Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Gala Search takeover problem


  • This topic is locked This topic is locked
21 replies to this topic

#1 bhhmlh

bhhmlh

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 18 February 2010 - 11:33 AM

Remove the Antivirus Security popups with Malware but still have a problem when IE searches. Goes to Gala Search instead of Google. I have run the programs as directed and will attach. Thank you for your help.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Compaq_Administrator at 19:29:24.12 on Wed 02/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1206 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Anti-Virus - Verizon Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Security Antivirus *On-access scanning enabled* (Updated) {7C475694-C73A-4D03-A4E8-522EE93CA413}
FW: Security Antivirus *enabled* {E7D6F0FB-ED71-4BCE-8A4F-035A08DF8A2C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\2A3L6PEA\Defogger[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://verizon.yahoo.com
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - c:\program files\playsushi\PSText.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [WD Anywhere Backup] c:\program files\wd\wd anywhere backup\MemeoLauncher2.exe --silent
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SetDefPrt] c:\program files\brother\brmfl06a\BrStDvPt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe nogui
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdback~1.lnk - c:\program files\my book\wd backup\uBBMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\playsushi\PSText.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: trymedia.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://www.toyota.com/fjcruiser/features.html?noreloadredir
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139364777312
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {77E55ACB-5CE4-44AD-8C8E-5F36F832BD24} - hxxp://www.gamebonus.com/dngame/gbblasternoid.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxps://www.verizon.net/WhatsNext/CheckMyPc/MotivePreQual.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {C8A20C23-2655-4F44-B221-7F6249198FD9} - hxxp://www.gamebonus.com/dngame/gb5_5Poker.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxps://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D71FF497-8E43-4D53-BDE8-C497F6A39A28} - hxxp://www.gamebonus.com/dngame/gbsubpatrol.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-14 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-14 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-14 360584]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2006-2-6 21031]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2006-2-6 15478]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2006-2-6 879832]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2006-2-6 15735]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2006-7-31 26787]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-2-4 317440]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-9 285392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2009-4-17 25824]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2006-2-6 108360]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S2 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\isafe.exe --> c:\program files\yahoo!\antivirus\ISafe.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-30 135664]
S2 VETMSGNT;VET Message Service;c:\program files\yahoo!\antivirus\vetmsg.exe --> c:\program files\yahoo!\antivirus\VetMsg.exe [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]

=============== Created Last 30 ================

2010-02-18 03:26:08 0 ----a-w- c:\documents and settings\compaq_administrator\defogger_reenable
2010-02-10 13:48:03 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2010-02-10 13:47:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 13:47:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-10 13:47:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 13:47:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 03:51:46 118 ----a-w- c:\windows\system32\MRT.INI
2010-02-10 03:31:00 0 d--h--w- C:\$AVG
2010-02-10 03:30:33 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-10 02:52:46 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SAFKXJJPV
2010-02-10 02:50:22 0 d-sh--w- c:\docume~1\alluse~1\applic~1\6559411
2010-02-05 16:12:42 19521 ----a-w- c:\windows\hpqins13.dat

==================== Find3M ====================

2010-02-10 03:30:54 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-10 03:30:53 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-10 03:30:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-14 19:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2006-04-02 20:24:06 22 --sha-w- c:\windows\sminst\HPCD.sys
2008-08-02 01:42:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080120080802\index.dat

============= FINISH: 19:30:15.21 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:36 AM

Posted 19 February 2010 - 03:43 AM

Hi bhhmlh,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

I see from the log you are using a registry cleaner. Here at BC we do not recommend using registry cleaners as it might irreversibly damage your computer.

We are going to fix the search redirect and also check the whole system.
  1. Optional:Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if your are using it:

    Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it also remove the folder in bold: C:\Program Files\Viewpoint

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  3. Please open Malwarebytes' Anti-Malware.
    • Go to the "More Tools" tab and click on the "Run Tool" button.
    • Browse to the location of the file(s) to remove using the drop down box next to "Look in:".
    • Copy and paste the following in the File name box:

      C:\WINDOWS\system32\drivers\etc\hosts

    • When you find the file(s), click "Open".
    • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
    • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully.

  4. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 bhhmlh

bhhmlh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 19 February 2010 - 09:56 PM

I agree. No changes. Below are the logs you requested. Thanks again for your help.


ComboFix 10-02-19.03 - Compaq_Administrator 02/19/2010 17:46:16.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1228 [GMT -8:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
AV: Anti-Virus - Verizon Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Security Antivirus *On-access scanning enabled* (Updated) {7C475694-C73A-4D03-A4E8-522EE93CA413}
FW: Security Antivirus *enabled* {E7D6F0FB-ED71-4BCE-8A4F-035A08DF8A2C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Compaq_Administrator\Local Settings\Temp\IadHide5.dll
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\ps2.bat
D:\Autorun.inf
K:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-10 13:48 . 2010-02-10 13:48 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2010-02-10 13:47 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 13:47 . 2010-02-10 13:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-10 13:47 . 2010-02-10 13:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 13:47 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 04:26 . 2010-02-10 04:26 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Threat Expert
2010-02-10 03:31 . 2010-02-10 03:34 -------- d-----w- C:\$AVG
2010-02-10 03:30 . 2010-02-10 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-10 02:52 . 2010-02-10 02:52 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SAFKXJJPV
2010-02-10 02:50 . 2010-02-10 02:52 -------- d-sh--w- c:\documents and settings\All Users\Application Data\6559411
2010-02-05 16:12 . 2010-02-05 16:34 19521 ----a-w- c:\windows\hpqins13.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 02:11 . 2006-10-14 21:21 -------- d-----w- c:\program files\Viewpoint
2010-02-20 00:57 . 2006-10-14 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-20 00:05 . 2007-11-09 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-16 02:39 . 2007-05-13 04:24 57 ---h--w- c:\windows\popcreg.dat
2010-02-16 02:39 . 2007-05-13 04:24 124 ----a-w- c:\windows\popcinfot.dat
2010-02-16 02:39 . 2007-05-13 04:28 61 ----a-w- c:\windows\popcinfo.dat
2010-02-10 15:21 . 2007-06-17 15:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-10 03:30 . 2008-12-15 05:46 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-10 03:30 . 2008-12-15 05:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-10 03:30 . 2008-12-15 05:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-10 03:30 . 2008-12-15 05:46 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-10 03:30 . 2008-12-15 05:46 -------- d-----w- c:\program files\AVG
2010-02-10 03:24 . 2006-02-07 04:15 -------- d-----w- c:\program files\Yahoo!
2010-02-10 03:18 . 2007-12-24 07:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-10 03:18 . 2005-11-29 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-05 16:36 . 2005-11-29 09:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 11:18 . 2009-06-20 05:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 19:12 . 2009-10-03 04:46 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 02:11 . 2006-02-23 16:53 -------- d-----w- c:\program files\Watchtower
2009-12-31 16:50 . 2004-08-10 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 22:14 . 2005-11-29 09:18 -------- d-----w- c:\program files\Google
2009-12-23 21:29 . 2009-02-05 03:46 -------- d-----w- c:\program files\The Scruffs
2009-12-21 19:14 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 12:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-10 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-11 02:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-10 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-11 02:00 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2004-08-10 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2004-08-11 02:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2004-08-11 02:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2004-08-10 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-10 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2006-04-02 20:24 . 2006-04-02 20:24 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21608B66-026F-4DCB-9244-0DACA328DCED}]
2009-11-12 03:10 274944 ----a-w- c:\program files\PlaySushi\PSText.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-05-17 430080]
"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2009-04-17 197856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-29 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-02 98304]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-31 1095256]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-13 113664]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-29 36903]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-2-3 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-10 03:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-21 00:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
2007-12-05 23:51 1885464 ----a-w- c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/14/2008 9:46 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/14/2008 9:46 PM 360584]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/4/2009 7:53 AM 317440]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/9/2010 7:30 PM 285392]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [4/17/2009 9:51 AM 25824]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 5:12 PM 102400]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/30/2009 2:14 PM 135664]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 5:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 15:12]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 22:14]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 22:14]

2010-02-19 c:\windows\Tasks\User_Feed_Synchronization-{BD8BAB6A-FC49-419E-B72F-DA9E9E4B80A0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\PlaySushi\PSText.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: trymedia.com
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
HKLM-Run-YOP - c:\progra~1\Yahoo!\YOP\yop.exe
HKLM-Run-WD Button Manager - WDBtnMgr.exe
MSConfigStartUp-Uniblue SpyEraser - c:\program files\Uniblue\SpyEraser\SpyEraser.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 18:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1344)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1580)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(696)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\arservice.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\ARPWRMSG.EXE
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\DISC\DiscStreamHub.exe
c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\ALCXMNTR.EXE
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
.
**************************************************************************
.
Completion time: 2010-02-19 18:29:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-20 02:29

Pre-Run: 58,658,369,536 bytes free
Post-Run: 68,589,686,784 bytes free

- - End Of File - - 162D6E209A085C0014F9BEFBF1A392A0


Malwarebytes' Anti-Malware 1.44
Database version: 3764
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2010 5:28:08 PM
mbam-log-2010-02-19 (17-28-08).txt

Scan type: Quick Scan
Objects scanned: 183604
Time elapsed: 28 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:36 AM

Posted 20 February 2010 - 08:46 AM

Well done. thumbup2.gif

  1. I see on the log the Coupon Printer for Windows is installed on your computer:
    This program is known to be bundled with adware/spyware.

    For more information please see this:
    A Closer Look at Coupons.com

    To uninstall Coupon Printer for Windows:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Coupon Printer for Windows

    Also delete the folders in bold (if present):

    C:\Program Files\Coupon
    C:\Program Files\Coupons

  2. You have Java 6 Update 17 and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components:
    Click "start" and then "Control Panel" icon.
    Doubleclick the "Add or Remove Programs" icon
    A list of programs installed will be "populated" this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java™ 6 Update 2
    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7
    Java™ SE Runtime Environment 6 Update 1


  3. To Clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Settings > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
      • Delete Files
      • View Applications
      • View Applets
    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.

  4. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    SecCenter::
    AV: Security Antivirus *On-access scanning enabled* (Updated) {7C475694-C73A-4D03-A4E8-522EE93CA413}
    FW: Security Antivirus *enabled* {E7D6F0FB-ED71-4BCE-8A4F-035A08DF8A2C}
    DDS::
    Trusted Zone: trymedia.com
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
    Folder::
    c:\documents and settings\All Users\Application Data\SAFKXJJPV
    c:\documents and settings\All Users\Application Data\6559411
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

  5. Also tell me how is your computer running.



#5 bhhmlh

bhhmlh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 20 February 2010 - 10:59 AM

Deleted items that you listed. Copied script and put in Combofix. When it opened I got a warning box that ComboFix had detected the real time scanner to be active (antivirus: Security Antivirus). I though Malware had removed it but now I am not so sure.

How should I proceed?




#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:36 AM

Posted 20 February 2010 - 12:28 PM

Proceed, it is a registry leftover and I have included it in the script to be deleted. The next run of ComboFix (in case we needed it) will not detect that any more.

#7 bhhmlh

bhhmlh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 20 February 2010 - 07:02 PM

Computer is running normal. The google search still goes to gala, but the bing and yahoo searches are ok.

ComboFix 10-02-20.03 - Compaq_Administrator 02/20/2010 15:22:50.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1246 [GMT -8:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
AV: Anti-Virus - Verizon Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\All Users\Application Data\6559411
c:\documents and settings\All Users\Application Data\6559411\11.mof
c:\documents and settings\All Users\Application Data\6559411\BackUp\Adobe Gamma Loader.lnk
c:\documents and settings\All Users\Application Data\6559411\BackUp\Compaq Connections.lnk
c:\documents and settings\All Users\Application Data\6559411\BackUp\HP Digital Imaging Monitor.lnk
c:\documents and settings\All Users\Application Data\6559411\BackUp\Microsoft Office.lnk
c:\documents and settings\All Users\Application Data\6559411\BackUp\WD Backup Monitor.lnk
c:\documents and settings\All Users\Application Data\6559411\SAV.ico
c:\documents and settings\All Users\Application Data\6559411\SAVSys\vd952342.bd
c:\documents and settings\All Users\Application Data\SAFKXJJPV
c:\documents and settings\All Users\Application Data\SAFKXJJPV\SAGHBPV.cfg
c:\documents and settings\Compaq_Administrator\Local Settings\temp\IadHide5.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-10 13:48 . 2010-02-10 13:48 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2010-02-10 13:47 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 13:47 . 2010-02-10 13:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-10 13:47 . 2010-02-10 13:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 13:47 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 04:26 . 2010-02-10 04:26 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Threat Expert
2010-02-10 03:31 . 2010-02-10 03:34 -------- d-----w- C:\$AVG
2010-02-10 03:30 . 2010-02-10 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-05 16:12 . 2010-02-05 16:34 19521 ----a-w- c:\windows\hpqins13.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 15:44 . 2005-11-29 08:37 -------- d-----w- c:\program files\Java
2010-02-20 02:11 . 2006-10-14 21:21 -------- d-----w- c:\program files\Viewpoint
2010-02-20 00:57 . 2006-10-14 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-20 00:05 . 2007-11-09 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-16 02:39 . 2007-05-13 04:24 57 ---h--w- c:\windows\popcreg.dat
2010-02-16 02:39 . 2007-05-13 04:24 124 ----a-w- c:\windows\popcinfot.dat
2010-02-16 02:39 . 2007-05-13 04:28 61 ----a-w- c:\windows\popcinfo.dat
2010-02-10 15:21 . 2007-06-17 15:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-10 03:30 . 2008-12-15 05:46 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-10 03:30 . 2008-12-15 05:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-10 03:30 . 2008-12-15 05:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-10 03:30 . 2008-12-15 05:46 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-10 03:30 . 2008-12-15 05:46 -------- d-----w- c:\program files\AVG
2010-02-10 03:24 . 2006-02-07 04:15 -------- d-----w- c:\program files\Yahoo!
2010-02-10 03:18 . 2007-12-24 07:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-10 03:18 . 2005-11-29 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-05 16:36 . 2005-11-29 09:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 11:18 . 2009-06-20 05:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 19:12 . 2009-10-03 04:46 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 02:11 . 2006-02-23 16:53 -------- d-----w- c:\program files\Watchtower
2009-12-31 16:50 . 2004-08-10 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 22:14 . 2005-11-29 09:18 -------- d-----w- c:\program files\Google
2009-12-23 21:29 . 2009-02-05 03:46 -------- d-----w- c:\program files\The Scruffs
2009-12-21 19:14 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 12:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-10 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-11 02:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-10 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-11 02:00 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2004-08-10 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2004-08-11 02:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2004-08-11 02:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2004-08-10 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-10 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2006-04-02 20:24 . 2006-04-02 20:24 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21608B66-026F-4DCB-9244-0DACA328DCED}]
2009-11-12 03:10 274944 ----a-w- c:\program files\PlaySushi\PSText.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-05-17 430080]
"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2009-04-17 197856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-29 180269]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-02 98304]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-31 1095256]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-13 113664]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-29 36903]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-2-3 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-10 03:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-21 00:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
2007-12-05 23:51 1885464 ----a-w- c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/14/2008 9:46 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/14/2008 9:46 PM 360584]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/4/2009 7:53 AM 317440]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/9/2010 7:30 PM 285392]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [4/17/2009 9:51 AM 25824]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 5:12 PM 102400]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/30/2009 2:14 PM 135664]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 5:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 15:12]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 22:14]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 22:14]

2010-02-20 c:\windows\Tasks\User_Feed_Synchronization-{BD8BAB6A-FC49-419E-B72F-DA9E9E4B80A0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\PlaySushi\PSText.dll
LSP: c:\windows\system32\VetRedir.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 15:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1444)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1664)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(3572)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\arservice.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\windows\ARPWRMSG.EXE
c:\program files\DISC\DiscStreamHub.exe
c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe
c:\windows\ALCXMNTR.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
.
**************************************************************************
.
Completion time: 2010-02-20 15:55:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-20 23:54
ComboFix2.txt 2010-02-20 02:29

Pre-Run: 68,866,072,576 bytes free
Post-Run: 68,929,753,088 bytes free

- - End Of File - - FF44E19A6756A50F0F9D1E4AFC02DF19


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:36 AM

Posted 20 February 2010 - 07:30 PM

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c notepad C:\windows\system32\drivers\etc\hosts

A text file opens. Please post its content to your reply.

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:36 AM

Posted 20 February 2010 - 08:07 PM

Please disregard previous post.
  1. I see PlaySushi is installed on your computer. This is known to be bundled with adware/spyware and is regarded as malware.
    Read more here.

