[Solved] Another Google redirect

dearpheona · May 20, 2010

Since yesterday this has been happening. When I do a search and click on links, half the time I will get redirected to different junk sites.

Tried running Hitman and it found "partmgr.sys" but wasn't able to delete/fix it.

I've followed the steps posted and attached the logs from the programs.

Thanks in advance for any advice or help.

Bobbye · May 20, 2010

Welcome to TechSpot, dearpheona. I will help with the malware.

While I finish checking your logs, please do the following:
First, uninstall Hitman. This is nothing but a bundle of programs that are free on the internet. Most are being used without the permission of their authors. This program can cause a problem with the scans.
=========================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
:filefind
 iastor.*
[/code]
Click the Look button to start the scan.

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===================================
Please download ComboFix from Here and save to your Desktop.

[1]. Do NOT rename Combofix unless instructed.
[2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3].Close any open browsers.
[4]. Double click combofix.exe & follow the prompts to run.

NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
[5]. If Combofix asks you to install Recovery Console, please allow it.
[6]. If Combofix asks you to update the program, always allow.

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
==========================================
Run Eset NOD32 Online AntiVirus Scanner HERE

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the Active X control to install

Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.

Click Start

Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

Click Scan

Wait for the scan to finish

Re-enable your Antivirus software.

A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I will be setting up some script for you to run based on the logs you left here. Please include the SystemLook log, the Combofix report and Eset scan logs in your next report.

Please do not use any other cleaning program or run scans while I am helping you, unless I instruct you to. do not use a Registry cleaner or make any changes in the Registry.

I notice you are using both LimeWire and Vuze. These are both file sharing programs and I recommend that you uninstall both. If you choose not to uninstall them, please do not use either while I am helping clean your system.

dearpheona · May 20, 2010

Thanks Bobbye! Still running the scans. I'll paste them in a reply once they're finished up.

I also noticed this morning that whatever it is that's in my system has decided to kill my ability to install Microsoft updates.

Again, thanks so much for help with this.

dearpheona · May 20, 2010

I uninstalled Hitman and the scans have finished. Here are the logs:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:23 on 20/05/2010 by Mae (Administrator - Elevation successful)

========== filefind ==========

Searching for " iastor.*"
No files found.

-=End Of File=-

ComboFix 10-05-20.02 - Mae 05/20/2010 12:38:27.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1713 [GMT -7:00]
Running from: c:\users\Mae\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%

Infected copy of c:\windows\system32\drivers\partmgr.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
.

