The Google Redirect problem


  • This topic is locked
18 replies to this topic

#1 BearMistress

BearMistress

  • Members
  • 11 posts
  • Location:Florida USA

Posted 01 April 2010 - 12:06 AM

In hindsight, this may have been going on for several weeks now. I've noticed my RAM being eaten alive and was kind of settling on Firefox being the culprit when Google started randomly sending me to sites having nothing to do with the search results. I blamed it on Google but I guess it's that grey box sitting over there. Someone suggested it might be that my browser had been hijacked and asked if my homepage had been changed; no, but I use a blank page as a homepage so it may be a moot point.

My DDS file is pasted below. No troubles there. I ran GMER and as I've read has happened to others, the computer crashed twice while trying to get the results, which I believe I have. The first, I wasn't here and came back to the dialog box saying my machine had recovered from a serious error. I have the MS page from that copied if it would be of assistance. The second time everything froze and I cut the power and left for a while.

Thank you so much for your help. You will let me know what else I can tell you, or if that GMER report is incomplete or just wrong...
Virginia
*******

DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 20:31:04.07 on Wed 03/31/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.963 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100331-2] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\ARPWRMSG.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
uURLSearchHooks: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMus.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMus.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
TB: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMus.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli vpranpap.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\qmjko694.default\
FF - prefs.js: browser.startup.homepage - hxxp://bearmistress.com/home.html
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\qmjko694.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\qmjko694.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\qmjko694.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {BD8AFAEA-19A2-4F6A-A8A6-6D3D88F7C595} - c:\documents and settings\hp_administrator\local settings\application data\{BD8AFAEA-19A2-4F6A-A8A6-6D3D88F7C595}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-18 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-8 114768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-29 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-8 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-8 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-8 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-8 352920]

=============== Created Last 30 ================

2010-04-01 00:29:44 0 ----a-w- c:\documents and settings\hp_administrator\defogger_reenable
2010-03-26 04:36:12 5622 ----a-w- c:\documents and settings\hp_administrator\.recently-used.xbel
2010-03-24 04:27:52 0 d-----w- c:\program files\eMusic
2010-03-20 02:27:29 0 d-----w- c:\program files\iPod
2010-03-20 02:27:13 0 d-----w- c:\program files\iTunes
2010-03-18 03:51:56 230808 ----a-r- c:\windows\system32\cpnprt2.cid
2010-03-18 03:51:51 0 d-----w- c:\windows\Cache
2010-03-18 03:51:50 0 d-----w- c:\program files\Coupons
2010-03-10 04:33:38 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
2010-03-03 02:56:54 0 d-----w- c:\documents and settings\hp_administrator\.thumbnails

==================== Find3M ====================

2010-03-10 04:33:41 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2010-02-27 03:07:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:57 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2010-02-26 05:43:57 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-02-26 05:43:55 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-02-26 05:43:54 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-26 05:43:54 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-02-18 15:52:30 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-18 15:52:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-04 15:53:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-27 22:19:02 23113 ----a-w- c:\windows\hpqins15.dat
2009-06-17 04:56:26 22 -csha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 20:31:19.90 ===============
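The DDS output above is what the helpers read by hand. As an added example (not part of the original thread and not code from the DDS tool), the following Python filter walks the "Pseudo HJT Report" and Firefox sections of a DDS log and surfaces the entries a helper tends to look at first. The heuristics are assumptions labelled in the comments (the XP default for LSA Notification Packages is `scecli`; an entry that is flagged is a triage lead, not a verdict), and the sample lines are copied from the log posted above.

```python
"""Triage filter for the 'Pseudo HJT Report' / Firefox sections of a DDS log.

Added example, independent of DDS itself. Three heuristics (all assumptions):
  * BHO / TB / EB / URLSearchHook registrations whose file is missing
    ("No File" or an empty path): orphaned leftovers worth cleaning up.
  * LSA Notification Packages beyond the Windows XP default 'scecli':
    an extra DLL loaded by LSASS deserves a second look.
  * Firefox HiddenExtension entries living under a bare GUID folder in the
    user's Local Settings\\Application Data, a location legitimate
    extensions rarely use.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the DDS log in this thread.
SAMPLE_LOG = r"""
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
LSA: Notification Packages = scecli vpranpap.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {BD8AFAEA-19A2-4F6A-A8A6-6D3D88F7C595} - c:\documents and settings\hp_administrator\local settings\application data\{BD8AFAEA-19A2-4F6A-A8A6-6D3D88F7C595}
"""

# Assumption: a stock Windows XP install registers only 'scecli' here.
DEFAULT_LSA_PACKAGES = {"scecli"}

# "<kind>: [<name>: ]{GUID} - <path | 'No File' | nothing>"
_REG_ENTRY = re.compile(
    r"^(?P<kind>uURLSearchHooks|BHO|TB|EB):\s*(?:(?P<name>.*?):\s*)?"
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.*)$"
)
_LSA = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(?P<pkgs>.*)$")
# "FF - HiddenExtension: <name>: <registry ref> - <path>"; the separator must
# be a spaced dash so the hyphens inside the GUID are not taken for it.
_FF_HIDDEN = re.compile(
    r"^FF - HiddenExtension:\s*(?P<name>.*?):\s*(?P<ref>.*?)\s+-\s+(?P<path>.*)$"
)
_LOCAL_APPDATA_GUID = re.compile(
    r"\\local settings\\application data\\\{[0-9a-f-]{36}\}\\?$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the log lines worth a second look, each with the heuristic that fired."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _REG_ENTRY.match(line)
        if m:
            path = m.group("path").strip()
            if path == "" or path.lower() == "no file":
                findings.append(Finding("orphaned registration (no backing file)", line))
            continue
        m = _LSA.match(line)
        if m:
            extra = sorted(set(m.group("pkgs").split()) - DEFAULT_LSA_PACKAGES)
            if extra:
                findings.append(Finding(
                    f"non-default LSA notification package(s): {' '.join(extra)}", line))
            continue
        m = _FF_HIDDEN.match(line)
        if m and _LOCAL_APPDATA_GUID.search(m.group("path").strip()):
            findings.append(Finding(
                "hidden Firefox extension under a GUID folder in Local Settings", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.line}")
```

Run against the sample it reports the two "No File" entries, the Yahoo! hook with no path, the extra LSA package and the XULRunner extension under Local Settings, which is the same set ComboFix later removed or that the helper would ask about; everything else passes through silently.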




#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 04 April 2010 - 08:00 PM


Hello BearMistress. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.







Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 BearMistress

BearMistress
  • Topic Starter

  • Members
  • 11 posts
  • Location:Florida USA

Posted 04 April 2010 - 10:41 PM

Thank you for checking on my problem! Here are the contents of the file:

ComboFix 10-04-03.02 - HP_Administrator 04/04/2010 23:16:17.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1184 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100404-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{BD8AFAEA-19A2-4F6A-A8A6-6D3D88F7C595}
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{BD8AFAEA-19A2-4F6A-A8A6-6D3D88F7C595}\chrome.manifest
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{BD8AFAEA-19A2-4F6A-A8A6-6D3D88F7C595}\chrome\content\_cfg.js
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{BD8AFAEA-19A2-4F6A-A8A6-6D3D88F7C595}\chrome\content\overlay.xul
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{BD8AFAEA-19A2-4F6A-A8A6-6D3D88F7C595}\install.rdf
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\My Documents\VAA - Admin\feedback\wwuf\bear.eml
c:\windows\AppPatch\AcAdProc.dll
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-03-24 04:27 . 2010-03-24 04:27 -------- d-----w- c:\program files\eMusic
2010-03-20 02:27 . 2010-03-20 02:27 -------- d-----w- c:\program files\iPod
2010-03-20 02:27 . 2010-03-20 02:28 -------- d-----w- c:\program files\iTunes
2010-03-18 03:51 . 2010-03-18 03:51 -------- d-----w- c:\windows\Cache
2010-03-18 03:51 . 2010-03-18 03:51 -------- d-----w- c:\program files\Coupons
2010-03-10 04:33 . 2010-03-10 04:33 1025024 ------w- c:\windows\system32\dllcache\browseui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 03:13 . 2009-04-09 16:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\stickies
2010-04-05 00:51 . 2009-04-15 01:58 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FileZilla
2010-04-04 13:50 . 2009-07-14 18:36 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-01 01:10 . 2010-04-01 01:11 1960960 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-03-31 17:04 . 2009-07-31 12:18 29034612 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-30 22:27 . 2009-04-14 00:28 1 ----a-w- c:\documents and settings\HP_Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-29 18:35 . 2009-04-15 01:57 -------- d-----w- c:\program files\FileZilla FTP Client
2010-03-27 04:52 . 2010-02-18 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-27 04:50 . 2009-04-11 12:48 -------- d-----w- c:\program files\Trillian
2010-03-26 04:36 . 2010-03-03 02:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\gtk-2.0
2010-03-23 20:03 . 2010-03-23 21:26 1928704 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-03-20 02:27 . 2009-04-21 22:52 -------- d-----w- c:\program files\Common Files\Apple
2010-03-20 02:15 . 2010-03-20 02:15 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-17 11:38 . 2010-03-17 13:23 1913856 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.whisperingpines-epha.com
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.visual-arts-academy.com
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.visual-arts-academy-3.com
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.visual-arts-academy-2.com
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.visual-arts-academy-1.com
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.vaa-sites.com
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.vaa-sites-1.com
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.pirc-bw.com
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.photoimpact-international.com
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.original-artwork-prints.com
2010-03-14 16:07 . 2010-03-14 16:07 0 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird\Profiles\06cr57aa.default\Mail.sbd\mail.bearmistress.com
2010-03-14 16:05 . 2009-04-09 17:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Thunderbird
2010-03-04 06:40 . 2010-03-04 13:25 1902592 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-02-28 16:24 . 2010-01-25 19:33 -------- d-----w- c:\program files\Freecorder
2010-02-28 16:23 . 2009-04-16 15:46 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPAppData
2010-02-28 16:22 . 2010-02-28 16:22 -------- d-----w- c:\program files\Gimp-2.0
2010-02-27 14:00 . 2010-02-27 14:00 503808 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-30f2873e-n\msvcp71.dll
2010-02-27 14:00 . 2010-02-27 14:00 499712 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-30f2873e-n\jmc.dll
2010-02-27 14:00 . 2010-02-27 14:00 348160 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-30f2873e-n\msvcr71.dll
2010-02-27 14:00 . 2010-02-27 14:00 61440 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6708b7db-n\decora-sse.dll
2010-02-27 14:00 . 2010-02-27 14:00 12800 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6708b7db-n\decora-d3d.dll
2010-02-27 04:13 . 2006-09-22 18:30 68840 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-27 03:17 . 2010-02-27 03:17 -------- d-----w- c:\program files\JRE
2010-02-27 03:17 . 2009-04-08 18:53 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-27 03:08 . 2006-09-22 17:57 -------- d-----w- c:\program files\Common Files\Java
2010-02-27 03:07 . 2009-04-11 22:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-26 05:43 . 2004-08-10 04:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-22 15:30 . 2009-04-08 16:37 -------- d-----w- c:\program files\TreePadLite
2010-02-18 18:23 . 2010-01-25 12:30 120 ----a-w- c:\windows\Oteruma.dat
2010-02-18 16:47 . 2010-02-18 16:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-02-18 16:47 . 2010-02-18 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-18 15:52 . 2010-02-18 15:52 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-18 15:52 . 2010-02-18 15:52 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-02-18 15:52 . 2010-02-18 15:52 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-02-18 15:52 . 2010-02-18 15:52 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-02-18 15:52 . 2009-06-18 15:20 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-18 15:52 . 2009-06-18 14:02 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-18 15:52 . 2010-02-18 15:52 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-02-18 15:52 . 2010-02-18 15:52 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-02-18 15:52 . 2009-06-18 14:02 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-18 15:51 . 2010-02-18 15:51 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-02-18 15:48 . 2009-06-18 13:54 -------- d-----w- c:\program files\Lavasoft
2010-02-18 15:48 . 2010-02-18 15:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-18 07:08 . 2010-01-25 12:30 0 ----a-w- c:\windows\Aheweyeguwivi.bin
2010-02-12 20:10 . 2010-02-12 21:34 1832960 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-02-05 06:47 . 2010-02-05 06:47 592 ----a-w- c:\windows\uninstallstickies.bat
2010-02-05 06:47 . 2009-04-11 12:58 -------- d-----w- c:\program files\Stickies
2010-02-04 15:53 . 2010-02-18 15:48 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2009-06-18 14:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-04 01:25 . 2010-02-04 01:25 3774 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{DD6FA976-3F0A-4C6C-A30F-6E75DFC39DE9}\_294823.exe
2010-02-04 01:25 . 2010-02-04 01:25 3774 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{DD6FA976-3F0A-4C6C-A30F-6E75DFC39DE9}\_18be6784.exe
2010-01-29 02:14 . 2009-08-28 20:58 2356 -c--a-w- c:\documents and settings\HP_Administrator\nsmail.tmp
2010-01-27 22:19 . 2010-01-27 22:16 23113 ----a-w- c:\windows\hpqins15.dat
2010-01-21 22:10 . 2010-01-30 22:16 52224 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qmjko694.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
2010-01-21 22:10 . 2010-01-30 22:16 101376 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qmjko694.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
2010-01-07 20:07 . 2010-02-18 16:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 20:07 . 2010-02-18 16:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 04:56 . 2009-06-17 04:56 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2010-02-28 2349080]
"{9ee802e8-c931-47ab-b570-aa8f791598ca}"= "c:\program files\eMusic\tbeMus.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{9ee802e8-c931-47ab-b570-aa8f791598ca}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2010-02-28 16:24 2349080 ----a-w- c:\program files\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ee802e8-c931-47ab-b570-aa8f791598ca}]
2009-12-31 15:53 2349080 ----a-w- c:\program files\eMusic\tbeMus.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2010-02-28 2349080]
"{9ee802e8-c931-47ab-b570-aa8f791598ca}"= "c:\program files\eMusic\tbeMus.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{9ee802e8-c931-47ab-b570-aa8f791598ca}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2010-02-28 2349080]
"{9EE802E8-C931-47AB-B570-AA8F791598CA}"= "c:\program files\eMusic\tbeMus.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{9ee802e8-c931-47ab-b570-aa8f791598ca}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 20:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2009-04-08 1591808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\Stickies\stickies.exe [2008-8-28 1101824]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-22 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Stickies.lnk]
backup=c:\windows\pss\Stickies.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-04-01 14:52 818256 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 12:20 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ask and Record FLV Service]
2009-03-10 01:29 156672 -c--a-w- c:\program files\Ask & Record Toolbar\FLVSrvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 16:05 90112 -c--a-w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-30 04:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2009-11-15 20:59 158752 ----a-w- c:\program files\Freecorder\FLVSrvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 22:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2009-03-10 20:07 323216 ----a-w- c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-21 15:34 148888 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
2007-08-03 01:08 95504 -c--a-w- c:\program files\Common Files\Ulead Systems\AutoDetector\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/18/2009 10:02 AM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/8/2009 11:53 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/8/2009 11:53 AM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 14:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qmjko694.default\
FF - prefs.js: browser.startup.homepage - hxxp://bearmistress.com/home.html
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qmjko694.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qmjko694.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\qmjko694.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Opera\program\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Opera\program\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 23:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(824)
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\ARPWRMSG.EXE
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
c:\hp\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
c:\program files\DISC\DISCover.exe
c:\program files\DISC\DiscUpdMgr.exe
c:\program files\DISC\DiscStreamHub.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-04 23:36:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-05 03:36

Pre-Run: 115,520,884,736 bytes free
Post-Run: 116,342,231,040 bytes free

- - End Of File - - A5332554712D21561501D3F3D409C126


#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 04 April 2010 - 11:28 PM

You're welcome, Virginia.

Are you still experiencing the redirection issue after we ran ComboFix?

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#5 BearMistress

  • Topic Starter
  • Members
  • 11 posts
  • Location:Florida USA

Posted 05 April 2010 - 03:12 AM

You know, I think it's fixed! I've been trying it out every which way and so far, no redirects plus FF is not using up gobs of RAM.

I see ComboFix left a shortcut to IE on my desktop and messed with Firefox enough that it doesn't know it used to be the default browser. I'm not going to use IE but do you think it's okay to continue with FF or would it be prudent to go with Opera as default? Since I don't know what caused this I don't know how to avoid it in the future.

Thanks

#6 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 05 April 2010 - 08:55 AM

You should be able to set FF back to your default. I use it and overall have been pleased with the way it performs.

We still need to do a little more before we finish, and at the end we will remove ComboFix, but don't just delete it. We have an uninstall command which does other things as well as remove it from the desktop.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.



#7 BearMistress

  • Topic Starter
  • Members
  • 11 posts
  • Location:Florida USA

Posted 05 April 2010 - 10:02 AM

Help. The "Viruses, worms, Trojans, rootkits" checkbox is greyed out. The others are all available. This is after the downloading has (apparently) stopped.

Edit: just for fun I opened IE and tried it there; it found 497Kb more to download but still the box is greyed out.

Virginia

Edited by BearMistress, 05 April 2010 - 10:08 AM.


#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 05 April 2010 - 10:10 AM

OK, try this one instead:


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


#9 BearMistress

  • Topic Starter
  • Members
  • 11 posts
  • Location:Florida USA

Posted 05 April 2010 - 03:15 PM

Wow, it took over 4 hours... and here's what it says:

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\48\26e14b0-622ca9d3 multiple threats deleted - quarantined
C:\Documents and Settings\HP_Administrator\My Documents\Website - VAA itself\forums\backup\themes\shades\a.php probably a variant of PHP/Rst.R trojan cleaned by deleting - quarantined
D:\I386\APPS\APP00835\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined
D:\I386\APPS\APP00835\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP327\A0077255.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP327\A0077256.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined


#10 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 05 April 2010 - 05:03 PM

Kaspersky can take even longer at times. They scan so many things that it's time consuming.


Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

You have some leftover versions of Java showing up in your Add/Remove programs section. You should go there and remove the following from your machine. These can be areas of exploitation by Malware.

J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 13
Java™ 6 Update 7

When you have completed this let me know how the computer is running.
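The cleanup thewall asks for above (remove every Java runtime except the current one) can be checked from the same Add/Remove Programs data. This is an added example, not code from the thread or from any tool named in it: the function names are my own, it reads the standard Uninstall registry keys, and the sample list is constructed from the versions named in the post.

```powershell
# Added example (not from the thread or any tool it names): list the Java runtimes
# registered in Add/Remove Programs and flag every one older than the newest.
# Function names are my own; the sample list is constructed from the post above.

function Get-JavaRuntimeEntry {
    # Parse legacy Sun/Oracle display names such as "Java(TM) 6 Update 18",
    # "Java(TM) 6 Update 7" or "J2SE Runtime Environment 5.0 Update 6" into
    # comparable [version] values (1.6.0.18, 1.6.0.7, 1.5.0.6). Entries that do
    # not look like a JRE are ignored. The trademark sign is matched as \u2122.
    param([string[]]$DisplayNames = @())

    $pattern = '^(?:Java(?:\(TM\)|\u2122)?|J2SE Runtime Environment)\s+(\d+)(?:\.\d+)?\s+Update\s+(\d+)\b'
    foreach ($name in $DisplayNames) {
        if ($name -match $pattern) {
            New-Object PSObject -Property @{
                DisplayName = $name
                Version     = [version]('1.{0}.0.{1}' -f $Matches[1], $Matches[2])
            }
        }
    }
}

function Get-InstalledDisplayNames {
    # DisplayName values from the Uninstall keys, which is what Add/Remove Programs shows.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { $_.DisplayName }
}

function Find-StaleJavaRuntime {
    # Keep the highest version found, mark everything else as superseded.
    param([string[]]$DisplayNames = (Get-InstalledDisplayNames))

    $entries = @(Get-JavaRuntimeEntry -DisplayNames $DisplayNames | Sort-Object Version -Descending)
    if ($entries.Count -eq 0) { return }
    $newest = $entries[0].Version
    foreach ($e in $entries) {
        $action = if ($e.Version -eq $newest) { 'keep (newest)' } else { 'remove (superseded)' }
        New-Object PSObject -Property @{
            DisplayName = $e.DisplayName
            Version     = $e.Version
            Action      = $action
        }
    }
}

# Constructed sample mirroring the Add/Remove Programs entries named in the post.
$SampleDisplayNames = @(
    'J2SE Runtime Environment 5.0 Update 6',
    'Java(TM) 6 Update 13',
    'Java(TM) 6 Update 7',
    'Java(TM) 6 Update 18',
    'Mozilla Firefox (3.6)'
)
Find-StaleJavaRuntime -DisplayNames $SampleDisplayNames |
    Format-Table DisplayName, Version, Action -AutoSize

# Live check against this machine instead:
# Find-StaleJavaRuntime | Format-Table DisplayName, Version, Action -AutoSize
```

On the sample list only Java(TM) 6 Update 18 is marked keep; the three older entries are marked for removal, matching the list in the post.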

#11 BearMistress

  • Topic Starter
  • Members
  • 11 posts
  • Location:Florida USA

Posted 06 April 2010 - 12:04 AM

No Google redirects in Firefox and I've tried over and over and what a relief! FF doesn't seem to be using as much RAM as it was.

I removed those Javas and left the one (Java 6 update 18). Now I can't access Wait Wait Don't Tell Me online:
http://www.npr.org/templates/story/story.p...oryId=125526297
It does work in Opera and IE.

And, I'm writing this in IE as the page won't load correctly in FF. It looks like the CSS isn't loading. It is fine in Opera, too.

Thanks....



#12 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 April 2010 - 10:56 AM

I don't know why FF would be affected by what we did but it might be it was corrupted somehow and you will need to reinstall it again. You might want to try that before we finish. I would reboot the computer first just to see if that will make a difference. Sometimes a reboot is all it takes.

#13 BearMistress

BearMistress
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Location:Florida USA
  • Local time:05:45 PM

Posted 06 April 2010 - 01:55 PM

It works! Here's what happened:

I rebooted, no change. I noticed when going from page to page in this forum that while the page was loading, on the status bar "waiting for www.google-analytics.com" would show up sometime during the loading. I'm sorry that I didn't watch at other websites (that's poor research).

I completely uninstalled FF (passwords, history and all but I have bookmarks waiting to be reloaded). I rebooted and then downloaded and reinstalled FF. This forum's pages are now working, I can get to the fun stuff at NPR, and no "google-analytics" is flashing by on the status bar.

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:45 PM

Posted 06 April 2010 - 02:16 PM

No problem, the biggest thing is to get it resolved. Is everything OK now that you are aware of?

#15 BearMistress

BearMistress
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Location:Florida USA
  • Local time:05:45 PM

Posted 06 April 2010 - 02:47 PM

I think it's all good! You have been so helpful and patient and I do appreciate it. I was at my wit's end.

Should I keep any of the above programs to run now & then or are they mostly for emergency situations?

I can't thank you enough. I'll be visiting your paypal link.