    Please go to Aadd/remove programs and uninstall: PlaySushi

  2. Open notepad and copy/paste the text in the code box below into it:

    CODE
    Folder::
    c:\program files\PlaySushi
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21608B66-026F-4DCB-9244-0DACA328DCED}]
    DDS::
    mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com


    Save this as CFScript.txt





    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

  3. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt






#10 bhhmlh

bhhmlh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 20 February 2010 - 10:06 PM

ComboFix 10-02-20.03 - Compaq_Administrator 02/20/2010 18:28:31.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1388 [GMT -8:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
AV: Anti-Virus - Verizon Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Administrator\Local Settings\temp\IadHide5.dll
c:\program files\PlaySushi
c:\program files\PlaySushi\icon.ico
c:\program files\PlaySushi\PSText.dll
c:\program files\PlaySushi\psuninst.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-10 13:48 . 2010-02-10 13:48 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2010-02-10 13:47 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 13:47 . 2010-02-10 13:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-10 13:47 . 2010-02-10 13:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 13:47 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 04:26 . 2010-02-10 04:26 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Threat Expert
2010-02-10 03:31 . 2010-02-10 03:34 -------- d-----w- C:\$AVG
2010-02-10 03:30 . 2010-02-10 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-05 16:12 . 2010-02-05 16:34 19521 ----a-w- c:\windows\hpqins13.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 02:20 . 2008-01-08 19:26 -------- d-----w- c:\program files\Uniblue
2010-02-21 01:06 . 2007-11-09 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-20 15:44 . 2005-11-29 08:37 -------- d-----w- c:\program files\Java
2010-02-20 02:11 . 2006-10-14 21:21 -------- d-----w- c:\program files\Viewpoint
2010-02-20 00:57 . 2006-10-14 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-16 02:39 . 2007-05-13 04:24 57 ---h--w- c:\windows\popcreg.dat
2010-02-16 02:39 . 2007-05-13 04:24 124 ----a-w- c:\windows\popcinfot.dat
2010-02-16 02:39 . 2007-05-13 04:28 61 ----a-w- c:\windows\popcinfo.dat
2010-02-10 15:21 . 2007-06-17 15:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-10 13:48 . 2010-02-10 13:48 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-10 03:30 . 2008-12-15 05:46 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-10 03:30 . 2008-12-15 05:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-10 03:30 . 2008-12-15 05:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-10 03:30 . 2008-12-15 05:46 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-10 03:30 . 2010-02-10 15:16 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-10 03:30 . 2010-02-10 15:16 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-10 03:30 . 2008-12-15 05:46 -------- d-----w- c:\program files\AVG
2010-02-10 03:24 . 2006-02-07 04:15 -------- d-----w- c:\program files\Yahoo!
2010-02-10 03:18 . 2007-12-24 07:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-10 03:18 . 2005-11-29 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-05 16:36 . 2005-11-29 09:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 11:18 . 2009-06-20 05:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 19:12 . 2009-10-03 04:46 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 02:11 . 2006-02-23 16:53 -------- d-----w- c:\program files\Watchtower
2009-12-31 16:50 . 2004-08-10 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 22:14 . 2005-11-29 09:18 -------- d-----w- c:\program files\Google
2009-12-23 21:29 . 2009-02-05 03:46 -------- d-----w- c:\program files\The Scruffs
2009-12-21 19:14 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 12:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-10 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-11 02:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-10 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-11 02:00 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2004-08-10 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2004-08-11 02:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2004-08-11 02:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2004-08-10 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-10 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2006-04-02 20:24 . 2006-04-02 20:24 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-05-17 430080]
"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2009-04-17 197856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-29 180269]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-27 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-02 98304]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-31 1095256]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-21 213936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-13 113664]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-29 36903]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-2-3 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-10 03:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-21 00:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/14/2008 9:46 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/14/2008 9:46 PM 360584]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/4/2009 7:53 AM 317440]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/9/2010 7:30 PM 285392]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [4/17/2009 9:51 AM 25824]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 5:12 PM 102400]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/30/2009 2:14 PM 135664]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 5:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 15:12]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 22:14]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 22:14]

2010-02-20 c:\windows\Tasks\User_Feed_Synchronization-{BD8BAB6A-FC49-419E-B72F-DA9E9E4B80A0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
LSP: c:\windows\system32\VetRedir.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 18:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1392)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1612)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\WININET.dll
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\arservice.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\windows\ARPWRMSG.EXE
c:\program files\DISC\DiscStreamHub.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\ALCXMNTR.EXE
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
.
**************************************************************************
.
Completion time: 2010-02-20 18:54:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 02:54
ComboFix2.txt 2010-02-20 23:55
ComboFix3.txt 2010-02-20 02:29

Pre-Run: 68,941,148,160 bytes free
Post-Run: 68,901,191,680 bytes free

- - End Of File - - BA1DF347C9E74149B35CD6AF93C67892

Attached Files

  • Attached File  DDS2.txt   17.51KB   1 downloads


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:36 AM

Posted 21 February 2010 - 07:52 AM

One of the the entries we just removed is put back again. I can't say if it is Verizon doing this. Lets try it once more.
  1. Open a notepad (Start > Run and type in Notepad ).
    Copy and paste the text in code box into it.

