5 213520]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2009-3-7 8576]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-7-29 206088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 gupdate1c9c2375963bece;Google Update Service (gupdate1c9c2375963bece);c:\program files\google\update\GoogleUpdate.exe [2009-4-21 133104]

=============== Created Last 30 ================

2009-04-24 00:21 <DIR> --d----- c:\program files\VASST
2009-04-24 00:14 6,724,425 a------- C:\picture in picture.flv
2009-04-23 23:31 3,037,037 a------- C:\chroma screen.flv
2009-04-22 23:03 857,257 a------- C:\CelticSilhouette.flv
2009-04-22 23:03 927,150 a------- C:\CrownThornsSilhouette.flv
2009-04-22 23:02 7,334,750 a------- C:\ChristmasArtwork.flv
2009-04-22 23:02 1,167,727 a------- C:\HandsTogether.flv
2009-04-22 23:02 632,832 a------- C:\SandFootprints.flv
2009-04-22 23:01 1,720,367 a------- C:\WorshipFlourish.flv
2009-04-22 23:01 1,289,581 a------- C:\StarTree.flv
2009-04-22 22:58 1,151,848 a------- C:\CrossVines2.flv
2009-04-22 22:58 873,956 a------- C:\MaryBaby.flv
2009-04-22 22:57 1,291,989 a------- C:\TreeCutOut.flv
2009-04-22 22:56 590,816 a------- C:\Fish.flv
2009-04-22 22:55 444,574 a------- C:\FallsClose.flv
2009-04-21 23:02 45,633,241 a------- C:\ferris wheel.mp4
2009-04-21 01:06 <DIR> --d----- C:\Easy Worship
2009-04-16 21:46 <DIR> --d----- C:\HIjack This
2009-04-16 21:46 <DIR> --d----- C:\New Folder
2009-04-16 01:05 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-16 00:58 <DIR> --d----- c:\program files\Safer Networking
2009-04-16 00:56 <DIR> --d----- c:\program files\Panda Security
2009-04-16 00:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-16 00:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-16 00:15 <DIR> --d----- C:\Deckard
2009-04-15 21:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-15 21:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-15 20:57 <DIR> --d----- c:\documents and settings\hp_administrator\.SunDownloadManager
2009-04-15 08:05 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-15 02:11 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-15 02:10 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-15 02:10 <DIR> --d----- c:\program files\Lavasoft
2009-04-15 02:05 <DIR> --d----- c:\program files\CCleaner
2009-04-14 23:54 <DIR> a-dshr-- C:\cmdcons
2009-04-12 00:40 10,053,599 a------- C:\addicted.flv
2009-04-08 02:13 <DIR> --d----- C:\church flash
2009-04-06 22:57 456,016 a------- C:\NightclubInterior.mp3
2009-04-05 00:07 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-04-05 00:07 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-04-05 00:06 3,508,768 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-05 00:06 639,008 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-05 00:06 32,684 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-05 00:06 4,312 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-05 00:06 <DIR> --d----- c:\program files\Kaspersky Lab
2009-04-05 00:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-04-04 23:47 <DIR> --d----- c:\documents and settings\hp_administrator\DoctorWeb
2009-04-04 02:40 <DIR> --d----- C:\temp
2009-04-04 02:18 161,792 a------- c:\windows\SWREG.exe
2009-04-04 02:18 98,816 a------- c:\windows\sed.exe
2009-04-04 02:09 <DIR> --d----- c:\windows\pss
2009-04-04 01:14 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-04-04 01:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-04 01:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 01:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-04 01:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 20:55 <DIR> --d----- C:\!FixIEDef
2009-04-03 20:54 <DIR> --d----- C:\SDFix
2009-04-03 20:43 <DIR> --d----- C:\VundoFix Backups
2009-04-03 20:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-04-03 20:15 <DIR> --d----- c:\program files\common files\iS3
2009-04-03 20:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!

==================== Find3M ====================

2009-04-16 10:41 47,616 a------- c:\windows\system32\vadibuvo.dll.tmp
2009-04-05 00:20 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-03-07 03:50 720,896 a------- c:\windows\iun6002ev.exe
2009-03-07 03:41 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-07 03:41 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2009-03-07 01:38 112,942 a------- c:\windows\hpoins07.dat
2009-03-06 12:29 1,801 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_ED895AA-ABA a1210n_YC_0Pavi_QCNH537_E54NAsyMPC1_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.15_T070125_WXP2_L409_M3071_J500_7AMD_8Athlon 64_92.19_#090305_N10EC8139_Z_G.MRK
2009-03-04 21:16 92,191 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-04 21:16 287,310 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection.dll
2009-03-04 21:16 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-03-04 21:16 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-03-04 21:16 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-03-04 21:16 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-03-04 21:16 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-03-04 21:16 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-03-04 21:16 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-03-04 21:14 118,842 a----r-- c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
2009-03-04 21:13 14,289 a------- c:\windows\system32\CHODDI.SYS
2009-03-04 20:50 80,418 a------- c:\windows\HPHins08.dat
2009-03-04 20:45 72,881 a------- c:\windows\hpiins01.dat
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 9:21:28.32 ===============


#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 03 May 2009 - 10:48 AM

Hello.

We will start off with Combofix and another tool. Please follow the instructions from TOP to BOTTOM.

Install Recovery Console and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Please download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :dir
    %userprofile%\Local Settings\Application Data
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
  • Please confirm everything is copied and pasted exactly as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


Question: Is the redirect in FF, IE or both? Also, are there any specific links you get redirected to if there are still redirects after running ComboFix and SystemLook?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#5 joshrwtn
  • Topic Starter

  • Members
  • 10 posts

Posted 03 May 2009 - 02:02 PM

First of all let me thank you for your help. I have noticed it in both Firefox & IE. It doesn't seem to be any specific site either as it is always a different one. Here are my combofix & Systemlook logs. Please advise on my next job. Thank you.

ComboFix 09-05-02.4 - HP_Administrator 05/03/2009 14:49.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2566 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-02 04:49 . 2009-05-02 04:49 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-04-24 04:21 . 2009-04-24 04:21 -------- d-----w c:\program files\VASST
2009-04-24 02:30 . 2009-04-24 02:30 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-21 05:06 . 2009-04-21 05:07 -------- d-----w C:\Easy Worship
2009-04-21 04:12 . 2009-04-21 04:12 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-17 01:46 . 2009-04-17 01:46 -------- d-----w C:\HIjack This
2009-04-17 01:46 . 2009-04-17 01:46 -------- d-----w C:\New Folder
2009-04-16 11:34 . 2009-04-16 11:34 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\Identities
2009-04-16 05:05 . 2008-06-19 20:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-16 04:58 . 2009-04-16 04:58 -------- d-----w c:\program files\Safer Networking
2009-04-16 04:56 . 2009-04-16 04:56 -------- d-----w c:\program files\Panda Security
2009-04-16 04:26 . 2009-02-20 18:09 63488 ------w c:\windows\system32\dllcache\icardie.dll
2009-04-16 04:26 . 2009-02-20 18:09 268288 ------w c:\windows\system32\dllcache\iertutil.dll
2009-04-16 04:26 . 2009-02-20 10:20 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-04-16 04:26 . 2009-02-20 18:09 52224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-16 04:26 . 2009-02-20 18:09 459264 ------w c:\windows\system32\dllcache\msfeeds.dll
2009-04-16 04:26 . 2008-07-09 14:25 2455488 ------w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-16 04:26 . 2009-02-20 18:09 383488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-16 04:26 . 2009-02-20 18:09 6066176 ------w c:\windows\system32\dllcache\ieframe.dll
2009-04-16 04:22 . 2009-04-16 04:29 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 04:22 . 2009-04-16 04:35 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 04:15 . 2009-04-16 04:15 -------- d-----w C:\Deckard
2009-04-16 01:04 . 2009-04-16 01:04 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-16 00:57 . 2009-04-16 01:00 -------- d-----w c:\documents and settings\HP_Administrator\.SunDownloadManager
2009-04-15 12:05 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-15 06:11 . 2009-04-22 06:11 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-15 06:11 . 2009-04-22 06:12 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-15 06:10 . 2009-04-15 06:10 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-15 06:10 . 2009-04-15 06:10 -------- d-----w c:\program files\Lavasoft
2009-04-15 06:10 . 2009-04-15 06:11 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-15 06:05 . 2009-04-15 06:05 -------- d-----w c:\program files\CCleaner
2009-04-08 06:13 . 2009-04-12 05:36 -------- d-----w C:\church flash
2009-04-05 04:07 . 2009-04-05 04:20 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-05 04:07 . 2009-04-05 04:20 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-05 04:06 . 2009-05-03 12:36 3508768 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-05 04:06 . 2009-04-24 03:00 639008 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-05 04:06 . 2009-04-05 04:06 -------- d-----w c:\program files\Kaspersky Lab
2009-04-05 04:06 . 2009-05-03 13:41 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-05 03:47 . 2009-04-05 03:47 -------- d-----w c:\documents and settings\HP_Administrator\DoctorWeb
2009-04-04 14:21 . 2009-04-04 14:25 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\ImgBurn
2009-04-04 14:15 . 2009-04-04 14:15 -------- d-----w c:\program files\ImgBurn
2009-04-04 06:40 . 2009-05-03 12:53 -------- d-----w C:\temp
2009-04-04 05:14 . 2009-04-04 05:14 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-04 05:14 . 2009-01-14 21:11 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 05:14 . 2009-01-14 21:11 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 05:14 . 2009-04-04 05:14 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-04 05:14 . 2009-04-04 05:15 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-04 03:38 . 2009-04-04 03:38 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Sonic
2009-04-04 03:38 . 2009-04-04 03:38 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Leadertech
2009-04-04 00:55 . 2009-04-04 00:55 -------- d-----w C:\!FixIEDef
2009-04-04 00:54 . 2009-04-16 04:05 -------- d-----w C:\SDFix
2009-04-04 00:43 . 2009-04-04 00:43 -------- d-----w C:\VundoFix Backups
2009-04-04 00:16 . 2009-04-04 00:16 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-04-04 00:15 . 2009-04-04 00:15 -------- d-----w c:\program files\Common Files\iS3
2009-04-04 00:15 . 2009-04-04 00:59 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 18:48 . 2005-06-07 13:57 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 13:38 . 2009-04-21 04:12 882 ----a-w c:\windows\Tasks\GoogleUpdateTaskMachine.job
2009-05-03 12:36 . 2009-04-05 04:06 32684 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-01 06:11 . 2009-03-08 21:21 -------- d-----w c:\program files\CoffeeCup Software
2009-04-29 06:11 . 2009-04-15 06:12 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-04-29 00:01 . 2009-04-05 04:06 4312 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-22 20:28 . 2009-03-05 01:21 -------- d-----w c:\program files\Google
2009-04-16 14:41 . 2009-01-03 22:56 47616 ----a-w c:\windows\system32\vadibuvo.dll.tmp
2009-04-16 01:04 . 2009-03-05 00:30 -------- d-----w c:\program files\Java
2009-04-05 04:20 . 2008-01-29 23:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-04-01 04:44 . 2009-04-01 04:44 -------- d-----w c:\program files\Google Hacks
2009-03-31 05:13 . 2009-03-31 05:13 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-31 05:11 . 2009-03-07 07:35 -------- d-----w c:\program files\Sony
2009-03-31 05:10 . 2009-03-07 07:28 -------- d-----w c:\program files\Sony Setup
2009-03-28 04:09 . 2009-03-08 03:06 -------- d-----w c:\program files\K-Lite Codec Pack
2009-03-22 02:51 . 2009-03-22 02:51 -------- d-----w c:\program files\Common Files\Borland Shared
2009-03-22 02:51 . 2009-03-22 02:51 -------- d-----w c:\program files\Softouch
2009-03-21 02:38 . 2009-03-06 16:27 139 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2009-03-20 14:50 . 2009-03-20 14:50 -------- d-----w c:\program files\Coupons
2009-03-12 00:10 . 2009-03-12 00:10 -------- d-----w c:\program files\Yahoo!
2009-03-10 02:17 . 2009-03-10 02:17 -------- d-----w c:\program files\Lavalys
2009-03-08 21:22 . 2009-03-05 00:39 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 05:41 . 2009-03-07 07:51 10 ----a-w c:\windows\popcinfo.dat
2009-03-07 08:06 . 2009-03-07 08:06 0 ----a-w c:\windows\nsreg.dat
2009-03-07 08:06 . 2009-03-07 08:06 -------- d-----w c:\program files\Softland
2009-03-07 08:03 . 2009-03-05 01:05 -------- d-----w c:\program files\Microsoft Works
2009-03-07 07:59 . 2009-03-07 07:59 -------- d-----w c:\program files\The Game Creators
2009-03-07 07:50 . 2009-03-07 07:50 -------- d-----w c:\program files\GameHouse
2009-03-07 07:50 . 2009-03-07 07:50 -------- d-----w c:\program files\Bejeweled 2 Deluxe
2009-03-07 07:50 . 2009-03-07 07:50 720896 ----a-w c:\windows\iun6002ev.exe
2009-03-07 07:46 . 2009-03-07 07:46 -------- d-----w c:\program files\DVD Shrink
2009-03-07 07:43 . 2009-03-07 07:41 -------- d-----w c:\program files\DVDFab 5
2009-03-07 07:41 . 2009-03-07 07:41 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-07 07:41 . 2009-03-07 07:41 47360 ----a-w c:\documents and settings\HP_Administrator\Application Data\pcouffin.sys
2009-03-07 07:35 . 2009-03-07 07:35 -------- d-----w c:\program files\Vstplugins
2009-03-07 07:26 . 2009-03-07 07:23 -------- d-----w c:\program files\Common Files\Ahead
2009-03-07 07:23 . 2009-03-07 07:23 -------- d-----w c:\program files\Nero
2009-03-07 07:18 . 2009-03-07 07:18 -------- d-----w c:\program files\Error Repair Professional
2009-03-07 07:16 . 2009-03-07 07:16 -------- d-----w c:\program files\Audacity
2009-03-07 05:38 . 2009-03-07 05:38 86816 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-07 05:38 . 2009-03-05 00:50 112942 ----a-w c:\windows\hpoins07.dat
2009-03-07 05:29 . 2009-03-05 01:03 -------- d-----w c:\program files\Common Files\Adobe
2009-03-07 05:22 . 2009-03-07 05:22 -------- d-----w c:\program files\Microsoft.NET
2009-03-07 04:19 . 2009-03-07 04:19 -------- d-----w c:\program files\VRanger
2009-03-07 04:18 . 2009-03-05 01:07 -------- d-----w c:\program files\QuickTime
2009-03-07 04:17 . 2009-03-05 01:18 -------- d-----w c:\program files\Easy Internet signup
2009-03-07 04:16 . 2009-03-05 01:11 -------- d-----w c:\program files\Quicken
2009-03-07 03:43 . 2009-03-07 03:43 -------- d-----w c:\program files\Toddler Keys
2009-03-07 01:32 . 2009-03-07 01:32 -------- d-----w c:\program files\oZone3D
2009-03-06 16:29 . 2009-03-06 16:29 1801 --sha-r c:\windows\system32\drivers\103C_HP_CPC_ED895AA-ABA a1210n_YC_0Pavi_QCNH537_E54NAsyMPC1_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.15_T070125_WXP2_L409_M3071_J500_7AMD_8Athlon 64_92.19_#090305_N10EC8139_Z_G.MRK
2009-03-05 01:31 . 2009-03-05 01:02 -------- d-----w c:\program files\Hewlett-Packard
2009-03-05 01:17 . 2009-03-05 01:17 -------- d-----w c:\program files\PC-Doctor for DOS
2009-03-05 01:16 . 2004-11-17 18:31 92191 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-05 01:16 . 2009-03-05 01:16 61440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-03-05 01:16 . 2009-03-05 01:16 45056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-03-05 01:16 . 2009-03-05 01:16 44032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-03-05 01:16 . 2009-03-05 01:16 40960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-03-05 01:16 . 2009-03-05 01:16 32768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-03-05 01:16 . 2009-03-05 01:16 32768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-03-05 01:16 . 2009-03-05 01:16 287310 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection.dll
2009-03-05 01:16 . 2009-03-05 01:16 163840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-03-05 01:14 . 2009-03-05 01:14 118842 ----a-r c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
2009-03-05 01:14 . 2009-03-05 01:14 -------- d-----w c:\program files\Updates from HP
2009-03-05 01:13 . 2009-03-05 01:13 14289 ----a-w c:\windows\system32\CHODDI.SYS
2009-03-05 01:10 . 2009-03-05 01:09 -------- d-----w c:\program files\muvee Technologies
2009-03-05 01:10 . 2009-03-05 01:10 -------- d-----w c:\program files\Common Files\muvee Technologies
2009-03-05 01:09 . 2009-03-05 00:39 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-05 01:07 . 2009-03-05 01:07 -------- d-----w c:\program files\iTunes
2009-03-05 01:07 . 2009-03-05 01:07 -------- d-----w c:\program files\iPod
2009-03-05 01:03 . 2009-03-05 01:03 -------- d-----w c:\program files\IntelliMover Data Transfer Demo
2009-03-05 01:02 . 2009-03-05 01:02 -------- d-----w c:\program files\Common Files\InterVideo
2009-03-05 01:02 . 2009-03-05 01:02 -------- d-----w c:\program files\InterVideo
2009-03-05 01:01 . 2009-03-05 01:01 -------- d-----w c:\program files\Common Files\TiVo Shared
2009-03-05 01:01 . 2009-03-05 00:56 -------- d-----w c:\program files\Sonic
2009-03-05 01:00 . 2009-03-06 16:26 136 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat
2009-03-05 01:00 . 2009-03-05 01:00 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-03-05 01:00 . 2009-03-05 00:59 -------- d-----w c:\program files\EnglishOtto
2009-03-05 00:59 . 2009-03-05 00:57 -------- d-----w c:\program files\WildTangent
2009-03-05 00:56 . 2009-03-05 00:56 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-03-05 00:56 . 2009-03-05 00:49 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-05 00:55 . 2009-03-05 00:55 -------- d-----w c:\program files\Common Files\xing shared
2009-03-05 00:55 . 2009-03-05 00:55 -------- d-----w c:\program files\Common Files\Real
2009-03-05 00:55 . 2009-03-05 00:55 -------- d-----w c:\program files\Real
2009-03-05 00:55 . 2009-03-05 00:55 -------- d-----w c:\program files\MSN Encarta Standard
2009-03-05 00:51 . 2009-03-05 00:51 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-05 00:50 . 2009-03-05 00:45 80418 ----a-w c:\windows\HPHins08.dat
2009-03-05 00:48 . 2009-03-05 00:48 -------- d-----w c:\program files\Common Files\HP
2009-03-05 00:46 . 2009-03-05 00:43 -------- d-----w c:\program files\HP
2009-03-05 00:45 . 2009-03-05 00:43 72881 ----a-w c:\windows\hpiins01.dat
2009-03-05 00:30 . 2009-03-05 00:30 -------- d-----w c:\program files\Common Files\Java
2009-03-03 00:18 . 2009-03-04 17:02 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-03-04 09:56 78336 ------w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 94208]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-11 59392]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-05 180269]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-04-05 206088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-22 516440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-16 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-25 1630208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-7 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 gupdate1c9c2375963bece;Google Update Service (gupdate1c9c2375963bece);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-21 133104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-22 953168]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-05 33808]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-22 64160]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-14 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8376d72e-0aca-11de-aab1-0013d4bf3688}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a535cdbe-0a8f-11da-8062-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 06:11]

2009-05-03 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-21 04:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://youtube.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\u3b95r1m.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\u3b95r1m.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 14:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3084)
c:\windows\system32\msi.dll
c:\windows\system32\mshtml.dll
.
Completion time: 2009-05-03 14:53
ComboFix-quarantined-files.txt 2009-05-03 18:53
ComboFix2.txt 2009-04-16 01:12

Pre-Run: 238,081,392,640 bytes free
Post-Run: 238,381,166,592 bytes free

278

------------------------------------------------------------------------------------------------------------------------------------------------



SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 14:56 on 03/05/2009 by HP_Administrator (Administrator - Elevation successful)

========== dir ==========

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data - Parameters: "(none)"

---Files---
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini --a--- 93184 bytes [03:48 07/03/2009] [00:28 30/04/2009]
fusioncache.dat --a--- 139 bytes [16:27 06/03/2009] [02:38 21/03/2009]
GDIPFONTCACHEV1.DAT --a--- 86816 bytes [05:38 07/03/2009] [05:38 07/03/2009]
IconCache.db --ah-- 4236752 bytes [16:27 06/03/2009] [20:39 06/03/2009]

---Folders---
Adobe d----- [07:55 07/03/2009]
Ahead d----- [21:41 06/03/2009]
Apple Computer d----- [16:27 06/03/2009]
ApplicationHistory d----- [16:27 06/03/2009]
Google d----- [16:27 06/03/2009]
HP d----- [02:38 21/03/2009]
Identities d----- [11:34 16/04/2009]
IsolatedStorage d----- [02:38 21/03/2009]
Microsoft d----- [16:27 06/03/2009]
Microsoft Help d----- [05:20 07/03/2009]
Mozilla d----- [08:06 07/03/2009]
Sony d----- [07:37 07/03/2009]
Yahoo d----- [00:20 12/03/2009]
{3248F0A6-6813-11D6-A77B-00B0D0150000} d----- [16:27 06/03/2009]

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32]
"midi"="wdmaud.drv"
"midimapper"="midimap.dll"
"mixer"="wdmaud.drv"
"msacm.ac3acm"="ac3acm.acm"
"msacm.iac2"="C:\WINDOWS\system32\iac25_32.ax"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"msacm.lameacm"="lameACM.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msg723"="msg723.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.trspch"="tssoft32.acm"
"VIDC.CFHD"="cfhd.dll"
"vidc.cvid"="iccvid.dll"
"VIDC.DIVX"="divx.dll"
"VIDC.FFDS"="ff_vfw.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iv50"="ir50_32.dll"
"vidc.iyuv"="iyuv_32.dll"
"vidc.LEAD"="LCODCCMP.DLL"
"vidc.M261"="msh261.drv"
"vidc.M263"="msh263.drv"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"VIDC.XVID"="xvidvfw.dll"
"vidc.yuy2"="msyuv.dll"
"VIDC.YV12"="yv12vfw.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wave"="wdmaud.drv"
"wavemapper"="msacm32.drv"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32\Terminal Server]


-=End Of File=-

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:09 AM

Posted 03 May 2009 - 02:52 PM

Hello again.

Combofix was run 5 times. It should only be run once unless stated otherwise.

Please delete Combofix.exe you currently have and re-download it from one of those links and save it to your desktop.

Now do the following.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\system32\vadibuvo.dll.tmp
    c:\windows\system32\drivers\pavboot.sys 
    Folder::
    C:\VundoFix Backups
    C:\SDFix
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a535cdbe-0a8f-11da-8062-806d6172696f}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8376d72e-0aca-11de-aab1-0013d4bf3688}]
    DirLook::
    c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150000}
    Driver::
    pavboot
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and Run GooredFix using Option1 (Scanning)
  • Please download GooredFix and save it to your Desktop.
    Alternative Download Mirror #2
  • Double-click Goored.exe to run it.
  • A window shall open, please Select 1. [Find Goored (no fix)] by typing 1 and pressing Enter. It will begin scanning.
  • A log will open once it is complete, please post the contents of that log in your next reply
*Note: The log can also be found on your desktop, called Goored.txt
Please Do not run Option #2 yet.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Post back with:
-Combofix log
-Goored Log
-MBAM log

Just to confirm, you still have Google redirects, correct? I would still like you to give me at least 2-3 sites you get redirected to, just for my information. Please "kill" the link by replacing the tt in http with xx so it is unclickable. E.g.: hxxp:\\www.google.ca

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
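
The CFScript in the post above drives ComboFix through five section headers (File::, Folder::, Registry::, DirLook::, Driver::). The following is an added example, not a BleepingComputer or ComboFix tool: a dry-run reader that parses such a script and lists what it asks ComboFix to do, so the script can be reviewed before it is dragged onto ComboFix.exe. The section syntax is taken from the script as posted and the meaning of each section (File:: and Folder:: entries are deleted, Driver:: entries have their service removed, DirLook:: entries are only listed) is taken from the ComboFix log later in this thread; the Registry:: block is read as Regedit-style text ([key], [-key] to delete a key, "name"=data, "name"=- to delete a value), which is an assumption about the format. The sample script is the one from the post, embedded as constructed input.

```python
"""Dry-run reader for a ComboFix CFScript.txt (added example; this is not
ComboFix's own parser).  It reports what the script asks for and touches
nothing on the system."""
import re
from collections import OrderedDict

# Constructed sample input: the CFScript from the post above, verbatim.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\system32\vadibuvo.dll.tmp
c:\windows\system32\drivers\pavboot.sys 
Folder::
C:\VundoFix Backups
C:\SDFix
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a535cdbe-0a8f-11da-8062-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8376d72e-0aca-11de-aab1-0013d4bf3688}]
DirLook::
c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150000}
Driver::
pavboot
"""

SECTION_RE = re.compile(r"^(\w+)::$")          # e.g. "File::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")         # "[key]" or "[-key]" (delete)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')     # "name"=data  (data "-" deletes)


def parse_cfscript(text):
    """Return an ordered {section: [entries]} map.

    File::, Folder::, Driver:: and DirLook:: entries are plain strings.
    Registry:: entries are tuples (assumed Regedit-style syntax):
        ("delete_key", key)
        ("set_value", key, name, raw_data)
        ("delete_value", key, name)
    """
    sections = OrderedDict()
    current = None   # name of the section being filled
    reg_key = None   # current [key] context inside Registry::
    for raw in text.splitlines():
        line = raw.strip()              # the post has a trailing space on one path
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            reg_key = None
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        if current != "Registry":
            sections[current].append(line)
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                sections[current].append(("delete_key", key))
                reg_key = None
            else:
                reg_key = key
            continue
        m = VALUE_RE.match(line)
        if m:
            if reg_key is None:
                raise ValueError("value outside a [key] block: %r" % line)
            name, data = m.groups()
            if data == "-":
                sections[current].append(("delete_value", reg_key, name))
            else:
                sections[current].append(("set_value", reg_key, name, data))
            continue
        raise ValueError("unrecognised Registry:: line: %r" % line)
    return sections


def review(sections):
    """Return the entries a reviewer should look at twice before running the script.

    The notes describe effects only: driver-file deletion, service removal,
    removal of cached MountPoints2 drive entries, and Security Center
    notification settings being switched on (0) or off (non-zero)."""
    notes = []
    for entry in sections.get("Registry", []):
        if entry[0] == "delete_key" and "mountpoints2" in entry[1].lower():
            notes.append("removes cached removable-drive shell settings: " + entry[1])
        elif entry[0] == "set_value" and entry[2].endswith("DisableNotify"):
            state = "re-enables" if entry[3] == "dword:00000000" else "suppresses"
            notes.append("%s Security Center notification %s" % (state, entry[2]))
    for path in sections.get("File", []):
        if path.lower().endswith(".sys"):
            notes.append("deletes a kernel driver file: " + path)
    for drv in sections.get("Driver", []):
        notes.append("removes the service/driver registration: " + drv)
    return notes


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, entries in parsed.items():
        print("%s:: (%d entries)" % (name, len(entries)))
        for e in entries:
            print("   ", e)
    print("\nReview notes:")
    for n in review(parsed):
        print(" -", n)
```

Run it as-is to see the plan for the posted script; pass another script's text to `parse_cfscript` to review that one. The parser raises on lines it does not understand rather than guessing, which is the behaviour you want from a pre-flight check of a script that deletes files and registry keys.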

#7 joshrwtn

joshrwtn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 03 May 2009 - 04:06 PM

Well, just like an intermittent car problem that never shows up when you are at the repair shop, it is not redirecting now. Just to be on the safe side, I am including the logs you requested. Please advise on what to do further. Thank you, Josh

ComboFix 09-05-03.1 - HP_Administrator 05/03/2009 16:09.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2523 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*

FILE ::
c:\windows\system32\drivers\pavboot.sys
c:\windows\system32\vadibuvo.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SDFix
c:\sdfix\Add_DBFix_RunOnce_key.inf
c:\sdfix\apps\assosfix.reg
c:\sdfix\apps\Cghtme.exe
c:\sdfix\apps\clb1.txt
c:\sdfix\apps\cliptext.exe
c:\sdfix\apps\CSweg.exe
c:\sdfix\apps\DBFix.inf
c:\sdfix\apps\download.exe
c:\sdfix\apps\dummy.sys
c:\sdfix\apps\Enable_Command_Prompt.inf
c:\sdfix\apps\Enable_Command_Prompt.reg
c:\sdfix\apps\ERDNT.E_E
c:\sdfix\apps\ERDNTDOS.LOC
c:\sdfix\apps\ERDNTWIN.LOC
c:\sdfix\apps\ERUNT.EXE
c:\sdfix\apps\ERUNT.LOC
c:\sdfix\apps\fix.reg
c:\sdfix\apps\FixBeep.reg
c:\sdfix\apps\FixBH.reg
c:\sdfix\apps\FixComponents.reg
c:\sdfix\apps\FIXCU.reg
c:\sdfix\apps\FIXLM.reg
c:\sdfix\apps\FixPath.exe
c:\sdfix\apps\FixRedir.reg
c:\sdfix\apps\FixSchedule.reg
c:\sdfix\apps\FixWebCheck.reg
c:\sdfix\apps\fixXP.reg
c:\sdfix\apps\FixXPsp2.reg
c:\sdfix\apps\grep.exe
c:\sdfix\apps\HaxdFix.reg
c:\sdfix\apps\HPFix.reg
c:\sdfix\apps\HPFix2.reg
c:\sdfix\apps\HPFix3.reg
c:\sdfix\apps\HPFix4.reg
c:\sdfix\apps\HPFix5.reg
c:\sdfix\apps\HPFix6.reg
c:\sdfix\apps\HPFix7.reg
c:\sdfix\apps\HPFix8.reg
c:\sdfix\apps\HPFix9.reg
c:\sdfix\apps\Installed.txt
c:\sdfix\apps\isadmin.exe
c:\sdfix\apps\leg2.txt
c:\sdfix\apps\legacy.txt
c:\sdfix\apps\legacybk.txt
c:\sdfix\apps\locate.com
c:\sdfix\apps\LS.exe
c:\sdfix\apps\MD5File.exe
c:\sdfix\apps\moveex.exe
c:\sdfix\apps\MyGcpvFix.reg
c:\sdfix\apps\MyGkFix2.reg
c:\sdfix\apps\Process.exe
c:\sdfix\apps\procs.exe
c:\sdfix\apps\psservice.exe
c:\sdfix\apps\Rem.txt
c:\sdfix\apps\Rem2.txt
c:\sdfix\apps\Replace\regedit.exe
c:\sdfix\apps\Replace\w2k\AUTOEXEC.NT
c:\sdfix\apps\Replace\w2k\beep.sys
c:\sdfix\apps\Replace\w2k\command.com
c:\sdfix\apps\Replace\w2k\command.PIF
c:\sdfix\apps\Replace\w2k\CONFIG.NT
c:\sdfix\apps\Replace\w2k\null.sys
c:\sdfix\apps\Replace\xp\AUTOEXEC.NT
c:\sdfix\apps\Replace\xp\beep.sys
c:\sdfix\apps\Replace\xp\command.com
c:\sdfix\apps\Replace\xp\command.PIF
c:\sdfix\apps\Replace\xp\CONFIG.NT
c:\sdfix\apps\Replace\xp\null.sys
c:\sdfix\apps\Reset_AppInit_DLLs.reg
c:\sdfix\apps\RestartIt!.exe
c:\sdfix\apps\Restore_SafeBoot_Windows2000.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
c:\sdfix\apps\Restore_SecurityCenter.reg
c:\sdfix\apps\Restore_SharedAccess.reg
c:\sdfix\apps\sc.exe
c:\sdfix\apps\sed.exe
c:\sdfix\apps\SF.exe
c:\sdfix\apps\shutdown.exe
c:\sdfix\apps\srv2.txt
c:\sdfix\apps\srv2bk.txt
c:\sdfix\apps\svc.txt
c:\sdfix\apps\svcbk.txt
c:\sdfix\apps\Swreg.exe
c:\sdfix\apps\swsc.exe
c:\sdfix\apps\UnRAR.exe
c:\sdfix\apps\unzip.exe
c:\sdfix\apps\vfind.exe
c:\sdfix\apps\WINMSG.EXE
c:\sdfix\apps\winsec.reg
c:\sdfix\apps\zip.exe
c:\sdfix\catchme.exe
c:\sdfix\DBFix.bat
c:\sdfix\dummy.sys
c:\sdfix\RunThis.bat
c:\sdfix\SDFIX_ReadMe_Online.url
c:\sdfix\W2K_VirusAlert_Repair.inf
c:\sdfix\XP_VirusAlert_Repair.inf
C:\VundoFix Backups
c:\windows\system32\drivers\pavboot.sys
c:\windows\system32\vadibuvo.dll.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PAVBOOT
-------\Service_pavboot


((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-02 04:49 . 2009-05-02 04:49 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-04-24 04:21 . 2009-04-24 04:21 -------- d-----w c:\program files\VASST
2009-04-24 02:30 . 2009-04-24 02:30 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-21 05:06 . 2009-04-21 05:07 -------- d-----w C:\Easy Worship
2009-04-21 04:12 . 2009-04-21 04:12 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-17 01:46 . 2009-04-17 01:46 -------- d-----w C:\HIjack This
2009-04-17 01:46 . 2009-04-17 01:46 -------- d-----w C:\New Folder
2009-04-16 11:34 . 2009-04-16 11:34 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\Identities
2009-04-16 04:58 . 2009-04-16 04:58 -------- d-----w c:\program files\Safer Networking
2009-04-16 04:56 . 2009-04-16 04:56 -------- d-----w c:\program files\Panda Security
2009-04-16 04:41 . 2009-04-16 04:41 -------- d-----w c:\documents and settings\All Users\Application Data\Geek Squad
2009-04-16 04:26 . 2009-02-20 18:09 63488 ------w c:\windows\system32\dllcache\icardie.dll
2009-04-16 04:26 . 2009-02-20 18:09 268288 ------w c:\windows\system32\dllcache\iertutil.dll
2009-04-16 04:26 . 2009-02-20 10:20 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-04-16 04:26 . 2009-02-20 18:09 52224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-16 04:26 . 2009-02-20 18:09 459264 ------w c:\windows\system32\dllcache\msfeeds.dll
2009-04-16 04:26 . 2008-07-09 14:25 2455488 ------w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-16 04:26 . 2009-02-20 18:09 383488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-16 04:26 . 2009-02-20 18:09 6066176 ------w c:\windows\system32\dllcache\ieframe.dll
2009-04-16 04:22 . 2009-04-16 04:29 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 04:22 . 2009-04-16 04:35 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-16 04:15 . 2009-04-16 04:15 -------- d-----w C:\Deckard
2009-04-16 01:04 . 2009-04-16 01:04 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-16 00:57 . 2009-04-16 01:00 -------- d-----w c:\documents and settings\HP_Administrator\.SunDownloadManager
2009-04-15 12:05 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-15 06:11 . 2009-04-22 06:11 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-15 06:11 . 2009-04-22 06:12 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-15 06:10 . 2009-04-15 06:10 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-15 06:10 . 2009-04-15 06:10 -------- d-----w c:\program files\Lavasoft
2009-04-15 06:10 . 2009-04-15 06:11 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-15 06:05 . 2009-04-15 06:05 -------- d-----w c:\program files\CCleaner
2009-04-08 06:13 . 2009-04-12 05:36 -------- d-----w C:\church flash
2009-04-05 04:07 . 2009-04-05 04:20 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-05 04:07 . 2009-04-05 04:20 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-05 04:06 . 2009-05-03 20:11 3508768 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-05 04:06 . 2009-05-03 20:11 639008 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-05 04:06 . 2009-04-05 04:06 -------- d-----w c:\program files\Kaspersky Lab
2009-04-05 04:06 . 2009-05-03 20:14 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-05 03:47 . 2009-04-05 03:47 -------- d-----w c:\documents and settings\HP_Administrator\DoctorWeb
2009-04-04 14:21 . 2009-04-04 14:25 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\ImgBurn
2009-04-04 14:15 . 2009-04-04 14:15 -------- d-----w c:\program files\ImgBurn
2009-04-04 06:40 . 2009-05-03 12:53 -------- d-----w C:\temp
2009-04-04 05:14 . 2009-04-04 05:14 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-04 05:14 . 2009-01-14 21:11 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 05:14 . 2009-01-14 21:11 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 05:14 . 2009-04-04 05:14 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-04 05:14 . 2009-04-04 05:15 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-04 03:38 . 2009-04-04 03:38 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Sonic
2009-04-04 03:38 . 2009-04-04 03:38 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Leadertech
2009-04-04 00:55 . 2009-04-04 00:55 -------- d-----w C:\!FixIEDef
2009-04-04 00:16 . 2009-04-04 00:16 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-04-04 00:15 . 2009-04-04 00:15 -------- d-----w c:\program files\Common Files\iS3
2009-04-04 00:15 . 2009-04-04 00:59 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 20:12 . 2009-04-21 04:12 882 ----a-w c:\windows\Tasks\GoogleUpdateTaskMachine.job
2009-05-03 20:12 . 2005-06-07 13:57 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 20:11 . 2009-04-05 04:06 4312 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-03 20:11 . 2009-04-05 04:06 32684 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-01 06:11 . 2009-03-08 21:21 -------- d-----w c:\program files\CoffeeCup Software
2009-04-29 06:11 . 2009-04-15 06:12 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-04-22 20:28 . 2009-03-05 01:21 -------- d-----w c:\program files\Google
2009-04-16 01:04 . 2009-03-05 00:30 -------- d-----w c:\program files\Java
2009-04-05 04:20 . 2008-01-29 23:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-04-01 04:44 . 2009-04-01 04:44 -------- d-----w c:\program files\Google Hacks
2009-03-31 05:13 . 2009-03-31 05:13 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-31 05:11 . 2009-03-07 07:35 -------- d-----w c:\program files\Sony
2009-03-31 05:10 . 2009-03-07 07:28 -------- d-----w c:\program files\Sony Setup
2009-03-28 04:09 . 2009-03-08 03:06 -------- d-----w c:\program files\K-Lite Codec Pack
2009-03-22 02:51 . 2009-03-22 02:51 -------- d-----w c:\program files\Common Files\Borland Shared
2009-03-22 02:51 . 2009-03-22 02:51 -------- d-----w c:\program files\Softouch
2009-03-21 02:38 . 2009-03-06 16:27 139 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2009-03-20 14:50 . 2009-03-20 14:50 -------- d-----w c:\program files\Coupons
2009-03-12 00:10 . 2009-03-12 00:10 -------- d-----w c:\program files\Yahoo!
2009-03-10 02:17 . 2009-03-10 02:17 -------- d-----w c:\program files\Lavalys
2009-03-08 21:22 . 2009-03-05 00:39 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 05:41 . 2009-03-07 07:51 10 ----a-w c:\windows\popcinfo.dat
2009-03-07 08:06 . 2009-03-07 08:06 0 ----a-w c:\windows\nsreg.dat
2009-03-07 08:06 . 2009-03-07 08:06 -------- d-----w c:\program files\Softland
2009-03-07 08:03 . 2009-03-05 01:05 -------- d-----w c:\program files\Microsoft Works
2009-03-07 07:59 . 2009-03-07 07:59 -------- d-----w c:\program files\The Game Creators
2009-03-07 07:50 . 2009-03-07 07:50 -------- d-----w c:\program files\GameHouse
2009-03-07 07:50 . 2009-03-07 07:50 -------- d-----w c:\program files\Bejeweled 2 Deluxe
2009-03-07 07:50 . 2009-03-07 07:50 720896 ----a-w c:\windows\iun6002ev.exe
2009-03-07 07:46 . 2009-03-07 07:46 -------- d-----w c:\program files\DVD Shrink
2009-03-07 07:43 . 2009-03-07 07:41 -------- d-----w c:\program files\DVDFab 5
2009-03-07 07:41 . 2009-03-07 07:41 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-07 07:41 . 2009-03-07 07:41 47360 ----a-w c:\documents and settings\HP_Administrator\Application Data\pcouffin.sys
2009-03-07 07:35 . 2009-03-07 07:35 -------- d-----w c:\program files\Vstplugins
2009-03-07 07:26 . 2009-03-07 07:23 -------- d-----w c:\program files\Common Files\Ahead
2009-03-07 07:23 . 2009-03-07 07:23 -------- d-----w c:\program files\Nero
2009-03-07 07:18 . 2009-03-07 07:18 -------- d-----w c:\program files\Error Repair Professional
2009-03-07 07:16 . 2009-03-07 07:16 -------- d-----w c:\program files\Audacity
2009-03-07 05:38 . 2009-03-07 05:38 86816 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-07 05:38 . 2009-03-05 00:50 112942 ----a-w c:\windows\hpoins07.dat
2009-03-07 05:29 . 2009-03-05 01:03 -------- d-----w c:\program files\Common Files\Adobe
2009-03-07 05:22 . 2009-03-07 05:22 -------- d-----w c:\program files\Microsoft.NET
2009-03-07 04:19 . 2009-03-07 04:19 -------- d-----w c:\program files\VRanger
2009-03-07 04:18 . 2009-03-05 01:07 -------- d-----w c:\program files\QuickTime
2009-03-07 04:17 . 2009-03-05 01:18 -------- d-----w c:\program files\Easy Internet signup
2009-03-07 04:16 . 2009-03-05 01:11 -------- d-----w c:\program files\Quicken
2009-03-07 03:43 . 2009-03-07 03:43 -------- d-----w c:\program files\Toddler Keys
2009-03-07 01:32 . 2009-03-07 01:32 -------- d-----w c:\program files\oZone3D
2009-03-06 16:29 . 2009-03-06 16:29 1801 --sha-r c:\windows\system32\drivers\103C_HP_CPC_ED895AA-ABA a1210n_YC_0Pavi_QCNH537_E54NAsyMPC1_48_IAmberine M_SASUSTek Computer INC._V1.03_B3.15_T070125_WXP2_L409_M3071_J500_7AMD_8Athlon 64_92.19_#090305_N10EC8139_Z_G.MRK
2009-03-05 01:31 . 2009-03-05 01:02 -------- d-----w c:\program files\Hewlett-Packard
2009-03-05 01:17 . 2009-03-05 01:17 -------- d-----w c:\program files\PC-Doctor for DOS
2009-03-05 01:16 . 2004-11-17 18:31 92191 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-05 01:16 . 2009-03-05 01:16 61440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-03-05 01:16 . 2009-03-05 01:16 45056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-03-05 01:16 . 2009-03-05 01:16 44032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-03-05 01:16 . 2009-03-05 01:16 40960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-03-05 01:16 . 2009-03-05 01:16 32768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-03-05 01:16 . 2009-03-05 01:16 32768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-03-05 01:16 . 2009-03-05 01:16 287310 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection.dll
2009-03-05 01:16 . 2009-03-05 01:16 163840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-03-05 01:14 . 2009-03-05 01:14 118842 ----a-r c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
2009-03-05 01:14 . 2009-03-05 01:14 -------- d-----w c:\program files\Updates from HP
2009-03-05 01:13 . 2009-03-05 01:13 14289 ----a-w c:\windows\system32\CHODDI.SYS
2009-03-05 01:10 . 2009-03-05 01:09 -------- d-----w c:\program files\muvee Technologies
2009-03-05 01:10 . 2009-03-05 01:10 -------- d-----w c:\program files\Common Files\muvee Technologies
2009-03-05 01:09 . 2009-03-05 00:39 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-05 01:07 . 2009-03-05 01:07 -------- d-----w c:\program files\iTunes
2009-03-05 01:07 . 2009-03-05 01:07 -------- d-----w c:\program files\iPod
2009-03-05 01:03 . 2009-03-05 01:03 -------- d-----w c:\program files\IntelliMover Data Transfer Demo
2009-03-05 01:02 . 2009-03-05 01:02 -------- d-----w c:\program files\Common Files\InterVideo
2009-03-05 01:02 . 2009-03-05 01:02 -------- d-----w c:\program files\InterVideo
2009-03-05 01:01 . 2009-03-05 01:01 -------- d-----w c:\program files\Common Files\TiVo Shared
2009-03-05 01:01 . 2009-03-05 00:56 -------- d-----w c:\program files\Sonic
2009-03-05 01:00 . 2009-03-06 16:26 136 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat
2009-03-05 01:00 . 2009-03-05 01:00 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-03-05 01:00 . 2009-03-05 00:59 -------- d-----w c:\program files\EnglishOtto
2009-03-05 00:59 . 2009-03-05 00:57 -------- d-----w c:\program files\WildTangent
2009-03-05 00:56 . 2009-03-05 00:56 -------- d-----w c:\program files\Common Files\SureThing Shared
2009-03-05 00:56 . 2009-03-05 00:49 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-05 00:55 . 2009-03-05 00:55 -------- d-----w c:\program files\Common Files\xing shared
2009-03-05 00:55 . 2009-03-05 00:55 -------- d-----w c:\program files\Common Files\Real
2009-03-05 00:55 . 2009-03-05 00:55 -------- d-----w c:\program files\Real
2009-03-05 00:55 . 2009-03-05 00:55 -------- d-----w c:\program files\MSN Encarta Standard
2009-03-05 00:51 . 2009-03-05 00:51 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-05 00:50 . 2009-03-05 00:45 80418 ----a-w c:\windows\HPHins08.dat
2009-03-05 00:48 . 2009-03-05 00:48 -------- d-----w c:\program files\Common Files\HP
2009-03-05 00:46 . 2009-03-05 00:43 -------- d-----w c:\program files\HP
2009-03-05 00:45 . 2009-03-05 00:43 72881 ----a-w c:\windows\hpiins01.dat
2009-03-05 00:30 . 2009-03-05 00:30 -------- d-----w c:\program files\Common Files\Java
2009-03-03 00:18 . 2009-03-04 17:02 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-03-04 09:56 78336 ------w c:\windows\system32\ieencode.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} ----

2009-04-15 06:10 . 2009-04-15 06:10 90 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\instance.dat
2009-04-15 06:10 . 2009-04-15 06:10 497 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.dat
2009-04-15 06:10 . 2009-04-15 06:10 9 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.lan
2009-04-15 06:10 . 2009-04-15 06:10 9262 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.par
2009-04-15 06:10 . 2009-03-12 08:17 578782 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\mia.lib
2009-04-15 06:10 . 2009-03-12 08:17 5115615 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.res
2009-04-15 06:10 . 2009-03-12 08:17 1802240 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.msi
2009-04-15 06:10 . 2009-03-12 08:17 2902048 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

---- Directory of c:\documents and settings\HP_Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150000} ----

2009-03-06 16:27 . 2009-03-05 00:30 3584 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150000}\1033.MST
2009-03-06 16:27 . 2009-03-05 00:30 10331648 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150000}\J2SE Runtime Environment 5.0.msi


((((((((((((((((((((((((((((( SnapShot@2009-05-03_18.51.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 20:13 . 2009-05-03 20:13 16384 c:\windows\temp\Perflib_Perfdata_528.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 94208]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-11 59392]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-05 180269]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-04-05 206088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-22 516440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-16 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-25 1630208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-7 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 gupdate1c9c2375963bece;Google Update Service (gupdate1c9c2375963bece);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-21 133104]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-05 33808]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-22 64160]
S1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-22 953168]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-14 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]

.
Contents of the 'Scheduled Tasks' folder

2009-04-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 06:11]

2009-05-03 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-21 04:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://youtube.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\u3b95r1m.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\u3b95r1m.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 16:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1432)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\HPZipm12.exe
c:\hp\KBD\kbd.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-03 16:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-03 20:19
ComboFix2.txt 2009-05-03 18:53
ComboFix3.txt 2009-04-16 01:12

Pre-Run: 238,334,033,920 bytes free
Post-Run: 238,316,609,536 bytes free

421

______________________________________________________________________________________________________


GooredFix v1.92 by jpshortstuff
Log created at 16:20 on 03/05/2009 running Option #1 (HP_Administrator)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{37AAC096-632B-40FD-92E8-6A8830391540}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"



______________________________________________________________________________________________________


Malwarebytes' Anti-Malware 1.36
Database version: 2071
Windows 5.1.2600 Service Pack 2

5/3/2009 4:53:01 PM
mbam-log-2009-05-03 (16-52-48).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 182466
Time elapsed: 29 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Hijackthis\backups\backup-20090403-191155-691.dll (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vadibuvo.dll.tmp.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP77\A0011942.dll (Trojan.Vundo) -> No action taken.
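The GooredFix log in this post flags a GUID-named folder in Firefox's application-wide extensions directory that no HKLM registration vouches for, while its registry dump shows the two legitimately registered extensions (Google Gears and Java Quick Starter) pointing elsewhere. As an added example, not GooredFix's own code, here is that check written in Python. The rule that an unregistered GUID folder other than Firefox's default theme is suspect is an assumption modelled on what the log shows, and the inputs below are constructed from it.

```python
"""Spot unregistered GUID-named extensions in Firefox's global extensions folder.

Added example for this thread; it is not GooredFix and only approximates the
check that tool's log implies. Assumption: a legitimate extension dropped into
the application-wide folder is either Firefox's own default theme or is
registered under HKLM\\SOFTWARE\\Mozilla\\Firefox\\extensions; the search
redirector seen in this thread was neither.
"""
import re

# Firefox 3.x default theme: the one GUID folder expected in the global dir.
DEFAULT_THEME = "{972ce4c6-7e08-4474-a285-3208198ce6fd}"
_GUID_DIR_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
_REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"$')


def parse_registry_dump(text):
    """Parse the [HKEY...] / "name"="path" lines of a GooredFix-style dump.

    Only values under a key ending in \\Mozilla\\Firefox\\extensions count as
    extension registrations; the Plugins/Components values live elsewhere.
    """
    registered = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith("\\mozilla\\firefox\\extensions"):
            m = _REG_VALUE_RE.match(line)
            if m:
                registered[m.group("name").lower()] = m.group("path").lower().rstrip("\\")
    return registered


def suspect_entries(global_ext_dir, dir_entries, registered):
    """Return GUID-named folders in the global extensions dir that nothing vouches for."""
    root = global_ext_dir.lower().rstrip("\\")
    registered_paths = set(registered.values())
    suspects = []
    for name in dir_entries:
        # Non-GUID folder names are out of scope for this narrow heuristic.
        if not _GUID_DIR_RE.match(name) or name.lower() == DEFAULT_THEME:
            continue
        full = f"{root}\\{name.lower()}"
        if name.lower() in registered or full in registered_paths:
            continue
        suspects.append(f"{global_ext_dir}\\{name}")
    return suspects


# Constructed inputs modelled on the GooredFix log above.
GLOBAL_EXT_DIR = r"C:\Program Files\Mozilla Firefox\extensions"
DIR_ENTRIES = [DEFAULT_THEME, "{37AAC096-632B-40FD-92E8-6A8830391540}"]
REG_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
"""

if __name__ == "__main__":
    for path in suspect_entries(GLOBAL_EXT_DIR, DIR_ENTRIES, parse_registry_dump(REG_DUMP)):
        print("suspect:", path)
```

On a live machine the `dir_entries` list comes from `os.listdir` on the global extensions folder and the registry dump from `reg export` or the `winreg` module; the heuristic deliberately ignores non-GUID folder names, so a redirector using a human-readable ID would need a different check.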

#8 extremeboy (Malware Response Team)

Posted 03 May 2009 - 05:17 PM

Hello again.

MBAM shows "No action taken"; please re-run a quick scan and, when prompted, please uncheck the following lines if it detects them.

C:\Qoobox\Quarantine\C\WINDOWS\system32\vadibuvo.dll.tmp.vir
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP77\A0011942.dll


You can let it quarantine anything else. If they are already quarantined then don't worry about it.

Now, do the following.

Run GooredFix using Option 2 (Removal)

Please download GooredFix and save it to your Desktop.
Alternative Download Mirror #2

Please make sure all instances of Firefox are closed at this point before proceeding.
  • Please double-click Goored.exe on your Desktop to run it.
  • A window will appear; please select 2. (Fix Goored) by typing 2 and pressing Enter.
  • Type Y at the prompt and press Enter. The removal process will begin.
  • A log will open after completion; please post the contents of that log in your next reply.
*Note: The log can also be found on your desktop (Goored.txt)

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations", then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while, so please be patient and let it finish.
  • Once the files have been downloaded, click on the button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while; be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Re-run DDS and post back with both logs.

With regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

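The MBAM log in the previous post lists three Vundo hits, all marked "No action taken" and all sitting in containers (a HijackThis backup, ComboFix's Qoobox quarantine, a System Restore point) rather than in live locations, which is why the reply above says to uncheck them. As an added example, not part of the thread and not a Malwarebytes tool, this Python sorts "Files Infected" entries by where each file lives; the container markers and the advice strings are assumptions drawn from that reply, and the fourth log line is constructed so that the "live" case is exercised too.

```python
"""Sort Malwarebytes "Files Infected" entries by where each file lives.

Added example for this thread, not a Malwarebytes tool. The path rules are
assumptions based on the folders that appear in the log above.
"""
import re

# Where on disk a detection sits decides the right response. Assumption:
# these rules mirror the advice given in the thread.
CONTAINERS = (
    ("\\qoobox\\quarantine\\", "combofix_quarantine",
     "already contained by ComboFix; leave it unchecked, 'combofix /u' removes the folder"),
    ("\\hijackthis\\backups\\", "hijackthis_backup",
     "backup copy HijackThis kept of a removed item; nothing loads it, delete the backup"),
    ("\\system volume information\\_restore{", "restore_point",
     "inactive copy inside a System Restore point; purge by clearing old restore points"),
)

# "<path> (<threat name>) -> <action>." as MBAM 1.x writes it.
_ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_files_infected(log):
    """Return (path, threat, action) for each line under 'Files Infected:'."""
    entries = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Files Infected:":
            in_section = True
            continue
        if not in_section:
            continue
        if not line:              # blank line closes the section
            in_section = False
            continue
        m = _ENTRY_RE.match(line)  # "(No malicious items detected)" does not match
        if m:
            entries.append((m.group("path"), m.group("threat"), m.group("action")))
    return entries


def classify(path):
    """Return (category, advice) for a detected file path."""
    low = path.lower()
    for marker, category, advice in CONTAINERS:
        if marker in low:
            return category, advice
    return "live", "loadable from its real location; let MBAM quarantine it and reboot"


def triage(log):
    """Return [(path, threat, category, advice)] for every detection in the log."""
    return [(p, t, *classify(p)) for p, t, _ in parse_files_infected(log)]


def needs_rerun(log):
    """True when MBAM found something but the user never clicked Remove."""
    return any(a.startswith("No action taken") for _, _, a in parse_files_infected(log))


# Constructed from the MBAM "Files Infected" lines quoted in this thread,
# plus one constructed live entry (the last line) so every category appears.
SAMPLE_LOG = r"""
Files Infected: 3

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Hijackthis\backups\backup-20090403-191155-691.dll (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vadibuvo.dll.tmp.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP77\A0011942.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\constructed-sample.dll (Trojan.Vundo) -> No action taken.
"""

if __name__ == "__main__":
    if needs_rerun(SAMPLE_LOG):
        print("scan was not acted on; re-run MBAM and remove the live items")
    for path, threat, category, advice in triage(SAMPLE_LOG):
        print(f"{category:20} {threat:14} {path}\n    -> {advice}")
```

The point of the split is that a scanner reporting a hit inside another tool's quarantine or inside a restore point is not evidence of an active infection; only the "live" category says the machine still loads something malicious.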

#9 joshrwtn (Topic Starter)

Posted 03 May 2009 - 09:27 PM

OK, I've done as requested, but it wouldn't let me run the Kaspersky scanner, as I run Kaspersky 2009 as my internet security. I am posting the Goored log below. Is there anything I can do with my Kaspersky to give you a log? Thank you, JOSH

GooredFix v1.92 by jpshortstuff
Log created at 22:20 on 03/05/2009 running Option #2 (HP_Administrator)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{37AAC096-632B-40FD-92E8-6A8830391540}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

#10 extremeboy (Malware Response Team)

Posted 04 May 2009 - 02:23 PM

Hello.

Run this online scan instead.

Run ESET Online Scan
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Please go to ESET OnlineScan (NOD32).
  • You will then see the Terms of Use; tick the check-box in front of YES, I accept the Terms of Use.
  • Now click Start. If you see a "Security Warning" that asks if you want to install and run a file called "OnlineScanner.cab", click Yes.
  • Click Start. The online scanner will now prepare itself for running on your PC.
  • To do a full scan, tick: Remove found threats and Scan potentially unwanted applications.
  • Press Scan. The online scan will now start and scan your computer. Please be patient, as this takes a while.
  • When the scan has finished, it will show a screen with two tabs, "overview" and "details", and the option to get information or buy software; just close the window.
  • Click Start, then Run.... In the box that appears, type, with the quotes:
    "C:\Program Files\EsetOnlineScanner\log.txt"
  • The scan results will now open in Notepad.
  • Click into the text area, right-click and choose Select All. Right-click again and choose Copy.
  • Post back with the log.txt in your next reply.
Note: For Vista users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Reboot your computer once you have posted the log to me and let me know if you still have the redirects; they should be gone now.

With Regards,
Extremeboy

#11 joshrwtn (Topic Starter)

Posted 05 May 2009 - 07:40 AM

Hello, thank you for all of your advice. I am not noticing any redirects yet. I am enclosing the ESET log as you requested. If there is anything else I need to do, please let me know. Again I thank you for all of your help!!!!!! JOSH

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4052 (20090504)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=a31c6bc727cece438a2cdb4b6aa764b0
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-05-05 05:55:11
# local_time=2009-05-05 01:55:11 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=839052
# found=0
# scan_time=5229

#12 extremeboy (Malware Response Team)

Posted 05 May 2009 - 03:22 PM

Hello again.

Yes, there's one last thing I need.

Please re-run DDS and post back with a new set of logs (attach included as well).

If those logs look good, then we can clean up next post and give you some prevention tips.

With regards,
Extremeboy

#13 joshrwtn (Topic Starter)

Posted 06 May 2009 - 06:06 PM

Thank you for your help so far. The search engines have not been redirecting anymore, but now I'm having another issue, not sure if it's related or not. When I try to do my Windows updates I get the following error message (Error number: 0x8024D007):
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
Anyway, I'm not sure if that's something you can help with or not. I am posting and attaching the requested DDS files, so let me know what to do next. Thanks again, JOSH


DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 18:57:14.17 on Wed 05/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2383 [GMT -4:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\ChozenOne\port apps\Program Files\KeePassPortable\KeePassPortable.exe
G:\ChozenOne\port apps\Program Files\KeePassPortable\App\keepass\keepass.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://youtube.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.16.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\icoset\adjust.bat seticon
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.16.0\gears.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238546702375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241571259296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: klogon - c:\windows\system32\klogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\u3b95r1m.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\u3b95r1m.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-15 64160]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-4-5 213520]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2009-3-7 8576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-7-29 206088]
S2 gupdate1c9c2375963bece;Google Update Service (gupdate1c9c2375963bece);c:\program files\google\update\GoogleUpdate.exe [2009-4-21 133104]

=============== Created Last 30 ================

2009-05-05 20:27 <DIR> --d----- C:\05ca2c510467bbc97a7d7468e717
2009-05-04 22:04 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-04-24 00:21 <DIR> --d----- c:\program files\VASST
2009-04-24 00:14 6,724,425 a------- C:\picture in picture.flv
2009-04-23 23:31 3,037,037 a------- C:\chroma screen.flv
2009-04-22 23:03 857,257 a------- C:\CelticSilhouette.flv
2009-04-22 23:03 927,150 a------- C:\CrownThornsSilhouette.flv
2009-04-22 23:02 7,334,750 a------- C:\ChristmasArtwork.flv
2009-04-22 23:02 1,167,727 a------- C:\HandsTogether.flv
2009-04-22 23:02 632,832 a------- C:\SandFootprints.flv
2009-04-22 23:01 1,720,367 a------- C:\WorshipFlourish.flv
2009-04-22 23:01 1,289,581 a------- C:\StarTree.flv
2009-04-22 22:58 1,151,848 a------- C:\CrossVines2.flv
2009-04-22 22:58 873,956 a------- C:\MaryBaby.flv
2009-04-22 22:57 1,291,989 a------- C:\TreeCutOut.flv
2009-04-22 22:56 590,816 a------- C:\Fish.flv
2009-04-22 22:55 444,574 a------- C:\FallsClose.flv
2009-04-21 23:02 45,633,241 a------- C:\ferris wheel.mp4
2009-04-21 01:06 <DIR> --d----- C:\Easy Worship
2009-04-16 21:46 <DIR> --d----- C:\HIjack This
2009-04-16 21:46 <DIR> --d----- C:\New Folder
2009-04-16 00:58 <DIR> --d----- c:\program files\Safer Networking
2009-04-16 00:56 <DIR> --d----- c:\program files\Panda Security
2009-04-16 00:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Geek Squad
2009-04-16 00:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-16 00:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-16 00:15 <DIR> --d----- C:\Deckard
2009-04-15 21:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-15 21:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-15 20:57 <DIR> --d----- c:\documents and settings\hp_administrator\.SunDownloadManager
2009-04-15 08:05 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-15 02:11 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-15 02:10 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-15 02:10 <DIR> --d----- c:\program files\Lavasoft
2009-04-15 02:05 <DIR> --d----- c:\program files\CCleaner
2009-04-14 23:54 <DIR> a-dshr-- C:\cmdcons
2009-04-12 00:40 10,053,599 a------- C:\addicted.flv
2009-04-08 02:13 <DIR> --d----- C:\church flash
2009-04-06 22:57 456,016 a------- C:\NightclubInterior.mp3

==================== Find3M ====================

2009-05-05 20:31 3,508,768 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-05 20:31 647,200 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-05-05 20:31 32,684 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-05 20:31 4,340 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 00:20 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-04-05 00:20 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-04-05 00:20 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-03-07 03:50 720,896 a------- c:\windows\iun6002ev.exe
2009-03-07 03:41 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2009-03-07 01:38 112,942 a------- c:\windows\hpoins07.dat
2009-03-04 21:16 92,191 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-04 21:16 287,310 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection.dll
2009-03-04 21:16 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-03-04 21:16 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-03-04 21:16 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-03-04 21:16 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-03-04 21:16 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-03-04 21:16 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-03-04 21:16 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-03-04 21:14 118,842 a----r-- c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
2009-03-04 21:13 14,289 a------- c:\windows\system32\CHODDI.SYS
2009-03-04 20:50 80,418 a------- c:\windows\HPHins08.dat
2009-03-04 20:45 72,881 a------- c:\windows\hpiins01.dat
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 18:57:45.82 ===============

Attached Files
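To show how an analyst reads the "Pseudo HJT Report" section of a DDS log like the one above, here is an added Python triage script; it is not part of the thread and is not a DDS or BleepingComputer tool. It flags orphaned BHO/toolbar registrations, ActiveX (DPF) downloads from hosts outside an allowlist, and autostart entries that run from user-writable or unexpected locations. The allowlisted DPF hosts and trusted autostart roots are assumptions taken from this particular machine's log, and the two lines marked constructed are made up so that the "review" path is exercised.

```python
"""Triage DDS "Pseudo HJT Report" lines.

Added example for this thread, not a DDS or BleepingComputer tool. The
allowlist and path rules below are assumptions chosen for illustration;
a real triage keeps them in a maintained config.
"""
import re
from urllib.parse import urlparse

# Hosts the DPF (Downloaded Program Files / ActiveX) entries on this machine
# legitimately pull from. Assumption: anything else needs a look.
KNOWN_DPF_HOSTS = {
    "update.microsoft.com",
    "java.sun.com",
    "fpdownload2.macromedia.com",
    "www.eset.eu",
}

# Directory roots an autostart entry is expected to live under on this HP/XP
# box. Assumption: c:\hp is the OEM tooling root seen in the log.
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\progra~1", "c:\\hp")
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\applic~1\\", "\\locals~1\\")

_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - (?P<url>\S+)")
_RUN_RE = re.compile(r"^(?P<scope>[um]Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
_ORPHAN_RE = re.compile(r"^(?:TB|BHO): .* - No File$")


def _host(url):
    """DDS defangs URLs as hxxp://; restore the scheme before parsing."""
    return urlparse(url.replace("hxxp://", "http://", 1)).hostname or ""


def _target_path(cmd):
    """Pull the executable or DLL that actually runs from a Run value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    parts = cmd.split()
    if parts[0].lower() in ("rundll32.exe", "rundll32") and len(parts) > 1:
        # rundll32 is only a host; the DLL named after it is what runs.
        return parts[1].split(",", 1)[0]
    return parts[0]


def triage_line(line):
    """Return (severity, reason) for a line worth attention, else None."""
    line = line.strip()
    if _ORPHAN_RE.match(line):
        return ("info", "orphaned BHO/toolbar registration: file is gone, remove the key")
    m = _DPF_RE.match(line)
    if m:
        host = _host(m.group("url"))
        if host not in KNOWN_DPF_HOSTS:
            return ("review", f"ActiveX download from unlisted host {host!r}")
        return None
    m = _RUN_RE.match(line)
    if m:
        path = _target_path(m.group("cmd")).lower()
        if "\\" not in path:
            return ("info", f"bare filename {path!r} resolved via PATH; confirm which copy runs")
        if any(d in path for d in SUSPECT_DIRS):
            return ("review", f"autostart from a user-writable location: {path}")
        if not path.startswith(TRUSTED_ROOTS):
            return ("review", f"autostart outside trusted roots: {path}")
    return None


def triage(report):
    """Triage a whole report; returns [(severity, reason, line), ...]."""
    findings = []
    for line in report.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


# Lines taken from the DDS log posted above, plus two constructed entries
# (marked in their names) so the "review" path is exercised.
SAMPLE_REPORT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\icoset\adjust.bat seticon
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
uRun: [constructed] c:\docume~1\hp_adm~1\locals~1\temp\constructed.exe
DPF: {00000000-0000-0000-0000-000000000000} - hxxp://example.invalid/constructed.cab
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_REPORT):
        print(f"[{severity}] {reason}\n    {line}")
```

Entries under the trusted roots still deserve a glance (Vundo on this machine lived in system32, per the MBAM log), so the script is a prioritiser, not a verdict; its job is to put orphaned keys, unknown ActiveX sources and anything starting from a temp or profile folder at the top of the list.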



#14 extremeboy (Malware Response Team)

Posted 07 May 2009 - 03:08 PM

Hello.

Please remove all other versions of Java except Java 6 Update 13. I believe you have no more symptoms?

Regarding the Windows Update problem:

See if this tool fixes it; if not, start a new topic over here, as I have seen this issue and it is usually resolved in that forum. This forum is for malware removal only.

Other than that, let's clean up.

Please follow/read the steps below to remove the tools we used and for some more information.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the run box and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, select "2".
This will remove files/folders associated with ComboFix and uninstall it.

Download and Run OTCleanIt

We will now remove the tools we used during this fix.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
You may delete the tool after use.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Many hacking attempts and Trojans use methods (plugged by the updates) that have not been stopped because people do not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, then here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck!


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy


#15 extremeboy (Malware Response Team)

Posted 09 May 2009 - 02:36 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy



