Help!

Google Search Hijack

suzdream
Joined: May 02, 2009
Posts: 9
PostPosted: Sat May 02, 2009 3:13 am    Post subject: Google Search Hijack

Hello and thank you for your time and help.

I have been having issues with Google search results being hijacked and redirected to a different site. It seems as if this is a common problem lately so let me know if you would like any additional information regarding this problem.

One other thing that may or may not be related (and please forgive me if it is not related) is that my memory card reader isn't reading my memory cards. I did update the drivers, but I can't read flash usb sticks either.

Here is my Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:35 AM, on 05/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Documents and Settings\Client\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [PixelInstall] 
O4 - HKLM\..\RunOnce: [Reboot] 
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DOpus] C:\Program Files\GPSoftware\Directory Opus\dopus.exe
O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\se3mwjv7.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/...eb_site
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\dezifamu.dll c:\windows\system32\ c:\windows\system32\japanupa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 9951 bytes
suzdream
Joined: May 02, 2009
Posts: 9
PostPosted: Sat May 02, 2009 3:14 am    Post subject: Malwarebytes Log

Malwarebytes' Anti-Malware 1.36
Database version: 2066
Windows 5.1.2600 Service Pack 3

05/01/2009 5:19:27 PM
mbam-log-2009-05-01 (17-19-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 163244
Time elapsed: 34 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
suzdream
Joined: May 02, 2009
Posts: 9
PostPosted: Sat May 02, 2009 3:15 am    Post subject: SUPERAntiSpyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/01/2009 at 06:15 PM

Application Version : 4.26.1002

Core Rules Database Version : 3874
Trace Rules Database Version: 1822

Scan type : Complete Scan
Total Scan Time : 00:44:55

Memory items scanned : 552
Memory threats detected : 0
Registry items scanned : 6208
Registry threats detected : 7
File items scanned : 25009
File threats detected : 1

Trojan.Sino-PWS/Gen
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2BA40A2-74F0-42BD-F434-12345A2C8953}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2BA40A2-74F0-42BD-F434-12345A2C8953}

Rootkit.Agent/Gen-Rustock
HKLM\system\controlset001\services\ovfsthwwkikbcjxorncyciqxexymdtebcopsex
C:\WINDOWS\SYSTEM32\DRIVERS\OVFSTHRIGABVFBXBQFPCYHRKPRPFFBYULBDRBV.SYS
HKLM\system\controlset004\services\ovfsthwwkikbcjxorncyciqxexymdtebcopsex

Rogue.Component/Trace
HKU\S-1-5-21-1941580229-3488693924-3744079148-1006\Software\Microsoft\FIAS4057

Trojan.Downloader-Gen/Temp
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#Windows Resurections [ C:\WINDOWS\TEMP\se3mwjv7.exe ]
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#Windows Resurections [ C:\WINDOWS\TEMP\se3mwjv7.exe ]
suzdream
Joined: May 02, 2009
Posts: 9
PostPosted: Sat May 02, 2009 3:16 am    Post subject: Panda Scan

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-05-01 23:54:53
PROTECTIONS: 2
MALWARE: 3
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.5 Yes Yes
AntiVir Desktop 9.0.1.26 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\ovfsthaqdtccpwfpgqvfsixtnafqurhtisecqs.dll
05466532 Adware/SystemGuard2009 Adware No 0 Yes No C:\WINDOWS\system32\ovfsthnhfgmpxtovnwtmidtkdgjfnfmxowtrxe.dll
05484535 Adware/SystemGuard2009 Adware No 0 Yes No C:\WINDOWS\system32\ovfsthjgvfyxetkvwyiutjioedemtgnyrdysjc.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
greyknight17
Joined: Feb 03, 2003
Posts: 5674
Location: Brooklyn, NY
PostPosted: Sat May 02, 2009 9:36 am    Post subject:

Welcome to Lockergnome.

Did you tell SUPERAntiSpyware to remove everything it found?

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\RunOnce: [PixelInstall] 
O4 - HKLM\..\RunOnce: [Reboot] 
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\se3mwjv7.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\dezifamu.dll c:\windows\system32\ c:\windows\system32\japanupa.dll


Download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes
    explorer
    :Files
    C:\WINDOWS\TEMP\se3mwjv7.exe
    C:\WINDOWS\system32\dezifamu.dll
    c:\windows\system32\japanupa.dll
    C:\WINDOWS\system32\ovfsthaqdtccpwfpgqvfsixtnafqurhtisecqs.dll
    C:\WINDOWS\system32\ovfsthnhfgmpxtovnwtmidtkdgjfnfmxowtrxe.dll
    C:\WINDOWS\system32\ovfsthjgvfyxetkvwyiutjioedemtgnyrdysjc.dll
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.

  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
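A defender-side way to automate the triage the helper did by eye on the HijackThis log above, written here as an added example (it is not from the original thread, and it is not a HijackThis or Lockergnome tool): it parses the O4 and O20 lines and flags the same patterns the helper marked for fixing, namely an autorun value with an empty name, an autorun that launches from a Temp folder, a RunOnce value that carries no command, and a populated AppInit_DLLs list. The sample lines are copied from the log in the first post with two benign lines added for contrast; the four rules are my own heuristics, not HijackThis detection logic, and a hit means "review this line", not "this is malware".

```python
import re
from typing import Dict, List

# Constructed sample: the lines the helper asked to fix in the HijackThis log above,
# plus two benign lines from the same log so the rules have something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [PixelInstall] 
O4 - HKLM\..\RunOnce: [Reboot] 
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\se3mwjv7.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\dezifamu.dll c:\windows\system32\ c:\windows\system32\japanupa.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

# O4 registry autoruns look like "O4 - <hive>\..\<Run|RunOnce|...>: [<name>] <command>".
# Startup-folder O4 lines ("O4 - Startup: ...") have no bracketed name and are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Only the AppInit_DLLs flavour of O20 is examined; Winlogon Notify lines are left alone.
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
# HijackThis appends "(User 'SYSTEM')" to HKUS entries; strip it before inspecting the command.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


def triage_line(line: str) -> List[str]:
    """Return the review reasons (possibly none) for a single HijackThis line.

    The heuristics are assumptions chosen to mirror the helper's picks above,
    not rules shipped with HijackThis.
    """
    line = line.rstrip()
    reasons: List[str] = []
    m = O4_RE.match(line)
    if m:
        cmd = USER_SUFFIX_RE.sub("", m.group("cmd")).strip()
        if m.group("name") == "":
            reasons.append("autorun value has an empty name")
        if cmd == "":
            reasons.append("%s value carries no command" % m.group("key"))
        if "\\temp\\" in cmd.lower():
            reasons.append("autorun launches from a Temp directory")
        return reasons
    m = O20_APPINIT_RE.match(line)
    if m:
        # Keep only tokens that name a DLL; a bare directory (as in the log above) is noise.
        dlls = [p for p in m.group("dlls").split() if p.lower().endswith(".dll")]
        if dlls:
            reasons.append(
                "AppInit_DLLs lists %d DLL(s); each is loaded into every process that loads user32.dll"
                % len(dlls)
            )
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Run triage_line over a whole log and keep only the lines that drew a reason."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append({"line": line.rstrip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
```

On the sample the script reports exactly the four lines the helper listed and stays silent on the Windows Defender and Winlogon Notify lines. A real log would need more rules (unsigned binaries, random-looking file names like the ovfsth* entries in the other scans), so treat this as a starting point for a triage checklist rather than a verdict.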
suzdream
Joined: May 02, 2009
Posts: 9
PostPosted: Sat May 02, 2009 2:21 pm    Post subject:

Thank you very much for your speedy reply. You are awesome!
I did tell SUPERAntiSpyware to remove everything it found. I tried my best to follow the instructions tutorial to the letter. (Thank you for it as well, it was very easy to follow.)

This is the first log, I am going to start the next step after I post this.



========== PROCESSES ==========
Unable to kill process: explorer
========== FILES ==========
File/Folder C:\WINDOWS\TEMP\se3mwjv7.exe not found.
File/Folder C:\WINDOWS\system32\dezifamu.dll not found.
File/Folder c:\windows\system32\japanupa.dll not found.
File/Folder C:\WINDOWS\system32\ovfsthaqdtccpwfpgqvfsixtnafqurhtisecqs.dll not found.
File/Folder C:\WINDOWS\system32\ovfsthnhfgmpxtovnwtmidtkdgjfnfmxowtrxe.dll not found.
File/Folder C:\WINDOWS\system32\ovfsthjgvfyxetkvwyiutjioedemtgnyrdysjc.dll not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Client\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_10c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_740.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\TMP00000091DF7B510BD0556048 scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05022009_121326

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_10c.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_740.dat not found!
File C:\WINDOWS\temp\TMP00000091DF7B510BD0556048 not found!
suzdream
Joined: May 02, 2009
Posts: 9
PostPosted: Sat May 02, 2009 2:33 pm    Post subject: Question

I have one quick question before I run the combofix program.

I am trying to install it, and I closed what I thought was all the anti virus software I have, but I get a pop up asking me to close AVG Anti-Virus Free, but it is not in my system tray.
I have several processes running that have avg in them in Windows Task Manager, but I didn't want to kill processes that might not be related to the correct program.
Can you help me with this please whenever you have time. I will be back tomorrow so don't make me high priority if you have a busy day ahead of you.
I don't mind listing all the processes that have avg in them if it makes it easier as well.

Thank you very much.
greyknight17
Joined: Feb 03, 2003
Posts: 5674
Location: Brooklyn, NY
PostPosted: Sun May 03, 2009 9:22 am    Post subject:

You may proceed to run ComboFix even with AVG running. Ignore the message in this case as it doesn't seem to interfere with the fix.
suzdream
Joined: May 02, 2009
Posts: 9
PostPosted: Mon May 04, 2009 3:18 pm    Post subject: ComboFix log

Thank you very much for all of your help.

Here is my ComboFix log:

ComboFix 09-05-02.4 - Client 05/04/2009 13:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.453 [GMT -6:00]
Running from: c:\documents and settings\Client\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lmppcsetup.exe
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-05-02 18:13 . 2009-05-02 18:13 -------- d-----w C:\_OTMoveIt
2009-05-02 08:04 . 2009-05-02 08:04 -------- d-----w c:\program files\Deqq
2009-05-01 23:27 . 2009-05-01 23:27 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-01 23:27 . 2009-05-01 23:27 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-01 23:27 . 2009-05-01 23:27 -------- d-----w c:\documents and settings\Client\Application Data\SUPERAntiSpyware.com
2009-05-01 23:27 . 2009-05-01 23:27 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-01 14:54 . 2008-06-19 22:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-01 14:53 . 2009-05-01 14:53 -------- d-----w c:\program files\Panda Security
2009-04-30 22:53 . 2009-04-30 22:54 -------- d-----w C:\Rooter$
2009-04-30 13:47 . 2009-04-30 13:47 -------- d-----w c:\program files\ERUNT
2009-04-30 13:11 . 2009-05-01 20:27 -------- d-----w c:\program files\SpywareBlaster
2009-04-30 13:00 . 2009-04-30 22:34 43040 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-30 13:00 . 2009-04-30 22:34 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-30 12:55 . 2009-04-30 13:43 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-30 12:55 . 2009-04-30 13:43 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-30 12:54 . 2009-04-30 12:54 -------- d-----w c:\documents and settings\Client\Local Settings\Application Data\Downloaded Installations
2009-04-30 12:50 . 2009-04-30 12:51 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-04-29 05:11 . 2009-04-07 03:46 161816 ----a-w c:\windows\RegGenieOnUninstall.exe
2009-04-29 05:11 . 2009-04-29 05:20 -------- d-----w c:\program files\RegGenie
2009-04-29 05:01 . 2009-04-29 05:01 -------- d-----w c:\documents and settings\Client\Application Data\Uniblue
2009-04-29 04:25 . 2009-04-29 23:09 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-29 04:25 . 2009-04-29 04:25 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-29 04:25 . 2009-04-29 04:25 -------- d-----w c:\program files\Avira
2009-04-29 03:48 . 2009-04-29 03:48 -------- d-----w c:\documents and settings\Client\Application Data\Malwarebytes
2009-04-29 03:48 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 03:47 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 03:47 . 2009-04-29 03:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 03:47 . 2009-04-29 03:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 03:08 . 2009-04-29 03:32 -------- d-----w c:\windows\system32\NtmsData
2009-04-29 02:56 . 2009-05-01 12:58 -------- d-----w C:\VundoFix Backups
2009-04-29 02:22 . 2009-04-29 02:22 -------- d-----w c:\program files\CCleaner
2009-04-29 01:01 . 2009-05-02 06:06 -------- d--h--w C:\$AVG8.VAULT$
2009-04-29 00:53 . 2009-05-02 15:56 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-29 00:53 . 2009-05-02 15:55 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-29 00:53 . 2009-05-02 15:56 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-29 00:52 . 2009-05-04 18:48 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-29 00:52 . 2009-04-30 12:45 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-29 00:50 . 2009-04-29 00:52 -------- d-----w c:\program files\AVG
2009-04-26 08:58 . 2009-05-01 23:23 43 ----a-w c:\windows\system32\ovfsthiriydvyepmnyxibactaqvobatnhafeyn.dat
2009-04-26 08:57 . 2009-05-02 00:23 100520 ----a-w c:\windows\system32\ovfsthqpqlymqgexkjouqdspoqjdskklvvscvd.dat
2009-04-25 17:58 . 2009-04-25 17:58 -------- d-----w c:\windows\system32\scripting
2009-04-25 17:58 . 2009-04-25 17:58 -------- d-----w c:\windows\l2schemas
2009-04-25 17:58 . 2009-04-25 17:58 -------- d-----w c:\windows\system32\en
2009-04-25 17:58 . 2009-04-25 17:58 -------- d-----w c:\windows\system32\bits
2009-04-25 17:53 . 2009-04-25 17:53 -------- d-----w c:\windows\ServicePackFiles
2009-04-24 21:29 . 2009-04-24 21:29 -------- d-----w c:\documents and settings\Client\Application Data\Deqq.6E12BA9B5579BABF8D4BCA34B1BCCDED81CFF4D9.1
2009-04-24 18:41 . 2009-04-24 18:41 -------- d-----w c:\program files\Fiddler2
2009-04-16 03:30 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 03:30 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 20:00 . 2009-04-10 20:00 -------- d-----w c:\program files\iPod
2009-04-10 20:00 . 2009-04-10 20:00 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 20:00 . 2009-04-10 20:00 -------- d-----w c:\program files\iTunes
2009-04-10 19:58 . 2009-04-10 19:58 -------- d-----w c:\program files\Bonjour
2009-04-10 19:57 . 2009-04-10 19:58 -------- d-----w c:\program files\QuickTime
2009-04-10 19:55 . 2009-03-26 21:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 19:09 . 2007-01-12 21:22 330 ---ha-w c:\windows\Tasks\MP Scheduled Scan.job
2009-05-04 19:08 . 2009-02-28 20:20 -------- d-----w c:\program files\DNA
2009-05-04 19:06 . 2007-01-25 20:29 12913 ----a-w c:\windows\system32\tablet.dat
2009-05-04 19:06 . 2004-08-07 13:19 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 18:21 . 2007-01-12 21:20 68136 ----a-w c:\documents and settings\Client\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 04:58 . 2007-01-12 23:22 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-05-02 00:21 . 2009-04-30 13:06 444 ----a-w c:\windows\Tasks\ParetoLogic Registration.job
2009-04-30 22:34 . 2009-04-30 13:00 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-30 22:34 . 2009-04-30 13:00 1652 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-26 07:46 . 2009-02-14 23:44 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-25 18:02 . 2004-08-07 13:12 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-10 20:00 . 2009-01-05 04:24 -------- d-----w c:\program files\Common Files\Apple
2009-04-04 02:24 . 2009-04-04 02:24 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-26 21:23 . 2009-01-05 04:24 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-19 22:32 . 2009-01-05 04:26 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 02:10 . 2007-01-08 19:02 -------- d-----w c:\program files\Common Files\Adobe
2009-03-18 02:09 . 2009-03-18 02:09 -------- d-----w c:\program files\Adobe Media Player
2009-03-18 02:01 . 2009-03-18 02:01 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-17 21:50 . 2009-03-17 21:50 454656 ----a-w c:\windows\system32\putty.exe
2009-03-09 03:00 . 2009-03-09 03:00 -------- d-----w c:\program files\ImgBurn
2009-03-08 19:22 . 2006-07-07 09:42 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 19:22 . 2009-03-08 19:22 -------- d-----w c:\program files\GPSoftware
2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 08:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 22:57 . 2009-02-09 22:57 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-09 12:10 . 2004-08-04 08:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 08:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 08:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 08:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 08:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 08:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 08:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-28 321344]
"DOpus"="c:\program files\GPSoftware\Directory Opus\dopus.exe" [2009-03-06 7173616]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2009-03-06 280048]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-06 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Client\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-1-8 184320]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2007-1-25 114688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\GPSoftware\Directory Opus\dopuslib.dll" [2009-03-06 714224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 15:56 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kurzweil Educational Systems\\Kurzweil 3000\\Kurzweil 3000.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-02 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-02 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-04-28 72944]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-29 108289]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-05-02 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-02 298776]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-04-06 88192]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-10-21 36352]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e4cc8d0-0c16-11de-a697-00170849d9fd}]
\Shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Client\Application Data\Mozilla\Firefox\Profiles\rins1453.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 13:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????`_??????n??|?????? ??4B??????????????hB? ???`_?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3256)
c:\program files\Kurzweil Educational Systems\Kurzweil 3000\Apps\KESIBand.dll
c:\program files\GPSoftware\Directory Opus\dopushlp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\windows\system32\msdtc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\windows\system32\Tablet.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-04 13:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 19:19

Pre-Run: 6,549,508,096 bytes free
Post-Run: 6,441,242,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
273 --- E O F --- 2009-04-30 22:29
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Tue May 05, 2009 11:44 am    Post subject:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
File::
c:\windows\system32\ovfsthiriydvyepmnyxibactaqvobatnhafeyn.dat
c:\windows\system32\ovfsthqpqlymqgexkjouqdspoqjdskklvvscvd.dat

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far?
suzdream



Joined: May 02, 2009
Posts: 9



PostPosted: Tue May 05, 2009 2:11 pm    Post subject:

I ran the instructions that you gave me.

Google is still redirecting me to incorrect sites, but my memory card reader is now showing up in my computer again! That alone makes me very happy!

Here is the log:

ComboFix 09-05-02.4 - Client 05/05/2009 11:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.608 [GMT -6:00]
Running from: c:\documents and settings\Client\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Client\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

FILE ::
c:\windows\system32\ovfsthiriydvyepmnyxibactaqvobatnhafeyn.dat
c:\windows\system32\ovfsthqpqlymqgexkjouqdspoqjdskklvvscvd.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ovfsthiriydvyepmnyxibactaqvobatnhafeyn.dat
c:\windows\system32\ovfsthqpqlymqgexkjouqdspoqjdskklvvscvd.dat

.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-04 20:55 . 2009-05-04 20:55 -------- d-----w c:\program files\Deqq
2009-05-02 18:13 . 2009-05-02 18:13 -------- d-----w C:\_OTMoveIt
2009-05-01 23:27 . 2009-05-01 23:27 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-01 23:27 . 2009-05-01 23:27 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-01 23:27 . 2009-05-01 23:27 -------- d-----w c:\documents and settings\Client\Application Data\SUPERAntiSpyware.com
2009-05-01 23:27 . 2009-05-01 23:27 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-01 14:54 . 2008-06-19 22:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-01 14:53 . 2009-05-01 14:53 -------- d-----w c:\program files\Panda Security
2009-04-30 22:53 . 2009-04-30 22:54 -------- d-----w C:\Rooter$
2009-04-30 13:47 . 2009-04-30 13:47 -------- d-----w c:\program files\ERUNT
2009-04-30 13:11 . 2009-05-01 20:27 -------- d-----w c:\program files\SpywareBlaster
2009-04-30 13:00 . 2009-04-30 22:34 43040 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-30 13:00 . 2009-04-30 22:34 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-30 12:55 . 2009-04-30 13:43 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-30 12:55 . 2009-04-30 13:43 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-30 12:54 . 2009-04-30 12:54 -------- d-----w c:\documents and settings\Client\Local Settings\Application Data\Downloaded Installations
2009-04-30 12:50 . 2009-04-30 12:51 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-04-29 05:11 . 2009-04-07 03:46 161816 ----a-w c:\windows\RegGenieOnUninstall.exe
2009-04-29 05:11 . 2009-04-29 05:20 -------- d-----w c:\program files\RegGenie
2009-04-29 05:01 . 2009-04-29 05:01 -------- d-----w c:\documents and settings\Client\Application Data\Uniblue
2009-04-29 04:25 . 2009-04-29 23:09 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-29 04:25 . 2009-04-29 04:25 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-29 04:25 . 2009-04-29 04:25 -------- d-----w c:\program files\Avira
2009-04-29 03:48 . 2009-04-29 03:48 -------- d-----w c:\documents and settings\Client\Application Data\Malwarebytes
2009-04-29 03:48 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 03:47 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 03:47 . 2009-04-29 03:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 03:47 . 2009-04-29 03:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 03:08 . 2009-04-29 03:32 -------- d-----w c:\windows\system32\NtmsData
2009-04-29 02:56 . 2009-05-01 12:58 -------- d-----w C:\VundoFix Backups
2009-04-29 02:22 . 2009-04-29 02:22 -------- d-----w c:\program files\CCleaner
2009-04-29 01:01 . 2009-05-02 06:06 -------- d--h--w C:\$AVG8.VAULT$
2009-04-29 00:53 . 2009-05-02 15:56 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-29 00:53 . 2009-05-02 15:55 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-29 00:53 . 2009-05-02 15:56 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-29 00:52 . 2009-05-05 17:54 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-29 00:52 . 2009-04-30 12:45 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-29 00:50 . 2009-04-29 00:52 -------- d-----w c:\program files\AVG
2009-04-25 17:58 . 2009-04-25 17:58 -------- d-----w c:\windows\system32\scripting
2009-04-25 17:58 . 2009-04-25 17:58 -------- d-----w c:\windows\l2schemas
2009-04-25 17:58 . 2009-04-25 17:58 -------- d-----w c:\windows\system32\en
2009-04-25 17:58 . 2009-04-25 17:58 -------- d-----w c:\windows\system32\bits
2009-04-25 17:53 . 2009-04-25 17:53 -------- d-----w c:\windows\ServicePackFiles
2009-04-24 21:29 . 2009-04-24 21:29 -------- d-----w c:\documents and settings\Client\Application Data\Deqq.6E12BA9B5579BABF8D4BCA34B1BCCDED81CFF4D9.1
2009-04-24 18:41 . 2009-04-24 18:41 -------- d-----w c:\program files\Fiddler2
2009-04-16 03:30 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 03:30 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 20:00 . 2009-04-10 20:00 -------- d-----w c:\program files\iPod
2009-04-10 20:00 . 2009-04-10 20:00 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 20:00 . 2009-04-10 20:00 -------- d-----w c:\program files\iTunes
2009-04-10 19:58 . 2009-04-10 19:58 -------- d-----w c:\program files\Bonjour
2009-04-10 19:57 . 2009-04-10 19:58 -------- d-----w c:\program files\QuickTime
2009-04-10 19:55 . 2009-03-26 21:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 17:58 . 2004-08-07 13:19 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-05 08:02 . 2007-01-12 21:22 330 ---ha-w c:\windows\Tasks\MP Scheduled Scan.job
2009-05-05 01:01 . 2009-04-30 13:06 444 ----a-w c:\windows\Tasks\ParetoLogic Registration.job
2009-05-04 19:08 . 2009-02-28 20:20 -------- d-----w c:\program files\DNA
2009-05-04 19:06 . 2007-01-25 20:29 12913 ----a-w c:\windows\system32\tablet.dat
2009-05-02 18:21 . 2007-01-12 21:20 68136 ----a-w c:\documents and settings\Client\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 04:58 . 2007-01-12 23:22 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-30 22:34 . 2009-04-30 13:00 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-30 22:34 . 2009-04-30 13:00 1652 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-26 07:46 . 2009-02-14 23:44 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-25 18:02 . 2004-08-07 13:12 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-10 20:00 . 2009-01-05 04:24 -------- d-----w c:\program files\Common Files\Apple
2009-04-04 02:24 . 2009-04-04 02:24 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-26 21:23 . 2009-01-05 04:24 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-19 22:32 . 2009-01-05 04:26 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 02:10 . 2007-01-08 19:02 -------- d-----w c:\program files\Common Files\Adobe
2009-03-18 02:09 . 2009-03-18 02:09 -------- d-----w c:\program files\Adobe Media Player
2009-03-18 02:01 . 2009-03-18 02:01 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-17 21:50 . 2009-03-17 21:50 454656 ----a-w c:\windows\system32\putty.exe
2009-03-09 03:00 . 2009-03-09 03:00 -------- d-----w c:\program files\ImgBurn
2009-03-08 19:22 . 2006-07-07 09:42 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 19:22 . 2009-03-08 19:22 -------- d-----w c:\program files\GPSoftware
2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 08:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 22:57 . 2009-02-09 22:57 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-09 12:10 . 2004-08-04 08:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 08:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 08:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 08:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 08:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 08:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 08:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 08:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot RemoveThis @2009-05-04_19.15.36 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-28 321344]
"DOpus"="c:\program files\GPSoftware\Directory Opus\dopus.exe" [2009-03-06 7173616]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2009-03-06 280048]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-06 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Client\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-1-8 184320]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2007-1-25 114688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\GPSoftware\Directory Opus\dopuslib.dll" [2009-03-06 714224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 15:56 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kurzweil Educational Systems\\Kurzweil 3000\\Kurzweil 3000.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-02 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-02 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-04-28 72944]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-29 108289]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-05-02 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-02 298776]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-04-06 88192]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-10-21 36352]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e4cc8d0-0c16-11de-a697-00170849d9fd}]
\Shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Client\Application Data\Mozilla\Firefox\Profiles\rins1453.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 12:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????`_??????n??|?????? ??4B??????????????hB? ???`_?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-05-05 12:03
ComboFix-quarantined-files.txt 2009-05-05 18:03
ComboFix2.txt 2009-05-04 19:19

Pre-Run: 6,368,169,984 bytes free
Post-Run: 6,350,831,616 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
239 --- E O F --- 2009-04-30 22:29
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Thu May 07, 2009 11:53 am    Post subject:

Download GooredFix and save it to your Desktop. Double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

See if that fixes the redirect issue.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
suzdream



Joined: May 02, 2009
Posts: 9



PostPosted: Thu May 07, 2009 8:52 pm    Post subject: Fixed thank you very much

That seems to fix the redirect problem. Thank you very much. I appreciate you donating your time to help.

Take care and you may close the topic if you wish.

GooredFix v1.92 by jpshortstuff
Log created at 18:30 on 07/05/2009 running Option #2 (Client)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{FFFD5F5A-33C8-4B4E-87F6-CF5430AFDD5A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Sat May 09, 2009 11:31 am    Post subject:

Glad that resolved the issue.

Topic locked since issue is resolved.