Google redirect virus


This topic is locked. 2 replies to this topic.

#1 Olestra (Members, 1 posts)

Posted 25 January 2010 - 04:45 PM

Hi experts.

Over the last day I've been cleaning viruses out of a friend's computer. I've cleaned out many of the viruses already using:
AVG 9 Free
UnHackMe 5.7
XDelBox 1.0 Beta

UnHackMe and XDelBox helped me detect and remove Google redirect viruses in Firefox and Safari. However, the Google redirect virus still remains for IE.
There was a MyWebSearch toolbar installed, and some of the registry keys were removed by UnHackMe and XDelBox. The Add/Remove entry still remains, and it won't let me uninstall it because of a file that had been quarantined.
I'm not sure if this matters but I thought I'd mention it. If it doesn't matter, then please disregard it, I can figure out how to remove the toolbar files and remaining registry keys myself.

I'm currently at work and will have a look at the machine again in a few hours. I'm at the point where I'm afraid to run any more utilities without any further advice. Furthermore, when I ran those utilities, I had failed to turn off AVG and unplug the internet cable (I didn't know any better).
Please advise, thanks!

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:02 AM, on 1/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm069YYCA
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://webcam04.deg.net/activex/AMC.cab
O16 - DPF: {C333B6BA-1CEB-420B-A16C-E69F1C6956A0} (PNB_VBAuthentic.Authentic) - https://ibs.pnb.com.ph/download/Authentic/V...thentic-PNB.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\Player\__CDS2.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 1: J-Track: Satellite Tracking - http://liftoff.msfc.nasa.gov/RealTime/JTrack/Desktop.html


--
End of file - 9413 bytes

---------------------------------------------------------------------------------------
Edit:
I have looked at other threads and followed some instructions from there.

GMER log, which tells me the zulccs service is red and dangerous:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-25 22:55:42
Windows 5.1.2600 Service Pack 3
Running: l1ce4dbp.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\kwaorfow.sys


---- Kernel code sections - GMER 1.0.15 ----

.pak2 C:\WINDOWS\system32\drivers\zulccs.sys entry point in ".pak2" section [0xBA70FCF4]
? C:\WINDOWS\system32\drivers\zulccs.sys A device attached to the system is not functioning.
PAGE Ntfs.sys BA54BE55 4 Bytes CALL 8A9EF159
? System32\DRIVERS\UnHackMeDrv.sys The system cannot find the path specified. !
? C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1596] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00376098
.text C:\WINDOWS\Explorer.EXE[1596] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003762C9
.text C:\WINDOWS\Explorer.EXE[1596] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 0037627A
.text C:\WINDOWS\Explorer.EXE[1596] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003760DE
.text C:\WINDOWS\Explorer.EXE[1596] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003762F0
.text C:\WINDOWS\Explorer.EXE[1596] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00376118
.text C:\WINDOWS\Explorer.EXE[1596] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003761EE
.text C:\WINDOWS\system32\taskmgr.exe[2032] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00376098
.text C:\WINDOWS\system32\taskmgr.exe[2032] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003762C9
.text C:\WINDOWS\system32\taskmgr.exe[2032] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 0037627A
.text C:\WINDOWS\system32\taskmgr.exe[2032] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003760DE
.text C:\WINDOWS\system32\taskmgr.exe[2032] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003762F0
.text C:\WINDOWS\system32\taskmgr.exe[2032] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00376118
.text C:\WINDOWS\system32\taskmgr.exe[2032] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003761EE
.text C:\Program Files\Safari\Safari.exe[2640] ws2_32.dll!closesocket 71AB3E2B 3 Bytes JMP 00365E11
.text C:\Program Files\Safari\Safari.exe[2640] ws2_32.dll!closesocket + 4 71AB3E2F 1 Byte [8E]
.text C:\Program Files\Safari\Safari.exe[2640] ws2_32.dll!send 71AB4C27 3 Bytes JMP 00365BEA
.text C:\Program Files\Safari\Safari.exe[2640] ws2_32.dll!send + 4 71AB4C2B 1 Byte [8E]
.text C:\Program Files\Safari\Safari.exe[2640] ws2_32.dll!WSARecv 71AB4CB5 3 Bytes JMP 00365D69
.text C:\Program Files\Safari\Safari.exe[2640] ws2_32.dll!WSARecv + 4 71AB4CB9 1 Byte [8E]
.text C:\Program Files\Safari\Safari.exe[2640] ws2_32.dll!recv 71AB676F 5 Bytes JMP 00365C5D
.text C:\Program Files\Safari\Safari.exe[2640] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00365CCF
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2724] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 003B6098
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2724] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003B62C9
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2724] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 003B627A
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2724] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003B60DE
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2724] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003B62F0
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2724] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 003B6118
.text C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe[2724] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003B61EE
.text C:\WINDOWS\system32\hphmon06.exe[2880] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00396098
.text C:\WINDOWS\system32\hphmon06.exe[2880] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003962C9
.text C:\WINDOWS\system32\hphmon06.exe[2880] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 0039627A
.text C:\WINDOWS\system32\hphmon06.exe[2880] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003960DE
.text C:\WINDOWS\system32\hphmon06.exe[2880] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003962F0
.text C:\WINDOWS\system32\hphmon06.exe[2880] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00396118
.text C:\WINDOWS\system32\hphmon06.exe[2880] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003961EE
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2888] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00376098
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2888] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003762C9
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2888] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 0037627A
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2888] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003760DE
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2888] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003762F0
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2888] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00376118
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe[2888] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003761EE
.text C:\WINDOWS\system32\ctfmon.exe[3148] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00386098
.text C:\WINDOWS\system32\ctfmon.exe[3148] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003862C9
.text C:\WINDOWS\system32\ctfmon.exe[3148] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 0038627A
.text C:\WINDOWS\system32\ctfmon.exe[3148] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003860DE
.text C:\WINDOWS\system32\ctfmon.exe[3148] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003862F0
.text C:\WINDOWS\system32\ctfmon.exe[3148] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00386118
.text C:\WINDOWS\system32\ctfmon.exe[3148] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003861EE
.text C:\Program Files\Messenger\msmsgs.exe[3196] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00396098
.text C:\Program Files\Messenger\msmsgs.exe[3196] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003962C9
.text C:\Program Files\Messenger\msmsgs.exe[3196] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 0039627A
.text C:\Program Files\Messenger\msmsgs.exe[3196] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003960DE
.text C:\Program Files\Messenger\msmsgs.exe[3196] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003962F0
.text C:\Program Files\Messenger\msmsgs.exe[3196] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00396118
.text C:\Program Files\Messenger\msmsgs.exe[3196] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003961EE
.text C:\cara\Jeff Tools\l1ce4dbp.exe[3392] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00386098
.text C:\cara\Jeff Tools\l1ce4dbp.exe[3392] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003862C9
.text C:\cara\Jeff Tools\l1ce4dbp.exe[3392] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 0038627A
.text C:\cara\Jeff Tools\l1ce4dbp.exe[3392] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003860DE
.text C:\cara\Jeff Tools\l1ce4dbp.exe[3392] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003862F0
.text C:\cara\Jeff Tools\l1ce4dbp.exe[3392] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00386118
.text C:\cara\Jeff Tools\l1ce4dbp.exe[3392] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003861EE
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3552] ntdll.dll!NtCreateKey 7C90D0EE 5 Bytes JMP 00366098
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3552] ntdll.dll!NtDeleteKey 7C90D24E 5 Bytes JMP 003662C9
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3552] ntdll.dll!NtDeleteValueKey 7C90D26E 5 Bytes JMP 0036627A
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3552] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 003660DE
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3552] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 003662F0
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3552] ntdll.dll!NtQueryValueKey 7C90D96E 5 Bytes JMP 00366118
.text C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe[3552] ntdll.dll!NtSetValueKey 7C90DDCE 5 Bytes JMP 003661EE

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A9FD808

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sdcplh.sys (SDCPLH/Macrovision Europe Ltd)
Device \Driver\atapi \Device\Ide\IdePort0 sdcplh.sys (SDCPLH/Macrovision Europe Ltd)
Device \Driver\atapi \Device\Ide\IdePort1 sdcplh.sys (SDCPLH/Macrovision Europe Ltd)
Device \Driver\atapi \Device\Ide\IdePort2 sdcplh.sys (SDCPLH/Macrovision Europe Ltd)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sdcplh.sys (SDCPLH/Macrovision Europe Ltd)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs A6861400

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] zulccs <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\zulccs@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\zulccs@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zulccs@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zulccs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\zulccs@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\zulccs@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\zulccs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\zulccs@Group Boot Bus Extender
Reg HKLM\SOFTWARE\Classes\CLSID\{F13B38F2-4869-5605-2D00-E9E5E3AF0FA8}\InprocServer32@ c:\Program Files\Common Files\Microsoft Shared\Shoebox\sbox7.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{F13B38F2-4869-5605-2D00-E9E5E3AF0FA8}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F13B38F2-4869-5605-2D00-E9E5E3AF0FA8}\ProgID@ Shoebox.ShoeboxThumbnail.7
Reg HKLM\SOFTWARE\Classes\CLSID\{F13B38F2-4869-5605-2D00-E9E5E3AF0FA8}\TypeLib@ {4F3F0212-7411-40c2-8983-18BE4ACFD83A}
Reg HKLM\SOFTWARE\Classes\CLSID\{F13B38F2-4869-5605-2D00-E9E5E3AF0FA8}\VersionIndependentProgID@ Shoebox.ShoeboxThumbnail

---- Files - GMER 1.0.15 ----

File C:\temp\XDelScan\quarantine\kbdsock.dll 3072 bytes executable
File C:\WINDOWS\system32\kbdsock.dll 3072 bytes executable
File C:\WINDOWS\system32\mshlps.dll 3072 bytes executable
File C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\config 0 bytes
File C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\config\ServerSettings.xml 561 bytes
File C:\Documents and Settings\All Users\Application Data\Motive\Acme\plugin\config 0 bytes
File C:\Documents and Settings\All Users\Application Data\Motive\Acme\plugin\config\LocalSiteOutline.xml 170314 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Motive\Acme\plugin\config 0 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Motive\Acme\plugin\config\Contact.xml 300 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf 0 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\advsysinfo.xml 10580 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Customization.properties 683 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\CustomizationHighContrast.properties 630 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\DefaultStyles.css 3967 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\errorcodes.txt 4609 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\filter.xml 2108 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\FriendlyNames.properties 2634 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\HighContrastStyles.css 3967 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\pcd4japi.props 25542 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\pcdrlog4j.props 1234 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\policy.all 62 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources 0 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp.properties 1265 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_de.properties 1273 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_es.properties 1317 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_it.properties 1236 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_ja.properties 2350 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_ko.properties 1874 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_nl.properties 1185 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_pt.properties 1333 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_zh.properties 1499 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_zh_HK.properties 1574 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_zh_MO.properties 1572 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_zh_TW.properties 1578 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\hp_fr.properties 1393 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\new.properties 214 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr.properties 28430 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_de.properties 29879 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_en.properties 28430 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_es.properties 31799 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_fr.properties 32602 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_it.properties 29624 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_ja.properties 48716 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_ko.properties 42005 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_nl.properties 28231 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_pt.properties 31715 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_zh.properties 36108 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_zh_HK.properties 34699 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_zh_MO.properties 34701 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Resources\pcdr_zh_TW.properties 36632 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\test.xml 15552 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Tools.ini 4349 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\Tools9xME.ini 4417 bytes
File C:\Program Files\PC-Doctor for Windows\Java\conf\ToolsNT.ini 2437 bytes
File C:\Program Files\QuickTax Tracker\inet\common\alerts\config 0 bytes
File C:\Program Files\QuickTax Tracker\inet\common\alerts\config\index.ini 127 bytes
File C:\Program Files\VideoLAN\VLC\locale\co 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo 667 bytes
File C:\Program Files\VideoLAN\VLC\locale\ms 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES 0 bytes
File C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo 355450 bytes
File C:\Program Files\Help and Support Additions\HPQ\XPXWWPP5\plugin\config 0 bytes
File C:\Program Files\Help and Support Additions\HPQ\XPXWWPP5\plugin\config\contentversion.xml 161 bytes
File C:\Program Files\Help and Support Additions\HPQ\XPXWWPP5\plugin\config\ServerSettings.xml 561 bytes
File C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\conf 0 bytes
File C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\conf\catalina.policy 6689 bytes
File C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\conf\server-noexamples.xml.config 11819 bytes
File C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\conf\server.xml 12024 bytes
File C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\conf\tomcat-users.xml 121 bytes
File C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\conf\userKey.txt 34 bytes
File C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\conf\web.xml 30821 bytes

---- EOF - GMER 1.0.15 ----

---------------------------------------------------------------------------------------

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys sdcplh.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

---------------------------------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Owner at 18:41:46.87 on Mon 01/25/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1188 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.ca/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [<NO NAME>]
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [HPLJ Config] c:\program files\hewlett-packard\hp laserjet 1010 series\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
mRun: [AutoTBar] c:\program files\hp\digital imaging\bin\AUTOTBAR.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\pmremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm069YYCA
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://webcam04.deg.net/activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C333B6BA-1CEB-420B-A16C-E69F1C6956A0} - hxxps://ibs.pnb.com.ph/download/Authentic/VBAuthentic-PNB.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} - hxxp://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\b0qqgviv.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-21 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-21 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-21 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-1-21 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-21 285392]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2006-11-28 2368]

=============== Created Last 30 ================

2010-01-26 01:33:57 0 d-----w- c:\temp\DDS LOGS
2010-01-25 06:43:04 0 d-----w- c:\program files\Trend Micro
2010-01-25 06:41:51 0 d-----w- c:\temp\TMRBLog
2010-01-25 06:33:38 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-25 06:33:21 2457600 ----a-w- c:\temp\RootkitBuster.exe
2010-01-25 06:32:35 1074232 ----a-w- c:\temp\RootkitBuster_2.80.1077.zip
2010-01-25 05:52:08 0 d-----w- c:\temp\XDelScan
2010-01-25 04:26:53 2 --shatr- c:\windows\winstart.bat
2010-01-25 02:32:59 71900 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-24 22:35:04 0 d-----w- c:\windows\Options
2010-01-24 22:24:30 0 ----a-w- c:\windows\system32\commonpriv.log.lock
2010-01-24 15:04:19 24576 ----a-w- c:\windows\system32\userinit.exe
2010-01-24 06:09:04 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-24 06:09:04 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-01-24 06:08:58 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-01-24 06:08:58 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-01-24 06:08:02 20992 ----a-w- c:\windows\system32\dshowext.ax
2010-01-24 06:08:02 20992 ----a-w- c:\windows\system32\dllcache\dshowext.ax
2010-01-22 01:56:51 0 d--h--w- C:\$AVG
2010-01-22 01:56:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-22 01:56:37 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-22 01:56:31 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-22 01:56:15 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-22 01:56:05 0 d-----w- c:\program files\AVG
2010-01-22 01:56:03 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-22 01:41:14 225 ----a-w- c:\windows\system32\uses32.dat
2010-01-22 01:41:14 100 ----a-w- c:\windows\system32\flags.ini
2010-01-14 06:19:42 756736 ----a-w- c:\windows\system32\drivers\zulccs.sys
2010-01-13 03:50:44 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 18:11:33 0 ----a-w- c:\windows\Plan.INI

==================== Find3M ====================

2010-01-24 23:38:53 3645 ----a-w- c:\windows\viassary-hp.reg
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ----a-w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2005-08-11 02:49:59 0 -csha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 18:42:02.54 ===============


I also have the Attach.txt from DDS but will post it if required.
My apologies if this is considered bumping.
Thanks in advance!

Edited by Olestra, 26 January 2010 - 01:33 AM.
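A small triage helper for the "Pseudo HJT Report" section of the DDS log above, added here as an example; it is not part of the original post and not part of the DDS tool. It parses the entry shapes DDS prints (TB:, mRun:/uRun:, IE:, FF - plugin:, R1/R2 service lines) and flags only what the log already shows on its face: toolbar entries whose DLL is "No File" and components still pointing at the MyWebSearch toolbar the poster said was only partly uninstalled. The marker substrings, the entry kinds and the sample lines (copied from the log) are my own choices; everything else is summarised, not judged.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of the posted thread or of the DDS tool.  It parses
the line shapes DDS prints and reports two things that can be read straight
off the posted log: toolbar entries whose DLL is gone ("No File") and
components that still point at the MyWebSearch toolbar the poster said was
only partly uninstalled.  Everything else is counted, not judged.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the posted DDS log.
SAMPLE_LOG = r"""
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
mRun: [KBD] c:\hp\kbd\KBD.EXE
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm069YYCA
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-21 333192]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2006-11-28 2368]
"""

# Substrings that identify MyWebSearch components; taken from names in the log.
MYWEBSEARCH_MARKERS = ("mywebsearch", "mwsbar", "npmywebs")

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One (kind, regex) pair per DDS line shape this helper understands.
LINE_PATTERNS = [
    ("TB", re.compile(r"^TB:\s*(?:(?P<name>.*?):\s*)?(?P<clsid>" + CLSID + r")\s*-\s*(?P<path>.*)$")),
    ("Run", re.compile(r"^(?P<scope>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<path>.*)$")),
    ("IE", re.compile(r"^IE:\s*(?P<name>.*?)\s+-\s+(?P<path>.*)$")),
    ("FF-plugin", re.compile(r"^FF - plugin:\s*(?P<path>.*)$")),
    ("service", re.compile(r"^R(?P<start>\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>\S+)")),
]


@dataclass(frozen=True)
class Entry:
    kind: str   # TB, mRun/uRun, IE, FF-plugin, service
    name: str   # toolbar name or CLSID, Run key name, service name, plugin file
    path: str   # file path, URL, or the literal "No File"
    raw: str


def parse_line(line: str):
    """Return an Entry for a recognised DDS line, or None for anything else."""
    line = line.strip()
    for kind, pattern in LINE_PATTERNS:
        m = pattern.match(line)
        if not m:
            continue
        g = m.groupdict()
        path = g["path"].strip()
        if kind == "TB":
            name = g["name"] or g["clsid"]          # unnamed toolbars keep their CLSID
        elif kind == "Run":
            kind = g["scope"] + "Run"               # mRun (machine) vs uRun (user)
            name = g["name"]
        elif kind == "FF-plugin":
            name = path.rsplit("\\", 1)[-1]         # plugin file name only
        else:
            name = g["name"]
        return Entry(kind, name.strip(), path, line)
    return None


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_issues(entries):
    """Flag orphaned toolbars and MyWebSearch remnants; nothing else."""
    findings = []
    for e in entries:
        if e.kind == "TB" and e.path.lower() == "no file":
            findings.append(("orphaned-toolbar", e.name))
        haystack = f"{e.name} {e.path}".lower()
        if any(marker in haystack for marker in MYWEBSEARCH_MARKERS):
            findings.append(("mywebsearch-remnant", f"{e.kind}: {e.name}"))
    return findings


def triage(text: str):
    entries = parse_log(text)
    return {
        "entries": entries,
        "by_kind": Counter(e.kind for e in entries),
        "findings": find_issues(entries),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, n in sorted(result["by_kind"].items()):
        print(f"{kind:10} {n}")
    for tag, what in result["findings"]:
        print(f"[{tag}] {what}")
```

On the sample it reports the two "No File" toolbar CLSIDs and three MyWebSearch remnants (the TB entry, the IE "&Search" context-menu item, and the Firefox NPMyWebS.dll plugin). Run it over the full report by pasting the section into SAMPLE_LOG; unrecognised lines are simply skipped.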



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:12 AM

Posted 01 February 2010 - 12:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:12 AM

Posted 06 February 2010 - 04:37 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber




