[Closed] Browser redirection trouble

Status
Not open for further replies.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6403

Windows 6.0.6000
Internet Explorer 8.0.6001.18882

4/23/2011 4:21:40 AM
mbam-log-2011-04-23 (04-21-40).txt

Scan type: Quick scan
Objects scanned: 192063
Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-04-23 04:29:46
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.V54O
Running: lh8bb9kt.exe; Driver: C:\Users\Admin\AppData\Local\Temp\kwlyqpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Threads - GMER 1.0.15 ----

Thread System [4:412] 8A197140
Thread System [4:420] 8A197140
Thread System [4:424] 8A1CF520
Thread System [4:428] 8A1CF520
Thread System [4:436] 8A1D1580
Thread System [4:440] 8A1D1580
Thread System [4:444] 8A1D1580
Thread System [4:452] 8A1CF520

---- EOF - GMER 1.0.15 ----

attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 7/4/2007 12:45:35 AM
System Uptime: 4/23/2011 4:23:20 AM (0 hours ago)
.
Motherboard: ASUSTek Computer INC. | | Leonite2
Processor: Intel(R) Core(TM)2 CPU 4400 @ 2.00GHz | Socket 775 | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 289 GiB total, 159.393 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.005 GiB free.
E: is CDROM ()
G: is FIXED (NTFS) - 298 GiB total, 283.672 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Hosts File Hijack ======================
.
Hosts: 127.0.0.1 www.avast.com
Hosts: 127.0.0.1 www.avg.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.eset.com
Hosts: 127.0.0.1 www.f-secure.com
Hosts: 127.0.0.1 www.grisoft.com
Hosts: 127.0.0.1 www.kaspersky.com
Hosts: 127.0.0.1 www.mcafee.com
Hosts: 127.0.0.1 www.microsoft.com
Hosts: 127.0.0.1 www.pandasecurity.com
Hosts: 127.0.0.1 www.sophos.com
Hosts: 127.0.0.1 www.symantec.com
Hosts: 127.0.0.1 www.trendmicro.com
Hosts: 127.0.0.1 www.viruslist.com
Hosts: 127.0.0.1 www.virustotal.com
.
==== Installed Programs ======================
.
µTorrent
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player 11.5
AnalogX AutoTune
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Audacity 1.2.6
Awave Studio v10.1
Band-in-a-Box 2008.5 (Build 263)
Becker CPA Review CD-ROM Course and PassMaster - 2008 Edition
Bisk CPA Review Software 13.10
Bonjour
CloneCD
Compatibility Pack for the 2007 Office system
Creative MediaSource 5
Digital Voice Editor 3
DiskCheckup V2.1
DivX Content Uploader
DivX Web Player
DzSoft Favorites Search 2.1
EarMaster Pro 5
Enhanced Multimedia Keyboard Solution
ESET Online Scanner v3
FreeMind
FretPro V.2.00
Garmin City Navigator North America NT 2010.20
Garmin WebUpdater
Google Desktop
Google Toolbar for Internet Explorer
Guitar Freak Workstation with SightReader
H-Series_ASIO32
Hardware Diagnostic Tools
HD Tune Pro 4.01
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.0
HP Photosmart Essential2.5
HP Picasso Media Center Add-In
HP Product Detection
HP Total Care Advisor
HP Update
ieSpell
ImgBurn
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel® Viiv™ Software
iSkysoft DVD to iPod Converter(Build 1.5.23)
iTunes
J2SE Runtime Environment 5.0 Update 12
Java Auto Updater
Kaspersky Anti-Virus 7.0
LAME v3.98.2 for Audacity
LG USB Modem driver
LightScribe 1.4.142.1
LiveUpdate 3.2 (Symantec Corporation)
Macrium Reflect - Free Edition
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Mega Manager
Megaupload Toolbar
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft IntelliPoint 6.1
Microsoft Office Basic Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
Musicnotes Software Suite 1.5.5
muvee autoProducer 6.0
My HP Games
NETGEAR Live Parental Controls Management Utility 2.0b44
NETGEAR Live Parental Controls User Utility 1.0b38
NirSoft BlueScreenView
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PG Music DirectX Plugins 1.3.4.1
Picasa 2
Power Tab Editor 1.7
PSSWCORE
Python 2.4.3
QMC
QuickBooks Pro 2007
QuickBooks Product Listing Service
Quicken 2008
QuickTime
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
River Past Audio Converter
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Safari
SampleTestInstall
Shockwave
Sibelius Scorch (ActiveX Only)
Skype Toolbars
Skype™ 5.0
Snapfish Media Detector
Snitch
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
Stock Investor Professional
Streamripper (Remove only)
SupportSoft Assisted Service
TaxCut New Jersey 2007
TaxCut New York 2007
TaxCut Premium + State 2007
TeamViewer 3
Transcribe! 8.10
Ulead VideoStudio SE DVD
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Video Piggy
Viewpoint Media Player
Virtual Sound Canvas DXi
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Winamp
Winamp Remote
Windows Installer Clean Up
Windows Movie Maker 2.6
WinPcap 4.1.1
WinRAR archiver
WinZip 11.2
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer
ZENcast Organizer
ZillaTube 3.1
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)
.
==== End Of File ===========================

dds.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Admin at 4:33:58.96 on Sat 04/23/2011
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.917 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\TeamViewer3\TeamViewer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\vVX6000.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Admin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: CocoonSoftware Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: CocoonSoftware Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SnapfishMediaDetector] c:\program files\snapfish media detector\SnapfishMediaDetector.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [CCUTRAYICON] FactoryMode
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {FF925300-80E6-11D4-A15B-FFF9086C1A3C} - {4DC701A0-93AD-11D4-A15B-AF07886E4A07} - c:\progra~1\dzsoft\favori~1\FavSeek.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303530075634
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Hosts: 127.0.0.1 www.avast.com
Hosts: 127.0.0.1 www.avg.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.eset.com
Hosts: 127.0.0.1 www.f-secure.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-5 64288]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-3-17 15328]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2007-4-4 20760]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-3-17 220128]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2007-9-28 600912]
R2 TeamViewer;TeamViewer 3;c:\program files\teamviewer3\TeamViewer_Host.exe [2008-3-12 181544]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-25 25088]
S2 AVP;Kaspersky Anti-Virus 7.0;c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2007-6-28 218376]
S2 gupdate;gupdate; [x]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-1 30192]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2008-5-11 39048]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-11 167936]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2007-4-10 2385896]
S3 ZMHHPAudioSrv;ZOOM H Series High Performance Audio Driver Service;c:\windows\system32\drivers\zmhhpau.sys [2010-4-16 32000]
.
=============== Created Last 30 ================
.
2011-04-23 03:21:42 -------- d-----w- C:\_OTM
2011-04-22 23:42:43 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{f9c6cc1f-2a06-4892-a269-ee12ad9e30aa}\mpengine.dll
2011-04-22 10:26:03 -------- d--h--w- C:\$AVG
2011-04-22 03:04:45 -------- d-----w- c:\progra~2\AVG Security Toolbar
2011-04-22 02:55:27 -------- d-----w- c:\progra~2\AVG10
2011-04-22 02:50:11 -------- d-----w- c:\program files\AVG
2011-04-22 02:37:05 -------- d-----w- c:\progra~2\MFAData
2011-04-21 19:40:16 -------- d-s---w- C:\ComboFix
2011-04-20 20:29:18 -------- d-----w- C:\_OTL
2011-04-20 17:54:28 -------- d-----w- c:\users\admin\appdata\local\Musicnotes
2011-04-20 00:05:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 00:05:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-13 18:26:48 -------- d-----w- c:\program files\Streamripper
2011-04-11 01:12:49 -------- d-----w- c:\progra~2\Musicnotes
2011-04-11 00:54:03 -------- d-----w- c:\users\admin\appdata\local\OpenCandy
2011-04-11 00:53:59 -------- d-----w- c:\users\admin\appdata\roaming\OpenCandy
2011-04-11 00:53:59 -------- d-----w- c:\program files\Musicnotes
2011-04-02 20:18:43 -------- d-----w- c:\program files\common files\Sonic Shared
2011-04-02 02:16:25 -------- d-----w- c:\progra~2\McAfee Security Scan
2011-04-02 02:16:22 -------- d-----w- c:\program files\McAfee Security Scan
.
==================== Find3M ====================
.
2011-02-14 03:53:25 320000 ----a-w- c:\windows\system32\CF6700.exe
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 4:35:37.98 ===============
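The logs above show two separate hijacks: the hosts file sinkholes security-vendor sites to 127.0.0.1 (so AV updates and online scanners cannot reach their servers), and the StartMenuInternet command values route every browser launch through a loader (qud.exe) sitting in the user's profile. As an added example, not code from this thread or from DDS or Malwarebytes, the Python script below runs that detection logic over a constructed log excerpt written in both tools' line formats; the vendor domain list and the sample lines are constructed here and mirror the entries in the thread's logs.

```python
"""Detect the two hijack patterns the thread's logs show.

Added example for this thread, not code from TechSpot, DDS or Malwarebytes.
It scans constructed log text in the DDS 'Hosts:' line format and the MBAM
'Registry Data Items Infected' line format and flags:
  * hosts entries that sinkhole security-vendor domains to loopback/null,
  * StartMenuInternet command values whose first executable is not the
    browser the key is registered for (the qud.exe loader pattern).
"""
import ipaddress
import re

# Vendor hostnames worth watching; taken from the DDS log above, not exhaustive.
SECURITY_VENDOR_DOMAINS = {
    "www.avast.com", "www.avg.com", "www.bitdefender.com", "www.eset.com",
    "www.f-secure.com", "www.grisoft.com", "www.kaspersky.com", "www.mcafee.com",
    "www.microsoft.com", "www.pandasecurity.com", "www.sophos.com",
    "www.symantec.com", "www.trendmicro.com", "www.viruslist.com",
    "www.virustotal.com",
}

# Constructed sample: two benign hosts lines plus entries and registry hits
# that mirror the thread's logs (same loader path, same keys).
SAMPLE_LOG = r"""
Hosts: 127.0.0.1 www.avast.com
Hosts: 127.0.0.1 www.kaspersky.com
Hosts: 127.0.0.1 www.example.org
Hosts: 192.168.1.50 intranet.local
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
"""

# DDS prints each hosts entry as "Hosts: <ip> <hostname>".
HOSTS_LINE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.MULTILINE)
# MBAM prints "<key> (Hijack.StartMenuInternet) -> Bad: (<cmd>) Good: (<cmd>) -> ...";
# groups: browser key name, shell verb, bad command, good command.
MBAM_SMI_LINE = re.compile(
    r"^HKEY_\S*?\\StartMenuInternet\\([^\\]+)\\shell\\([^\\]+)\\command\\\(default\)"
    r"\s+\(Hijack\.StartMenuInternet\)\s+->\s+Bad:\s+\((.*?)\)\s+Good:\s+\((.*?)\)\s+->",
    re.MULTILINE,
)


def is_loopback_or_null(ip_text):
    """True for 127.0.0.0/8, ::1 and the 0.0.0.0 'null route' variant."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hosts_hijacks(log_text, vendors=SECURITY_VENDOR_DOMAINS):
    """Return vendor hostnames the hosts file sinkholes to loopback/null."""
    hijacked = []
    for ip_text, host in HOSTS_LINE.findall(log_text):
        if host.lower() in vendors and is_loopback_or_null(ip_text):
            hijacked.append(host.lower())
    return hijacked


def first_executable(command):
    """Lower-cased basename of the program a Windows command line launches.

    Honours a leading quoted path; otherwise takes the first whitespace token.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end != -1 else command[1:]
    else:
        path = command.split()[0] if command else ""
    return re.split(r"[\\/]", path)[-1].lower()


def command_is_hijacked(browser_exe, command):
    """A StartMenuInternet\\<browser>\\shell\\<verb>\\command value is suspect
    when the program it actually launches is not the registered browser."""
    return first_executable(command) != browser_exe.lower()


def find_startmenu_hijacks(log_text):
    """(browser, verb, loader) for each MBAM line whose Bad value launches
    something other than the browser the key is registered for."""
    found = []
    for browser, verb, bad, _good in MBAM_SMI_LINE.findall(log_text):
        if command_is_hijacked(browser, bad):
            found.append((browser, verb, first_executable(bad)))
    return found


if __name__ == "__main__":
    for host in find_hosts_hijacks(SAMPLE_LOG):
        print(f"hosts sinkhole: {host}")
    for browser, verb, loader in find_startmenu_hijacks(SAMPLE_LOG):
        print(f"browser launch hijack: {browser} ({verb}) -> {loader}")
```

command_is_hijacked takes the browser key name and the raw command value, so it works just as well on values read directly from HKLM\SOFTWARE\Clients\StartMenuInternet as on MBAM lines; find_hosts_hijacks expects the DDS "Hosts:" prefix, so a raw hosts file would need that prefix added (or the regex relaxed) first.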
 
Good Morning and welcome to TechSpot! Looks like the host files have been hijacked. Just a note for you before I continue> even though you may think the subject of "Browser redirection trouble" says it all, that is not the case. I have found that sometimes members think they are being redirected when getting a message "can't find the server" or "server disconnected." So it helps us to help you if you give us some description.

While I finish checking these logs, please do the following: Note: It's important that you follow the order I have set up:

You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  • [1]. Shut down your computer, and any other computer connected to your router.
  • [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  • [3]. Unplug the router. Wait sixty seconds.
  • [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  • [5]. With the router unplugged, start your computer. Run MBAM again.
  • [6]. Connect to the router again. Then turn the router back on.
  • [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  • [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
==================================
Edit: You are running 2 antivirus programs> McAfee Security Scan Plus and Kaspersky Anti-Virus 7.0. Please uninstall one of them.
McAfee Removal
Kaspersky archive kavremover.zip.
  • Unpack the archive (for example, using WinZip)
  • Double click on kavremover.exe
  • Enter the code from the picture. If you cannot read the code from the picture, click on the button next to the picture to generate a new code
    [o] The screen will display the products detected.
    [o] You can also select Remove all known products.
  • Click on the button Remove
    kavremover_1464_01new_en.jpg
  • Wait until a dialog window appears to inform you that the product was successfully removed
    kavremover_1464_04_en.jpg
  • Click OK
Images courtesy Kaspersky
Reboot the computer.
=========================
After completing the above, please Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe (cf-icon.jpg) & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
================================
If you are using any file sharing programs, please uninstall or disable them while I am helping you.
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
==================================
Please paste the new Malwarebytes log and Combofix log in your next reply
 
It appears that some cleaning attempts have already been made on your system, due to the presence of these:
2011-04-23 03:21:42 -------- d-----w- C:\_OTM
2011-04-22 02:37:05 -------- d-----w- c:\progra~2\MFAData
2011-04-21 19:40:16 -------- d-s---w- C:\ComboFix
2011-04-20 20:29:18 -------- d-----w- C:\_OTL

I also note the presence of several AVG entries:
2011-04-22 10:26:03 -------- d--h--w- C:\$AVG
2011-04-22 03:04:45 -------- d-----w- c:\progra~2\AVG Security Toolbar
2011-04-22 02:55:27 -------- d-----w- c:\progra~2\AVG10
2011-04-22 02:50:11 -------- d-----w- c:\program files\AVG

Tell me please if you are being helped in another computer forum at this time for this problem.
 
I was working with dslreports, but they gave up and told me to reformat. On some other issues:

1) the browser seems to search OK, but when I click on one of the found sites, it takes me to a totally different site.

2) The admin user is working much better than my user (richb2) account.

3) I ran combofix and it said that my explorer was infected but then said that it fixed it. But after that, when I rebooted, explorer fails. I had to use Microsoft recovery to get my PC working again.

4) In the richb2 user, I always get a popup that orbtray.exe needs me to allow it to run. I never allow it.

5) I have invested about 20 hours in getting rid of Vista Home Firewall virus. Finally I used the code and it went away. The redirection error seems to be the last problem. I have a lot of programs on this PC. Is there any way to reinstall Vista (or XP) without wiping the applications?

Here is the last MBAM that I ran after flushing the DNS and rebooting the router as per the instructs.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6403

Windows 6.0.6000
Internet Explorer 8.0.6001.18882

4/23/2011 11:06:04 AM
mbam-log-2011-04-23 (11-06-04).txt

Scan type: Quick scan
Objects scanned: 193714
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


One more thing, I just took off McAfee. I didn't see that instruct before.
 
I was working with dslreports, but they gave up and told me to reformat
>>
http://www.broadbandreports.com/forum/r25761660-Here-are-my-required-steps~start=20

They didn't give up! They told you that was what you needed to do for your badly infected system.

As far as I'm concerned, you have already gotten help for this problem in another forum. Considering you were still getting active help there on 4/24, you should not have started a thread here on 4/23 expecting us to do magic and find a solution you liked better!

This thread is closed.
 