2010-05-20 19:52 . 2010-05-20 19:56 -------- d-----w- c:\users\Mae\AppData\Local\temp
2010-05-20 19:52 . 2010-05-20 19:52 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-05-20 19:52 . 2010-05-20 19:52 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-20 03:44 . 2010-05-20 03:44 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-05-20 01:41 . 2010-05-20 04:25 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-20 01:40 . 2010-05-20 01:40 -------- d-----w- c:\programdata\Hitman Pro
2010-05-20 01:40 . 2010-05-20 01:40 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-15 02:52 . 2010-05-15 02:52 -------- d-----w- c:\users\Mae\AppData\Roaming\HPAppData
2010-05-15 02:37 . 2010-05-15 02:37 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-14 18:02 . 2010-05-14 18:07 23110 ----a-w- c:\windows\hpqins15.dat
2010-05-14 17:58 . 2010-05-14 18:13 -------- d-----w- c:\users\Mae\AppData\Roaming\HpUpdate
2010-05-14 17:58 . 2010-05-14 17:58 -------- d-----w- c:\windows\Hewlett-Packard
2010-05-11 23:07 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-07 17:24 . 2010-05-07 17:24 -------- d-----w- c:\programdata\WEBREG
2010-05-07 17:24 . 2010-05-07 17:24 -------- d-----w- c:\users\Mae\AppData\Roaming\HP
2010-05-07 17:24 . 2010-05-07 17:24 -------- d-----w- c:\users\Mae\AppData\Local\HP
2010-05-07 17:20 . 2009-06-09 08:43 316928 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp092.dll
2010-05-07 17:15 . 2010-05-07 17:15 -------- d-----w- c:\programdata\HP Product Assistant
2010-05-07 17:13 . 2010-05-07 17:13 -------- d-----w- c:\program files\Common Files\HP
2010-05-07 17:13 . 2010-05-07 17:13 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-05-07 17:12 . 2010-05-07 17:12 -------- d-----w- c:\windows\hpoj4500g510n-z
2010-05-07 17:11 . 2009-05-26 17:32 716288 ----a-w- c:\windows\system32\hpwwiax9.dll
2010-05-07 17:11 . 2009-05-26 17:32 593920 ----a-w- c:\windows\system32\hpwtscl5.dll
2010-05-07 17:11 . 2009-05-18 21:49 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2010-05-07 17:11 . 2009-05-26 17:32 315392 ----a-w- c:\windows\system32\hpwvst01.dll
2010-05-07 17:11 . 2009-05-21 13:14 452408 ----a-w- c:\windows\system32\hpzids01.dll
2010-05-07 17:11 . 2009-06-09 08:43 122880 ----a-w- c:\windows\system32\hpf3l092.dll
2010-05-07 17:10 . 2010-05-14 18:13 -------- d-----w- c:\program files\HP
2010-05-07 17:07 . 2010-05-07 17:24 207226 ----a-w- c:\windows\hpwins28.dat
2010-05-07 17:07 . 2010-05-07 17:24 -------- d-----w- c:\programdata\HP
2010-05-05 23:17 . 2010-05-05 23:17 -------- d-----w- c:\program files\Microsoft.NET
2010-05-05 23:15 . 2010-05-05 23:15 -------- d-----r- C:\MSOCache
2010-05-05 23:09 . 2010-05-05 23:09 -------- d-----w- c:\users\Mae\AppData\Local\Seven Zip
2010-05-05 22:32 . 2010-05-05 22:47 -------- d-----w- c:\users\Mae\AppData\Roaming\GetRightToGo
2010-04-29 20:04 . 2007-08-20 21:08 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-04-25 01:09 . 2010-04-25 13:23 -------- d-----w- C:\Temp
2010-04-25 00:55 . 2010-04-25 00:55 -------- d-----w- c:\programdata\NexonUS
2010-04-25 00:36 . 2010-05-20 19:56 -------- d-----w- c:\users\Mae\AppData\Local\PMB Files
2010-04-25 00:36 . 2010-04-25 00:36 -------- d-----w- c:\programdata\PMB Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-20 19:54 . 2009-07-13 19:19 -------- d-----w- c:\users\Mae\AppData\Roaming\WTablet
2010-05-20 19:52 . 2010-02-01 05:37 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-20 19:09 . 2008-09-17 02:30 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-05-20 04:10 . 2010-04-11 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 05:56 . 2008-09-18 05:31 -------- d-----w- c:\users\Mae\AppData\Roaming\LimeWire
2010-05-12 10:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 10:01 . 2008-09-16 23:38 -------- d-----w- c:\programdata\Microsoft Help
2010-05-08 04:01 . 2008-09-17 00:48 91592 ----a-w- c:\users\Mae\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-07 10:03 . 2008-09-16 23:39 -------- d-----w- c:\program files\Microsoft Works
2010-05-05 23:22 . 2008-09-29 01:30 592 ----a-w- c:\users\Mae\AppData\Roaming\wklnhst.dat
2010-05-04 15:35 . 2008-10-10 01:18 -------- d-----w- c:\users\Mae\AppData\Roaming\Azureus
2010-05-04 06:53 . 2008-09-17 01:22 -------- d-----w- c:\program files\Vuze
2010-05-04 06:43 . 2008-09-17 03:53 -------- d-----w- c:\program files\Semagic
2010-04-29 22:39 . 2010-04-11 17:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-04-11 17:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 19:23 . 2009-10-15 00:54 -------- d-----w- c:\program files\AIM
2010-04-15 04:45 . 2008-09-17 01:21 -------- d-----w- c:\program files\LimeWire
2010-04-15 01:50 . 2008-09-16 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-04-15 01:50 . 2008-09-16 23:40 -------- d-----w- c:\program files\Java
2010-04-15 01:33 . 2010-04-15 01:32 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-15 01:33 . 2009-06-05 01:23 -------- d-----w- c:\program files\iTunes
2010-04-15 01:32 . 2010-04-15 01:32 -------- d-----w- c:\program files\iPod
2010-04-15 01:32 . 2008-09-17 01:25 -------- d-----w- c:\program files\Common Files\Apple
2010-04-15 01:30 . 2010-04-15 01:29 -------- d-----w- c:\program files\QuickTime
2010-04-15 01:25 . 2008-09-17 03:35 -------- d-----w- c:\program files\Bonjour
2010-04-13 00:29 . 2010-04-15 01:50 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-11 17:52 . 2010-04-11 17:52 -------- d-----w- c:\users\Mae\AppData\Roaming\Malwarebytes
2010-04-11 17:51 . 2010-04-11 17:51 -------- d-----w- c:\programdata\Malwarebytes
2010-04-11 05:43 . 2008-09-16 23:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-05 14:01 . 2010-04-15 01:55 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 11:10 . 2010-04-15 01:55 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-15 01:55 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-15 01:55 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-03-30 23:22 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 23:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-03-30 23:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-03-30 23:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 11:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 11:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 11:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-25 2938552]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-06 65256]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"SigmatelSysTrayApp"="sttray.exe" [2007-07-27 405504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-04 40072]