    CODE
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
    @="Microsoft Url Search Hook"

    [HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
    @="C:\\WINDOWS\\system32\\ieframe.dll"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6"=-

    [-HKEY_CLASSES_ROOT\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22"=-

    [-HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "472734EA-242A-422B-ADF8-83D1E48CC825"=-

    [-HKEY_CLASSES_ROOT\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}]

    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm. It should look like
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.

    Note: You have to turn off any registry protector software you have in order the changes to be taken place.

  2. Please run DDS and post a fresh DDS.txt to your reply (no need for the Attach.txt).







#12 bhhmlh

bhhmlh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 21 February 2010 - 10:36 AM

Here is the DDS log. Sorry, I should have told you that I deleted the regestry software/cleaner that I had back when you had me delete some of the other programs.

Attached Files

  • Attached File  DDS.txt   17.37KB   4 downloads


#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:36 AM

Posted 21 February 2010 - 01:45 PM

No worries. You have done well.

The entry is put back by Verizon Yahoo. You have too many browsers Add-ons. But we will come to that later on.

Open a notepad (go to Start > Run and type in Notepad and click OK).
Copy/paste the following text inside the code box into a new notepad document.

CODE
@ECHO OFF
regedit /e look1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
regedit /e look2.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"
Type look*.txt >log.txt
start log.txt
del look1.txt look2.txt
del %0

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save
  • Close the Notepad.
  • Locate and double-click look.bat on the desktop. It should look like this:
  • Notepad will open with some txt in it. Copy and paste the contents in your next reply.




#14 bhhmlh

bhhmlh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:36 PM

Posted 24 February 2010 - 11:19 AM

Thank you. I have tried to get rid of those ad ons but they don't always go away. They leave files behind. Anyway here is the latest log.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@="Live Search"
"DisplayName"="@ieframe.dll,-12512"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"
"FaviconURL"="http://www.google.com/favicon.ico"
"SuggestionsURL"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"ShowSearchSuggestions"=dword:00000001
"SortIndex"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
"Version"=dword:00000002
"DownloadRetries"=dword:00000000
"DownloadUpdates"=dword:00000001
"UpgradeTime"=hex:9a,7b,8d,5c,8b,f9,c9,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"SuggestionsURLFallback"="http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"
"FaviconURLFallback"="http://www.bing.com/favicon.ico"
"FaviconPath"="C:\\Documents and Settings\\Compaq_Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"URL"="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
"DisplayName"="Bing"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3504831E-7375-4473-A8A6-45723E42150A}]
"DisplayName"="Yahoo! Search"
"URL"="http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7"
"SuggestionsURLFallback"="http://ie.search.yahoo.com/os?appid=ie8&command={SearchTerms}"
"FaviconURLFallback"="http://search.yahoo.com/favicon.ico"
"FaviconPath"="C:\\Documents and Settings\\Compaq_Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{3504831E-7375-4473-A8A6-45723E42150A}.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://findgala.com/?uid=241&q={searchTerms}&rlz=1I7GGIE_en"
"FaviconURL"="http://www.google.com/favicon.ico"
"SuggestionsURL"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"ShowSearchSuggestions"=dword:00000001
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconURLFallback"="http://www.google.com/favicon.ico"
"FaviconPath"="C:\\Documents and Settings\\Compaq_Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{6A1806CD-94D4-4689-BA73-E35EA1EA9990}.ico"



#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:36 AM

Posted 24 February 2010 - 02:07 PM

This should take care of Gala search.

Open a notepad (Start > Run and type in Notepad )

Copy and paste the text in code box into it.

CODE
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"

  • Save the file to the desktop as regfix.reg
  • Make sure the Save as type field says All files.
  • Close Internet Explorer.
  • Locate regfix.reg on the desktop and double-click on it and confirm. It should look like
  • A window pops up asking if you are sure to add the file to the registry. Click Yes.
  • You get another window popup saying that regfix.reg successfully added to the registry.
  • Open Internet Explorer and tell me if the issue is resolved.

Note: You have to turn off any registry protector software you have in order the changes to be taken place.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users