TechSpot

My other computer has Google redirect problem too

By bearone100
Aug 16, 2010
  1. I have posted the logs for my desktop that has Google redirect problems. Now here are the logs for my netbook with the same problem.
     


  2. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    =====================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00000004

    Kernel Drivers (total 116):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xF7A88000 \WINDOWS\system32\KDCOM.DLL
    0xF7998000 \WINDOWS\system32\BOOTVID.dll
    0xF7588000 klbg.sys
    0xF7459000 ACPI.sys
    0xF7A8A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7448000 pci.sys
    0xF7598000 isapnp.sys
    0xF799C000 compbatt.sys
    0xF79A0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7808000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF75A8000 MountMgr.sys
    0xF7429000 ftdisk.sys
    0xF79A4000 ACPIEC.sys
    0xF7B51000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF7810000 PartMgr.sys
    0xF75B8000 VolSnap.sys
    0xF734F000 iaStor.sys
    0xF75C8000 disk.sys
    0xF75D8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF732F000 fltMgr.sys
    0xF7317000 syscow32x.sys
    0xF75E8000 PxHelp20.sys
    0xF7300000 KSecDD.sys
    0xF7273000 Ntfs.sys
    0xF7246000 NDIS.sys
    0xF7818000 SaibIa32.sys
    0xF75F8000 SahdIa32.sys
    0xF722C000 Mup.sys
    0xF76C8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF5FE7000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF5FD3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF5FAB000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF5E00000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xF7900000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF5DDC000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7908000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF76D8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7910000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF5DAB000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF7AC4000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF76E8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xF5D2F000 \SystemRoot\System32\Drivers\wdf01000.sys
    0xF76F8000 \SystemRoot\system32\DRIVERS\klmouflt.sys
    0xF7918000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF71E8000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF71E4000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7708000 \SystemRoot\system32\DRIVERS\klim5.sys
    0xF7BB9000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7718000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7180000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF5D18000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7728000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7738000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7920000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF5D07000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7748000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7928000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7930000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7758000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7AC6000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF5CE4000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF5C86000 \SystemRoot\system32\DRIVERS\update.sys
    0xF716C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF657D000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xA948F000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xA790F000 \SystemRoot\system32\drivers\sthda.sys
    0xA78EB000 \SystemRoot\system32\drivers\portcls.sys
    0xA947F000 \SystemRoot\system32\drivers\drmk.sys
    0xA78CF000 \SystemRoot\system32\drivers\AESTAud.sys
    0xAA191000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xA787E000 \SystemRoot\system32\DRIVERS\klif.sys
    0xA76A8000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
    0xA945F000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0xA8313000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
    0xF7B30000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xA7CF4000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7B32000 \SystemRoot\System32\Drivers\Beep.SYS
    0xA7C7C000 \SystemRoot\System32\drivers\vga.sys
    0xF7B34000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7B36000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xA7C6C000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xA7C64000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xA7CE5000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA7168000 \??\C:\WINDOWS\system32\drivers\kl1.sys
    0xA7155000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA70FC000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA70D4000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA70AE000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xA708C000 \SystemRoot\System32\drivers\afd.sys
    0xA897B000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xA896B000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA895B000 \SystemRoot\System32\Drivers\SaibVd32.sys
    0xA6F85000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA6EED000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA7B1B000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA2B91000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA2EF7000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7840000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xA654D000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF6D7A000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA2ADC000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA3061000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA2A61000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA2870000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA2497000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA164B000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 44):
    0 System Idle Process
    4 System
    932 C:\WINDOWS\system32\smss.exe
    980 csrss.exe
    1004 C:\WINDOWS\system32\winlogon.exe
    1056 C:\WINDOWS\system32\services.exe
    1068 C:\WINDOWS\system32\lsass.exe
    1236 C:\WINDOWS\system32\svchost.exe
    1344 svchost.exe
    1420 C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
    1444 C:\WINDOWS\system32\svchost.exe
    1592 svchost.exe
    1668 svchost.exe
    1996 C:\WINDOWS\system32\spoolsv.exe
    2044 C:\Program Files\IDT\WDM\stacsv.exe
    336 svchost.exe
    924 C:\WINDOWS\explorer.exe
    640 C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
    672 C:\Program Files\Java\jre6\bin\jqs.exe
    740 C:\WINDOWS\system32\svchost.exe
    1640 C:\WINDOWS\system32\igfxtray.exe
    1688 C:\WINDOWS\system32\hkcmd.exe
    1724 C:\WINDOWS\system32\igfxpers.exe
    1760 C:\Program Files\HP\HPBTWD.exe
    1352 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    1428 C:\Program Files\IDT\WDM\sttray.exe
    1788 C:\WINDOWS\system32\AESTFltr.exe
    1796 C:\WINDOWS\system32\igfxsrvc.exe
    1860 C:\Program Files\Java\jre6\bin\jusched.exe
    1868 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    1636 C:\WINDOWS\system32\ctfmon.exe
    180 C:\Program Files\uTorrent\uTorrent.exe
    428 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    724 C:\WINDOWS\system32\wuauclt.exe
    2472 C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
    2956 wmiprvse.exe
    2972 alg.exe
    3680 C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    3912 C:\WINDOWS\system32\svchost.exe
    3004 C:\Program Files\Mozilla Firefox\firefox.exe
    3328 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
    1472 C:\Program Files\Mozilla Firefox\plugin-container.exe
    3532 C:\WINDOWS\system32\rundll32.exe
    2892 C:\Documents and Settings\Darren\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGHM160HI, Rev: HH100-15

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
     
  4. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Looks good :)
    Go on....
     
  5. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    ComboFix 10-08-17.01 - Darren 08/17/2010 14:38:37.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.631 [GMT -4:00]
    Running from: c:\documents and settings\Darren\My Documents\Downloads\ComboFix.exe
    AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}
    c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}\chrome.manifest
    c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}\chrome\content\_cfg.js
    c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}\chrome\content\overlay.xul
    c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}\install.rdf

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
    .

    2010-08-16 15:18 . 2010-08-16 15:18 -------- d-----w- c:\documents and settings\Darren\Application Data\Malwarebytes
    2010-08-16 15:18 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-16 15:18 . 2010-08-16 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-16 15:18 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-16 15:18 . 2010-08-16 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-13 21:22 . 2010-06-21 15:27 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-13 21:22 . 2010-06-21 15:27 354304 ----a-w- c:\windows\system32\dllcache\srv.sys
    2010-08-13 21:21 . 2010-04-27 13:59 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-08-13 21:21 . 2010-04-27 13:59 2146304 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-08-13 21:21 . 2010-04-28 02:25 2189952 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-08-13 21:21 . 2010-04-27 13:05 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-08-13 21:21 . 2010-04-27 13:05 2024448 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-08-13 21:21 . 2010-04-27 13:05 2066816 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-08-12 04:02 . 2010-06-18 13:36 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
    2010-08-08 16:43 . 2010-08-08 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-08 16:43 . 2010-08-08 16:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-28 00:44 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-27 06:30 . 2010-07-27 06:30 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
    2010-07-26 19:50 . 2010-07-30 14:55 97549 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-07-26 19:50 . 2010-07-30 14:55 113933 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-07-26 19:49 . 2010-08-17 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-07-26 19:49 . 2010-07-26 19:49 -------- d-----w- c:\program files\Kaspersky Lab
    2010-07-26 19:47 . 2010-07-26 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-07-26 16:49 . 2010-07-26 18:00 -------- d-----w- c:\program files\Enigma Software Group
    2010-07-26 16:49 . 2010-07-26 16:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-07-23 14:45 . 2010-07-23 14:45 -------- d--h--w- c:\windows\PIF
    2010-07-20 19:15 . 2010-07-20 15:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-07-20 15:23 . 2010-07-20 15:23 -------- d-----w- c:\documents and settings\Darren\Local Settings\Application Data\Sunbelt Software
    2010-07-20 15:16 . 2010-07-26 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-17 18:48 . 2010-05-26 13:36 -------- d-----w- c:\documents and settings\Darren\Application Data\uTorrent
    2010-08-16 22:06 . 2010-06-01 19:17 -------- d-----w- c:\documents and settings\Darren\Application Data\vlc
    2010-08-14 18:05 . 2010-05-26 04:57 -------- d-----w- c:\program files\Microsoft Works
    2010-08-13 21:22 . 2010-05-26 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-07-26 21:41 . 2008-04-15 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
    2010-07-20 15:12 . 2010-06-02 18:35 148 ----a-w- c:\documents and settings\Darren\Application Data\wklnhst.dat
    2010-06-30 12:31 . 2010-06-30 12:31 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2010-08-12 04:06 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 18:17 . 2010-06-23 18:17 -------- d-----w- c:\program files\AVG
    2010-06-23 13:44 . 2010-06-23 13:44 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-17 14:03 . 2010-06-17 14:03 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2010-07-28 00:44 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2010-06-14 07:41 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-06 16:22 . 2010-05-26 05:09 40576 ----a-w- c:\documents and settings\Darren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-26 13:33 . 2010-05-26 13:33 0 -c--a-w- c:\windows\nsreg.dat
    2010-05-26 05:08 . 2010-05-26 05:08 259584 ----a-w- c:\windows\system32\bcdedit.exe
    2010-05-26 05:07 . 2010-05-26 05:07 91376 ----a-w- c:\windows\system32\bcmwlcoi.dll
    2010-05-26 05:07 . 2009-06-02 00:57 1746432 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-31 322352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
    "HP BTW Detect Program"="c:\program files\HP\HPBTWD.exe" [2009-03-30 319488]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-06-29 458844]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-06 737280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-12 148888]
    "WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP]
    2009-07-14 10:54 589104 ----a-w- c:\program files\Hewlett-Packard\HP QuickSync\QuickSync.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2010-05-31 23:42 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
    R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [8/11/2009 9:51 PM 21488]
    R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [8/11/2009 9:51 PM 15856]
    R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [7/2/2009 2:10 AM 103792]
    R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [8/11/2009 9:51 PM 25584]
    R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 10:05 PM 457200]
    R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [7/9/2009 7:08 AM 199152]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/11/2009 9:37 PM 113664]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
    S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
    S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1c51x86.sys --> c:\windows\system32\DRIVERS\l1c51x86.sys [?]
    S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/11/2009 9:35 PM 160256]
    S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-17 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
    - c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-07-09 11:09]

    2010-08-17 c:\windows\Tasks\USER_FEED_SYNCHRONIZATION-{63A60B05-A1C1-4DB5-B4E4-4B8EA50E06C9}.JOB
    - c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
    FF - ProfilePath - c:\documents and settings\Darren\Application Data\Mozilla\Firefox\Profiles\ij5igcd4.default\
    FF - prefs.js: browser.startup.homepage - www.google.ca
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-17 14:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4004)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\idt\wdm\STacSV.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\Hewlett-Packard\Shared\hpqToaster.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-17 14:51:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-17 18:51

    Pre-Run: 116,568,952,832 bytes free
    Post-Run: 116,486,119,424 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

    - - End Of File - - BFECB752250226CAC945A3541DE36ABD
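The ComboFix report above is the kind of output a helper reads by hand: the REGEDIT4 "Reg Loading Points" block lists what runs at logon, the firewall policy key shows whether the Windows Firewall is on, and the "Other Deletions" block shows what was removed (here a Firefox extension, identifiable by its install.rdf and chrome.manifest, living under Local Settings\Application Data rather than an extensions folder). As an added example that is not part of this thread and not ComboFix's own tooling, the Python script below parses those three sections from report-shaped text and flags the things a reviewer looks for: autorun values whose program lives in a user-writable location, a disabled Windows Firewall, and extension files outside any extensions folder. The sample text is constructed in the shape of the report posted above; the "Updater" autorun entry is invented for this example so the path check has something to flag, and every function name is this example's own.

```python
import re

# Constructed sample in the shape of the ComboFix report posted above: two
# "Other Deletions" paths, the REGEDIT4 "Reg Loading Points" block and the
# firewall policy key. The "Updater" autorun is invented for this example so
# that the user-writable-path check has something to flag.
SAMPLE_LOG = r"""
c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}\chrome.manifest
c:\documents and settings\Darren\Local Settings\Application Data\{F8241C81-C34C-47ED-A1B1-86E8140914D6}\install.rdf

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-31 322352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"Updater"="c:\documents and settings\Darren\Local Settings\Application Data\svchost.exe" [2010-08-10 40960]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# A REGEDIT4 value line: "Name"="path" followed by ComboFix's optional [date size].
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[[^\]]*\])?$')

# Path fragments that mean "writable by an ordinary user" on XP/Vista-era Windows.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")

# File names that make up a Firefox extension; legitimate ones sit under an
# "extensions" folder of the profile or of the Firefox install.
FF_EXT_FILES = ("install.rdf", "chrome.manifest", "overlay.xul")


def parse_autoruns(text):
    """Return (key, value name, program path) for every value under a ...\\Run key."""
    entries = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new registry section
            continue
        if current_key and current_key.lower().endswith("\\run"):
            match = VALUE_RE.match(line)
            if match:
                entries.append((current_key, match.group(1), match.group(2)))
    return entries


def parse_firewall_state(text):
    """True/False for EnableFirewall in the standard profile, None if not present."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if current_key and current_key.endswith("firewallpolicy\\standardprofile"):
            match = re.match(r'^"EnableFirewall"=\s*(\d+)', line)
            if match:
                return match.group(1) != "0"
    return None


def find_extension_artifacts(text):
    """Firefox extension files that are not under any 'extensions' folder."""
    hits = []
    for line in text.splitlines():
        low = line.strip().lower()
        if low.endswith(FF_EXT_FILES) and "\\extensions\\" not in low:
            hits.append(line.strip())
    return hits


def triage(text):
    """Summarise the review points as human-readable findings."""
    findings = []
    for key, name, path in parse_autoruns(text):
        if any(marker in path.lower() for marker in USER_WRITABLE):
            findings.append(f"autorun '{name}' under {key} runs from a user-writable path: {path}")
    if parse_firewall_state(text) is False:
        # Expected when a third-party firewall is active (the report header above
        # shows Kaspersky's firewall enabled), so this is a point to confirm, not a verdict.
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    for artifact in find_extension_artifacts(text):
        findings.append(f"Firefox extension file outside an extensions folder: {artifact}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run as-is it prints four findings for the sample: the invented "Updater" autorun, the disabled Windows Firewall, and the two extension files. Feed it a real ComboFix.txt by reading the file into `triage()`; the firewall finding should always be read together with the AV/FW line in the report header, since a third-party firewall legitimately leaves the Windows one off.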
     
  6. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    How is the redirection?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    OTL Extras logfile created on: 8/17/2010 6:26:13 PM - Run 1
    OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Darren\My Documents\Downloads
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,015.00 Mb Total Physical Memory | 611.00 Mb Available Physical Memory | 60.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.05 Gb Total Space | 108.48 Gb Free Space | 72.78% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: PC115526378102
    Current User Name: Darren
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htafile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring" = 1
    "" =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
    "C:\Program Files\Hewlett-Packard\HP QuickSync\jre\bin\javaw.exe" = C:\Program Files\Hewlett-Packard\HP QuickSync\jre\bin\javaw.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
    "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0517F875-BBB2-4812-A63E-733B33CEF215}" = Roxio Instant Restore
    "{10385C4F-A6B2-4913-975D-6828928222EC}" = HP User Guides 0165
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 14
    "{2B682751-E749-441C-A4B3-1F538E26E56E}" = Roxio Instant Restore Recovery Disk
    "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
    "{32F9BACF-FCD3-4B6A-AD85-255A449B6FA5}" = Roxio BackOnTrack
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = HP Webcam-50
    "{54CC7901-804D-4155-B353-21F0CC9112AB}" = HP Wireless Assistant
    "{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
    "{69DAC00A-7665-4E9B-B441-093D40736429}" = HP BatteryCheck 2.10 A2
    "{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{87A83C6F-F53C-448A-B078-FF00E3EAEB29}" = Roxio Disaster Recovery
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{909B62B0-8ACA-4061-A83B-09CAEF609619}" = MSXML 6.0 Parser
    "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{96AE7E41-E34E-47D0-AC07-1091A8127911}" = USB2.0 Card Reader Software
    "{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
    "{AC76BA86-7AD7-FFFF-7B44-A91000000001}" = Adobe Reader 9.1 MUI
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
    "{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
    "{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
    "{EEA95E6C-6847-49BE-83C9-ED92D8E18983}" = HP QuickSync
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "HOMESTUDENTR" = Microsoft Office Home and Student 2007
    "ie8" = Windows Internet Explorer 8
    "InstallWIX_{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "uTorrent" = µTorrent
    "VLC media player" = VLC media player 1.0.5
    "Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    "WildTangent hp Master Uninstall" = HP Games
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 8/2/2010 9:33:35 PM | Computer Name = PC115526378102 | Source = RstMgr | ID = 0
    Description =

    Error - 8/4/2010 9:21:31 AM | Computer Name = PC115526378102 | Source = RstMgr | ID = 0
    Description =

    Error - 8/4/2010 9:21:31 AM | Computer Name = PC115526378102 | Source = RstMgr | ID = 0
    Description =

    Error - 8/4/2010 9:33:38 AM | Computer Name = PC115526378102 | Source = Application Error | ID = 1000
    Description = Faulting application gooredfix.exe, version 2.0.0.687, faulting module
    ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

    Error - 8/4/2010 9:38:23 AM | Computer Name = PC115526378102 | Source = RstMgr | ID = 0
    Description =

    Error - 8/4/2010 9:38:23 AM | Computer Name = PC115526378102 | Source = RstMgr | ID = 0
    Description =

    Error - 8/4/2010 9:50:31 AM | Computer Name = PC115526378102 | Source = RstMgr | ID = 0
    Description =

    Error - 8/4/2010 9:50:31 AM | Computer Name = PC115526378102 | Source = RstMgr | ID = 0
    Description =

    Error - 8/4/2010 9:53:19 AM | Computer Name = PC115526378102 | Source = Application Error | ID = 1000
    Description = Faulting application gooredfix.exe, version 2.0.0.687, faulting module
    ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

    Error - 8/16/2010 11:10:50 AM | Computer Name = PC115526378102 | Source = Application Error | ID = 1000
    Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
    teatimer.exe, version 1.6.6.32, fault address 0x0006e66e.

    [ System Events ]
    Error - 8/17/2010 2:28:51 PM | Computer Name = PC115526378102 | Source = Service Control Manager | ID = 7023
    Description = The System Restore Service service terminated with the following error:
    %%2

    Error - 8/17/2010 2:28:54 PM | Computer Name = PC115526378102 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AliIde IntelIde PCIIde ViaIde

    Error - 8/17/2010 2:48:59 PM | Computer Name = PC115526378102 | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the BOTService service.

    Error - 8/17/2010 2:49:03 PM | Computer Name = PC115526378102 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AliIde IntelIde PCIIde ViaIde

    Error - 8/17/2010 2:49:34 PM | Computer Name = PC115526378102 | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the BOTService service.

    Error - 8/17/2010 5:57:47 PM | Computer Name = PC115526378102 | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the BOTService service.

    Error - 8/17/2010 5:57:49 PM | Computer Name = PC115526378102 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AliIde IntelIde PCIIde ViaIde

    Error - 8/17/2010 6:20:08 PM | Computer Name = PC115526378102 | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the BOTService service.

    Error - 8/17/2010 6:20:10 PM | Computer Name = PC115526378102 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AliIde IntelIde PCIIde ViaIde

    Error - 8/17/2010 6:20:41 PM | Computer Name = PC115526378102 | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the BOTService service.


    < End of report >



    SRV - [2009/06/29 16:44:38 | 000,221,266 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
    SRV - [2009/06/02 22:05:58 | 000,457,200 | ---- | M] () [Auto | Running] -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe -- (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269)
     
  8. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    The logs were too long, so I downloaded them.
     

    Attached Files:

  9. Broni

    Broni Malware Annihilator Posts: 52,895   +344

     
  10. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    I haven't been able to try it because I had to do a restore on the desktop and it's taking all my time. It looks like the redirect might be gone, but I will know better when I have more time to look.
     
  11. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    You used System Restore?
     
  12. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    Yes, my desktop wouldn't do anything, so I had to do a restore with the CD to get it working again. Now I'm going through the 8 steps on the desktop again.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    You should have told me first, but what's done is done.
    Go on....
     
  14. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    I had to do the restore on the desktop, not my netbook. The netbook is the one we are working on here.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Oh....LOL
    Can you check for redirection issue then...
     
  16. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    Because of the problems I had with both computers (the desktop is fixed, thank you very much), I have started over with the netbook. I am rescanning and reposting from the start.
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4449

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/19/2010 3:54:44 PM
    mbam-log-2010-08-19 (15-54-44).txt

    Scan type: Quick scan
    Objects scanned: 125708
    Time elapsed: 9 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  17. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    Here's the newest one.
     

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    How is redirection?

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  19. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    Here is the log for Combofix.
     

    Attached Files:

  20. Broni

    Broni Malware Annihilator Posts: 52,895   +344

     
  21. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    The redirection looks like it's gone.
     
  22. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Good :)

    Combofix log is clean....

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  23. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    OTL only gave me one log.
     
  24. bearone100

    bearone100 TS Rookie Topic Starter Posts: 54

    Here it is.
     

    Attached Files:

    • OTL.Txt (110.8 KB)
  25. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    What happened to Kaspersky?
    I don't see it running.

    =========================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      [2010/06/23 14:17:22 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===============================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • IMPORTANT! UN-check Remove found threats
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
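
    The Extras report posted earlier in the thread (post #7) lists the Security Center and firewall-policy registry keys, and the OTL fix above deletes the DisableMonitoring value under KasperskyAntiVirus. As an added example, not part of this thread and not code from the OTL tool, here is a small Python triage script that parses the [key] / "name" = value lines out of an Extras-style log and flags the values that weaken protection (Security Center notifications silenced, product monitoring disabled, Windows Firewall switched off for a profile). The sample log embedded in it is constructed to mirror the values in that report; the key and value names are the standard XP Security Center and SharedAccess firewall-policy entries, and the explanatory text attached to each finding is my own wording.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample input (not a real log file): the Security Center and
# firewall-policy lines written the way OTL's Extras.txt prints them. The
# values mirror the report posted earlier in the thread.
SAMPLE_LOG = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')        # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')   # "Name" = value


def parse_registry_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the [key] / "name" = value lines into {key: {name: value}}.
    Banner lines and blanks are skipped; a value line before any key is ignored."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            sections.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            sections[current][value_match.group(1)] = value_match.group(2).strip()
    return sections


def _under(suffix: str) -> Callable[[str], bool]:
    """Key test: the key path ends with the given suffix."""
    return lambda key: key.endswith(suffix)


def _monitoring(key: str) -> bool:
    """Key test: a per-product entry under Security Center\Monitoring."""
    return "\\Security Center\\Monitoring\\" in key


def _firewall_profile(key: str) -> bool:
    """Key test: one of the two Windows Firewall policy profiles."""
    return key.endswith("\\FirewallPolicy\\StandardProfile") or key.endswith("\\FirewallPolicy\\DomainProfile")


# (key test, value name, value that weakens protection, what that means)
WEAK_SETTINGS: List[Tuple[Callable[[str], bool], str, str, str]] = [
    (_under("\\Security Center"), "AntiVirusDisableNotify", "1", "antivirus warnings are silenced"),
    (_under("\\Security Center"), "FirewallDisableNotify", "1", "firewall warnings are silenced"),
    (_under("\\Security Center"), "UpdatesDisableNotify", "1", "Windows Update warnings are silenced"),
    (_under("\\Security Center"), "AntiVirusOverride", "1", "antivirus state is ignored"),
    (_under("\\Security Center"), "FirewallOverride", "1", "firewall state is ignored"),
    (_monitoring, "DisableMonitoring", "1", "Security Center no longer tracks this product"),
    (_firewall_profile, "EnableFirewall", "0", "Windows Firewall is off for this profile"),
]


def find_weak_settings(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one readable line per weakened setting, in the order the log lists the keys."""
    findings: List[str] = []
    for key, values in sections.items():
        leaf = key.rsplit("\\", 1)[-1]
        for key_test, name, bad_value, meaning in WEAK_SETTINGS:
            if key_test(key) and values.get(name) == bad_value:
                findings.append(f"{leaf}: {name} = {bad_value} ({meaning})")
    return findings


def triage(text: str) -> List[str]:
    """Parse an Extras-style log and report its weakened settings."""
    return find_weak_settings(parse_registry_dump(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    A flag from this script is a lead, not a verdict: a third-party suite such as Kaspersky Internet Security may legitimately register itself under Security Center\Monitoring and take over from Windows Firewall, so compare the findings with what the user actually has installed before reading them as tampering. That is the same check Broni makes above when he asks what happened to Kaspersky before deleting the DisableMonitoring value.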
     
Topic Status:
Not open for further replies.