c:\users\Mae\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-10-7 576000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ab,85,be,06,86,e0,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4229386456-4079888766-2179590344-1000]
"EnableNotificationsRef"=dword:00000004

R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-10-24 717296]
S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-06 26120]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-6822
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_US&Sys=PTB&M=P-6822
uInternet Settings,ProxyOverride = *.local
IE: Copy to Semagic - c:\program files\Semagic\copy.htm
IE: Semagic - c:\program files\Semagic\link.htm
Trusted Zone: adobe.com\get
FF - ProfilePath - c:\users\Mae\AppData\Roaming\Mozilla\Firefox\Profiles\ee5mtgr4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/shegotthatlala?ref=profile|http://twitter.com/|http://www.tumblr.com/dashboard
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\Mae\AppData\Roaming\Mozilla\Firefox\Profiles\ee5mtgr4.default\extensions\runtime@panda3d.org\platform\WINNT_x86-msvc\plugins\nppanda3d.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Final Fantasy VII - c:\program files\Final Fantasy VII\Uninst.isu
AddRemove-FINAL FANTASY VIII - c:\program files\Square Soft
AddRemove-_{0C180787-F8C8-42FD-A9D3-689BA44BEAAF} - c:\program files\Corel\Corel Painter Essentials 3\MSILauncher {0C180787-F8C8-42FD-A9D3-689BA44BEAAF}
AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\Mae\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 12:54
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\TMP000000076A3690E30234D143 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4229386456-4079888766-2179590344-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:64,c0,46,f4,0b,ab,8e,d9,ad,68,95,c9,a8,12,68,68,1b,e7,b1,ec,83,4b,01,
bd,bd,75,7d,9d,b5,72,e4,1e,8e,96,ae,ed,50,9f,e7,e3,9c,07,a1,b2,c3,9d,f6,3b,\
"??"=hex:07,de,44,c3,e1,a5,2d,8c,3a,c1,a5,01,82,31,bd,c1

[HKEY_USERS\S-1-5-21-4229386456-4079888766-2179590344-1000\Software\SecuROM\License information*]
"datasecu"=hex:bd,4c,ac,6f,58,f0,54,34,b6,1e,09,4a,f8,9c,99,6d,c4,96,7a,30,e8,
13,9b,74,cd,7d,a8,4e,50,b5,d4,09,96,4e,01,c5,44,8f,60,13,0c,07,01,ab,0c,db,\
"rkeysecu"=hex:d1,f8,32,63,63,17,94,47,de,74,4d,e3,ec,e5,72,50

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\windows\sttray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-20 13:10:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-20 20:09

Pre-Run: 15,862,607,872 bytes free
Post-Run: 15,800,729,600 bytes free

- - End Of File - - F788F31F2C3DADA7EBE2B53171FA3D4E

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=663be20fb3b29849b3f4d64b7f08523e
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-21 02:32:24
# local_time=2010-05-20 07:32:24 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 95 30681447 110994491 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=473573
# found=0
# cleaned=0
# scan_time=22180

Bobbye · May 21, 2010

P2P or 'file sharing Warning:
You have LimeWire, Azureus and Vuze on the system, all from 2008. Note: Even if you are using a "safe" P2P program, it is only the program that is safe. We recommend uninstalling P2P or file sharing programs for these reasons:

As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.

Malware writers use these program to include malicious content.

Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.

The 'sharing' also includes malware that the shared system has on it.

Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

I can include their removal in the script I'm writing for you if you'd like. If you do not want to uninstall the programs, please do not use them while I am helping clean the system.

Let me know.

dearpheona · May 21, 2010

I hate to say it but I would like to keep Limewire and Vuze,

Bobbye · May 21, 2010

Okay- but don't use now.

Custom CFScript

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\windows\system32\drivers\hitmanpro35.sys
c:\program files\Viewpoint\Common\ViewpointService.exe

Folder::
c:\programdata\Hitman Pro
c:\program files\Hitman Pro 3.5

Extra::
File::
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

Firefox::
Firefox-: Profile- c:\users\mae\appdata\roaming\mozilla\firefox\profiles\ee5mtgr4.default\

DDS:
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

RegNull::
[HKEY_USERS\S-1-5-21-4229386456-4079888766-2179590344-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-4229386456-4079888766-2179590344-1000\Software\SecuROM\License information*]

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Driver::
Viewpoint Manager Service
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================

dearpheona · May 21, 2010

Here is the log

Bobbye · May 22, 2010

I'd like you to run System Look again with slightly different file name:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
:filefind
 iastor.sys
[/code]
Click the Look button to start the scan.

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Let me have the log please.By the way, did you know that once you have this group work on your system, they install their calling call? Geek Squad 24 Hour Computer Support

How is the system running now?

dearpheona · May 22, 2010

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:25 on 22/05/2010 by Mae (Administrator - Elevation successful)

========== filefind ==========

Searching for " iastor.sys"
No files found.

-=End Of File=-

It's running fantastic! No more redirects! Thank you so much for your help!!!

And The Geek Squad stuff has been on there since I purchased this computer, I think. I got it from Best Buy so it's probably part of the software they include on all their products.

Bobbye · May 22, 2010

So problems have been resolved? That's a good thing! As for the Geek Squad entry, I'd remove it- but it's not an issue.

Removing all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Download OTCleanIt by OldTimer and save it to your Desktop.

Double click OTCleanIt.exe.

Click the CleanUp! button.

If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

Go to Start > All Programs > Accessories > System Tools

Click "System Restore".

Choose "Create a Restore Point" on the first screen then click "Next".

Give the Restore Point a name> click "Create".

Go back and follow the path to > System Tools.
[*]Choose Disc Cleanup
[*]Click "OK" to select the partition or drive you want.
[*]Click the "More Options" Tab.
[*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Let me know if you need any more help.

dearpheona · May 24, 2010

The problem is gone and my computer is back to running great. Thank you so much for your help... you've been absolutely amazing! I'm so grateful for this!!

Bobbye · May 25, 2010

You're very welcome. Here are tips to help you stay clean:

Please follow these simple steps to keep your computer clean and secure:
1.Disable and Enable System Restore: See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2.Stay current on updates:

Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.

Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

Check this site often.Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3.Make Internet Explorer safer. Follow the suggestions HERE This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
4.Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
5. Use an AntiVirus Software(only one)
See Virus, Spyware, and Malware Protection and Removal Resources

6.Use a good, bi-directional firewall(one software firewall) I recommend either of these software firewalls.- both are free and good:
Comodo or Zone Alarm
7.Consider these programs for Extra Security

Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.

IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

Google Toolbar Get the free google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know.

TechSpot

[Solved] Another Google redirect

dearpheona Newcomer, in training

Attached Files:

mbam-log-2010-05-19 (21-21-49).txt

DDS.txt

Attach.txt

gmer.log

Bobbye Helper on the Fringe

dearpheona Newcomer, in training

dearpheona Newcomer, in training

Bobbye Helper on the Fringe

dearpheona Newcomer, in training

Bobbye Helper on the Fringe

dearpheona Newcomer, in training

Attached Files:

combofixlog.txt

Bobbye Helper on the Fringe

dearpheona Newcomer, in training

Bobbye Helper on the Fringe

dearpheona Newcomer, in training

Bobbye Helper on the Fringe