MalwareRemoval.com
Malware Removal Instructions

Redirected Browser and other maladies

Post by scabstermooch » January 12th, 2010, 5:07 am

Hello,

I am having some problems with internet surfing. My browser keeps being redirected to random sites when I either do a search or when I have clicked a link to go to another website. Sometimes a new tab to a random website appears; other times I get an ad with a "skip this advertisement" button that I need to click before I am directed to the page I wanted. I hope someone can help.

This is my HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:04, on 12/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\hp001\.COMMgr\complmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: gwprimawega - {94a8317b-0428-709f-1638-7f2a4035a795} - C:\Windows\system32\_-VF-HD_.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [{2E9D28CD-006A-4969-AB92-63DD74B4CA59}] "C:\Program Files\T-Mobile\Web'n'Walk Accelerator\bmoc" -d
O4 - HKLM\..\Run: [MCE CI Console] C:\Program Files\MCECIConsole\MCECIConsole.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [COM+ Manager] "C:\Users\hp001\.COMMgr\complmgr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: GB-PVR Tray.lnk = C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\Windows\system32\bmwebcfg.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GB-PVR Recording Service - WelltonWay - C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
O23 - Service: Google Update Service (gupdate1c9a03e2e8e1de0) (gupdate1c9a03e2e8e1de0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12778 bytes


Thank you.

Regards,

SM
scabstermooch
Active Member
Posts: 8
Joined: January 12th, 2010, 4:58 am
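The helpers on this forum read HijackThis and DDS logs by eye. As an added example that is not part of the thread and not one of the forum's tools, the Python script below applies a few of the checks a helper makes to lines copied from the two logs posted in this thread (the HijackThis log above and the DDS "Pseudo HJT Report" posted later): Image File Execution Options (IFEO) "Debugger" entries, which make Windows start the named target whenever the original executable is launched; a BHO whose DLL lives directly in \Windows\system32 rather than in a product folder; a BHO whose DLL is missing; a Run entry launched from a dot-directory inside the user profile; UAC switched off (EnableLUA = 0); and Winsock LSP entries. The severity labels and the heuristics are this editor's, not a verdict from the forum on the machine in the thread, and the regular expressions accept both the HijackThis "O2/O4/O10" prefixes and the shorter DDS prefixes.

```python
"""Triage heuristics for HijackThis and DDS "pseudo HJT" log lines.

Added example for this thread; not one of MalwareRemoval.com's tools and
not code from the forum. The sample lines are copied from the two logs
posted in the thread; the checks and severity labels are the editor's
heuristics, not a verdict on that machine.
"""
import re
from dataclasses import dataclass

# Lines copied verbatim from the HijackThis and DDS logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: gwprimawega - {94a8317b-0428-709f-1638-7f2a4035a795} - C:\Windows\system32\_-VF-HD_.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [COM+ Manager] "C:\Users\hp001\.COMMgr\complmgr.exe"
O10 - Unknown file in Winsock LSP: bmnet.dll
mPolicies-system: EnableLUA = 0 (0x0)
IFEO: chrome.exe - c:\program files\internet explorer\iexplore.exe
IFEO: navigator.exe - c:\program files\internet explorer\iexplore.exe
IFEO: opera.exe - c:\program files\internet explorer\iexplore.exe
IFEO: safari.exe - c:\program files\internet explorer\iexplore.exe
"""

# HijackThis "O2 - BHO:" and DDS "BHO:" lines: display name, CLSID, DLL path.
BHO_RE = re.compile(
    r"^(?:O2 - )?BHO:\s*(?P<name>.*?)\s*[-:]?\s*(?P<clsid>\{[0-9a-f-]{36}\})\s*-\s*(?P<path>.+?)\s*$",
    re.I,
)
# HijackThis "O4 - HK...\Run:" and DDS "uRun:/mRun:" autorun lines.
RUN_RE = re.compile(r"^(?:O4 - HK\S*Run:|[um]Run:)\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+?)\s*$", re.I)
# The executable at the front of a Run command, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|scr|com|bat|cmd|pif))(?=["\s]|$)', re.I)
# DDS IFEO line: "IFEO: <exe> - <debugger path>"; the debugger runs instead of <exe>.
IFEO_RE = re.compile(r"^IFEO:\s+(?P<exe>\S+)\s+-\s+(?P<target>.+?)\s*$", re.I)
LSP_RE = re.compile(r"^(?:O10 - Unknown file in Winsock LSP:|LSP:)\s*(?P<dll>\S+)", re.I)
UAC_OFF_RE = re.compile(r"^mPolicies-system:\s*EnableLUA\s*=\s*0\b", re.I)
# A DLL sitting directly in the Windows system directory, with no product folder.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\[^\\]+$", re.I)


@dataclass
class Finding:
    severity: str  # high / medium / low / info
    category: str
    detail: str
    line: str


def _exe_path(cmd: str) -> str:
    """Return the executable path at the front of a Run command."""
    m = EXE_RE.match(cmd)
    return m["path"] if m else cmd.strip('"').split()[0]


def _profile_flags(path: str):
    """(under a user profile?, passes through a dot-directory such as \\.COMMgr?)"""
    parts = path.lower().split("\\")
    in_profile = "users" in parts or "documents and settings" in parts
    dot_dir = any(p.startswith(".") and len(p) > 1 for p in parts[:-1])
    return in_profile, dot_dir


def triage(log_text: str) -> list:
    """Run the heuristics over every line of a pasted log and return Findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := IFEO_RE.match(line):
            findings.append(Finding("high", "ifeo-debugger",
                                    f"launching {m['exe']} starts {m['target']} instead", line))
        elif m := BHO_RE.match(line):
            path = m["path"]
            if path.lower() in ("(no file)", "no file"):
                findings.append(Finding("low", "bho-orphan",
                                        "BHO registered but its DLL is missing; remove the CLSID", line))
            elif SYSTEM_DIR_RE.match(path):
                findings.append(Finding("high", "bho-systemdir",
                                        "BHO DLL loaded straight from the Windows system directory", line))
        elif m := RUN_RE.match(line):
            exe = _exe_path(m["cmd"])
            in_profile, dot_dir = _profile_flags(exe)
            if in_profile and dot_dir:
                findings.append(Finding("high", "run-profile-dotdir",
                                        f"autorun from a dot-directory in the user profile: {exe}", line))
            elif in_profile:
                findings.append(Finding("medium", "run-profile",
                                        f"autorun from the user profile, verify the vendor: {exe}", line))
        elif UAC_OFF_RE.match(line):
            findings.append(Finding("medium", "uac-disabled",
                                    "EnableLUA=0: UAC is off, so installers and malware run fully elevated", line))
        elif m := LSP_RE.match(line):
            findings.append(Finding("info", "winsock-lsp",
                                    f"LSP {m['dll']} sits in the network stack; confirm which product owns it", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:18} {f.detail}")
```

Anything not flagged (the Skype and HP BHOs, the avast! Run entry) is simply outside these heuristics, not cleared; the script narrows what a human has to look at and nothing more.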

Re: Redirected Browser and other maladies

Post by MWR 3 day Mod » January 16th, 2010, 9:07 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic; DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Redirected Browser and other maladies

Post by jmw3 » January 23rd, 2010, 5:21 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections, which makes them much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or for you to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please do not wrap the logs in quote or code tags, as it makes them harder to read. Just copy/paste the contents of any logs requested directly into your reply.

Thanks

Disable Spybot's TeaTimer 1.5 & 1.6
  • If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol)
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy
  • Click on Mode > Advanced Mode. When it prompts you, click Yes
  • On the left hand side, click on Tools
  • Check this box if it is not yet ticked: Resident
  • You will notice that Resident is now added under Tools. Click on Resident
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active
  • Exit Spybot Search & Destroy
  • Restart your computer for the changes to take effect
Leave TeaTimer disabled until we're done here.

Disable Windows Defender until the computer is clean
Microsoft Defender normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean, then it can be re-enabled.
  • Open Windows Defender
  • Select Tools then Options
  • Scroll down to Real Time Protection Options & uncheck Use real-time protection (recommended)
  • Select Save
Don't forget to re-enable it, when your computer is clean.

DeFogger
Download DeFogger by jpshortstuff from here & save it to your desktop.
  • Right click DeFogger then choose Run as Administrator to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after, two logs will appear: DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Right click the .exe file then choose Run as Administrator to run the program. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Redirected Browser and other maladies

Post by scabstermooch » January 25th, 2010, 4:10 pm

Thanks for the help. These are the logs, as requested.

DDS.txt
DDS (Ver_09-12-01.01) - NTFSx86
Run by hp001 at 20:02:02.24 on 25/01/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.65.1033.18.2551.1514 [GMT 1:00]

AV: avast! antivirus 4.8.1296 [VPS 090104-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1296 [VPS 090104-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\bmwebcfg.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\T-Mobile\Web'n'Walk Accelerator\bmoc.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\T-Mobile\Web'n'Walk Accelerator\bmctl.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\WerCon.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\hp001\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=none&bd=smb&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=none&bd=smb&pf=laptop
uInternet Settings,ProxyServer = proxy.singnet.com.sg:8080
mWinlogon: Userinit=c:\windows\system32\userinit.exe,userinit.exe
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [Sidebar] c:\program files\windows sidebar\Sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SRS Audio Sandbox] "c:\program files\srs labs\audio sandbox\SRSSSC.exe" /hideme
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [{2E9D28CD-006A-4969-AB92-63DD74B4CA59}] "c:\program files\t-mobile\web'n'walk accelerator\bmoc" -d
mRun: [MCE CI Console] c:\program files\mceciconsole\MCECIConsole.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
StartupFolder: c:\users\hp001\appdata\roaming\micros~1\windows\startm~1\programs\startup\gb-pvr~1.lnk - c:\program files\devnz\gbpvr\GBPVRTray.exe
StartupFolder: c:\users\hp001\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winman~1.lnk - c:\program files\pc-tv\winmanager\WinManager.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: bmnet.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
IFEO: chrome.exe - c:\program files\internet explorer\iexplore.exe
IFEO: navigator.exe - c:\program files\internet explorer\iexplore.exe
IFEO: opera.exe - c:\program files\internet explorer\iexplore.exe
IFEO: safari.exe - c:\program files\internet explorer\iexplore.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\hp001\appdata\roaming\mozilla\firefox\profiles\f3t99l33.lee\
FF - prefs.js: browser.search.selectedEngine - Amazon.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\NPSWF32.dll
FF - plugin: c:\users\hp001\appdata\roaming\mozilla\firefox\profiles\f3t99l33.lee\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-27 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-27 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-10-27 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-10-27 138680]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-11 1153368]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-4-20 9216]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-10-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-10-27 352920]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2009-8-13 110592]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [2009-8-13 105344]
S2 gupdate1c9a03e2e8e1de0;Google Update Service (gupdate1c9a03e2e8e1de0);c:\program files\google\update\GoogleUpdate.exe [2009-3-8 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-28 21504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-4-9 7680]
S3 tiltmouse;Paten HID USB Filter Driver1;c:\windows\system32\drivers\MUsbFltr.sys [2008-3-24 9600]

=============== Created Last 30 ================

2010-01-25 18:55:14 188 ----a-w- c:\users\hp001\defogger_reenable
2010-01-21 21:06:32 268 ---ha-w- C:\sqmdata00.sqm
2010-01-21 21:06:32 244 ---ha-w- C:\sqmnoopt00.sqm
2010-01-17 11:39:17 0 d-----w- c:\programdata\Vodafone
2010-01-16 23:24:24 675152 ----a-w- c:\windows\system32\gpprefcl.dll
2010-01-16 23:24:22 28274 ----a-w- c:\windows\system32\wbem\polprocl.mof
2010-01-16 23:20:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-16 23:20:52 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-16 23:20:46 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-01-13 07:08:39 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-01-13 07:08:38 270848 ----a-w- c:\windows\system32\schannel.dll
2010-01-12 17:49:22 0 d-sh--w- c:\windows\system32\lowsec
2010-01-12 08:54:41 0 d-----w- c:\program files\Trend Micro
2010-01-11 22:10:27 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-11 22:10:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-10 22:21:24 0 d-----w- c:\program files\Enigma Software Group
2010-01-10 21:52:05 0 d-sh--w- c:\users\hp001\.COMMgr
2010-01-05 18:04:51 0 d-----w- c:\programdata\SRS Labs
2010-01-05 18:04:23 47360 ----a-w- c:\windows\system32\drivers\Surroundhp_kern_i386.sys
2010-01-05 18:04:23 47104 ----a-w- c:\windows\system32\drivers\tshd4_kern_i386.sys
2010-01-05 18:04:23 42112 ----a-w- c:\windows\system32\drivers\csiidecoder_kern_i386.sys
2010-01-05 18:04:23 39808 ----a-w- c:\windows\system32\drivers\SRS_SSCFilter_i386.sys
2010-01-05 18:04:23 32000 ----a-w- c:\windows\system32\drivers\wowhd_kern_i386.sys
2009-12-31 13:36:20 43 ----a-w- c:\windows\PCDNSetting.ini
2009-12-31 13:32:40 140 ----a-w- c:\windows\powerlist.ini
2009-12-31 13:32:39 60 ----a-w- c:\windows\MediaList.ini
2009-12-31 13:27:09 0 d-----w- c:\users\hp001\appdata\roaming\ppstream
2009-12-31 13:27:07 753 ----a-w- c:\windows\powerplayer.ini
2009-12-31 13:27:07 1276 ----a-w- c:\windows\psnetwork.ini
2009-12-31 13:27:05 0 d-----w- c:\program files\PPStream
2009-12-29 07:41:56 242347412 ----a-w- c:\windows\MEMORY.DMP
2009-12-27 14:14:25 0 d-----w- c:\program files\Garmin GPS Plugin
2009-12-27 14:02:53 0 d-----w- c:\programdata\GARMIN
2009-12-27 01:18:38 0 d-----w- c:\program files\Garmin

==================== Find3M ====================

2010-01-17 11:40:04 86016 ----a-w- c:\windows\inf\infpub.dat
2010-01-17 11:40:04 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-16 23:30:10 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-14 10:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-15 17:37:02 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-15 17:36:48 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-12-15 17:35:57 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2008-10-27 03:29:46 174 --sha-w- c:\program files\desktop.ini
2007-04-25 23:53:46 25088 ----a-w- c:\windows\inf\tap0901.sys
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 13:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
2009-07-05 02:02:37 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-07-05 02:02:37 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-07-05 02:02:37 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:06:01.51 ===============
Last edited by scabstermooch on January 25th, 2010, 4:19 pm, edited 1 time in total.
scabstermooch
Active Member
 
Posts: 8
Joined: January 12th, 2010, 4:58 am
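An added triage example, written for this page and not part of the thread or of any MalwareRemoval.com tool: a Python script that scans DDS-style log text for the two kinds of entry in the log above that deserve attention. The first is IFEO entries whose Debugger value names a different executable. A Debugger value under Image File Execution Options makes Windows start the named program, with the original image's command line appended, whenever the image is launched, so the chrome.exe, navigator.exe, opera.exe and safari.exe lines above all mean "starting that browser actually starts Internet Explorer". The second is directories created in the last 30 days with both the hidden and system attributes set (the d-sh--w- entries, such as c:\windows\system32\lowsec), an attribute pair that legitimate installers rarely use under system32 or a user profile. The sample log embedded in the script is constructed from lines of the DDS output above; the function names are assumptions of this example.

```python
"""Triage DDS-style log text for IFEO debugger redirects and hidden+system
directories.  Added example for this thread; not a MalwareRemoval.com tool,
and the function names are this example's own."""
import re
from typing import Dict, List

# Constructed sample: a handful of lines in the shape of the DDS output posted
# above (IFEO section, then a "Created Last 30" section).
SAMPLE_LOG = """\
IFEO: chrome.exe - c:\\program files\\internet explorer\\iexplore.exe
IFEO: navigator.exe - c:\\program files\\internet explorer\\iexplore.exe
IFEO: opera.exe - c:\\program files\\internet explorer\\iexplore.exe
IFEO: safari.exe - c:\\program files\\internet explorer\\iexplore.exe

=============== Created Last 30 ================

2010-01-12 17:49:22 0 d-sh--w- c:\\windows\\system32\\lowsec
2010-01-12 08:54:41 0 d-----w- c:\\program files\\Trend Micro
2010-01-10 21:52:05 0 d-sh--w- c:\\users\\hp001\\.COMMgr
2010-01-05 18:04:23 47360 ----a-w- c:\\windows\\system32\\drivers\\Surroundhp_kern_i386.sys
"""

# "IFEO: <image> - <debugger command>" as DDS prints it.
IFEO_RE = re.compile(r"^IFEO:\s+(?P<image>\S+)\s+-\s+(?P<debugger>.+?)\s*$")

# "<date> <time> <size> <attrs> <path>"; attrs is an 8-character field such as
# d-sh--w- (d=directory, s=system, h=hidden, a=archive, w/r=writable/read-only).
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)


def _basename(cmd: str) -> str:
    """First token of a command line, reduced to its lower-cased file name."""
    return cmd.replace("/", "\\").split("\\")[-1].split()[0].lower()


def find_ifeo_redirects(log: str) -> List[Dict[str, str]]:
    """IFEO entries whose Debugger value launches a different executable.

    Windows starts the Debugger program with the original image's command
    line appended, so "chrome.exe -> iexplore.exe" means every attempt to
    run Chrome runs Internet Explorer instead.  A browser is never a
    legitimate debugger.
    """
    hits: List[Dict[str, str]] = []
    for raw in log.splitlines():
        m = IFEO_RE.match(raw.strip())
        if not m:
            continue
        image = m.group("image").lower()
        debugger = m.group("debugger")
        if _basename(debugger) != image:
            hits.append({"image": image, "debugger": debugger})
    return hits


def find_hidden_system_dirs(log: str) -> List[str]:
    """Paths of newly created directories flagged both system and hidden.

    The attribute pair keeps a directory out of Explorer's default view;
    legitimate software rarely needs it under system32 or a user profile.
    """
    out: List[str] = []
    for raw in log.splitlines():
        m = CREATED_RE.match(raw.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        # positions: [0] d=directory, [2] s=system, [3] h=hidden
        if attrs[0] == "d" and attrs[2] == "s" and attrs[3] == "h":
            out.append(m.group("path"))
    return out


def triage(log: str) -> Dict[str, list]:
    """Run both checks and return the findings keyed by check name."""
    return {
        "ifeo_redirects": find_ifeo_redirects(log),
        "hidden_system_dirs": find_hidden_system_dirs(log),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

Run it against a saved DDS.txt by replacing SAMPLE_LOG with the file's contents; both checks are deliberately narrow (an exact image-name mismatch, and the d/s/h attribute positions DDS prints), so a hit is worth a look but still needs confirmation against the live registry key and directory before anything is deleted.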

Re: Redirected Browser and other maladies

Unread postby scabstermooch » January 25th, 2010, 4:12 pm

Attach.txt
-------
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume1
Install Date: 13/10/2007 15:46:06
System Uptime: 25/01/2010 19:57:05 (1 hours ago)

Motherboard: Hewlett-Packard | | 30D5
Processor: Intel(R) Core(TM) Duo CPU T2300 @ 1.66GHz | U10 | 1667/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 73 GiB total, 14.113 GiB free.
D: is CDROM (UDF)
E: is FIXED (NTFS) - 2 GiB total, 1.318 GiB free.
G: is CDROM (CDFS)
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0086
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #34
PNP Device ID: ROOT\*ISATAP\0086
Service: tunnel

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia 6300
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6300
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


µTorrent
2007 Microsoft Office system
32 Bit HP CIO Components Installer
AAC Decoder
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Photoshop CS
allTunes
Apple Software Update
Application Installer 4.00.B13
AutoUpdate
avast! Antivirus
AVIcodec (remove only)
BTOffer
BufferChm
Business Contact Manager for Outlook 2007 SP2
Chris' OFP Script Editor
Colonization for Windows - http://www.classic-gaming.net
Conexant HD Audio
Copy
D-i-v-X - AV Codec Pack (Pro) 1.1.0
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DigitalTV
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DivXLand Media Subtitler
DJ_AIO_03_F2200_ProductContext
DJ_AIO_03_F2200_Software
DJ_AIO_03_F2200_Software_Min
DocProc
DocProcQFolder
ESU for Microsoft Vista
European Matrix Test
F2200
F2200_Help
ffdshow [rev 610] [2006-12-01]
Foxit PDF Editor
Foxit Reader
Garmin MapSource
Garmin TOPO Deutschland v3
Garmin Trip and Waypoint Manager v5
Garmin USB Drivers
GB-PVR
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
Google Earth
Google Update Helper
H.264 Decoder
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Deskjet F2200 All-In-One Driver Software 10.0 Rel .3
HP Doc Viewer
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Help and Support
HP Imaging Device Functions 10.0
HP Notebook Accessories Product Tour
HP Photosmart Essential 2.5
HP Quick Launch Buttons 6.20 F1
HP Smart Web Printing
HP Update
HP User Guides 0077
HP Wireless Assistant
HPAsset component for HP Active Support Library
Intel(R) Graphics Media Accelerator Driver
Intel(R) Network Connections Drivers
InterVideo DVD Check
InterVideo Register Manager
InterVideo WinDVD
IrfanView (remove only)
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
K-Lite Mega Codec Pack 3.9.0
MFM-Garmin 091221
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Virtual PC 2007 SP1
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
MKV Splitter
Mozilla Firefox (3.5.7)
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NAVIGON Fresh 1.6.2
Nokia Connectivity Cable Driver
OCR Software by I.R.I.S. 10.0
OpenVPN 2.1_rc15
Opera 10.00
Paint.NET v3.10
PC Connectivity Solution
PPStream V2.6.86.8989 Final
Prince of Persia T2T
PSSWCORE
QuickTime
Real Alternative 1.9.0 Lite
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Express Labeler 3
Scan
ScreenCam
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype™ 3.6
SmartWebPrintingOC
SMPlayer 0.6.8
Sonic Activation Module
Spybot - Search & Destroy
Status
Subtitle Workshop 2.51
SUPER © Version 2008.bld.30 (Mar 22, 2008)
Synaptics Pointing Device Driver
System Requirements Lab
T-Mobile Web'n'Walk Accelerator
TELL ME MORE
Thief - Deadly Shadows
Toolbox
TrayApp
Tunatic
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb977839)
VC80CRTRedist - 8.0.50727.762
VideoToolkit01
Vista Default Settings
VLC media player 1.0.3
Vodafone Mobile Connect Lite
VoipStunt
VPNTunnel Client
web'n'walk USB manager
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Live installer
Windows Live Messenger
Windows Media Player Firefox Plugin
WinRAR archiver
ZC Video Converter 2.2.2.332
Zip Motion Block Video codec (Remove Only)

==== Event Viewer Messages From Past Week ========

25/01/2010 20:00:23, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.249.116.150 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.249.229.161 (The DHCP Server sent a DHCPNACK message).
25/01/2010 19:59:34, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
25/01/2010 19:52:16, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.249.209.176 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.249.116.149 (The DHCP Server sent a DHCPNACK message).
25/01/2010 19:44:16, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.249.200.77 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.249.209.177 (The DHCP Server sent a DHCPNACK message).
25/01/2010 12:56:08, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
24/01/2010 21:34:49, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.1 with the system having network hardware address 02-50-F3-00-00-00. Network operations on this system may be disrupted as a result.
24/01/2010 21:34:49, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.230.174.151 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.230.75.1 (The DHCP Server sent a DHCPNACK message).
24/01/2010 21:28:44, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer HP Deskjet F2200 series with shared resource name HP Deskjet F2200 series. Error 2114. The printer cannot be used by others on the network.
24/01/2010 21:25:28, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error: A system shutdown has already been scheduled.
24/01/2010 21:25:28, Error: Service Control Manager [7031] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
24/01/2010 21:25:28, Error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
24/01/2010 16:59:48, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.230.25.64 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.230.174.145 (The DHCP Server sent a DHCPNACK message).
24/01/2010 06:14:03, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error: A system shutdown has already been scheduled.
23/01/2010 19:52:33, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.230.223.9 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.230.157.149 (The DHCP Server sent a DHCPNACK message).
22/01/2010 16:57:08, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.230.40.251 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.249.211.106 (The DHCP Server sent a DHCPNACK message).
22/01/2010 13:53:48, Error: EventLog [6008] - The previous system shutdown at 1:51:35 PM on 22/1/2010 was unexpected.
21/01/2010 22:11:35, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.249.138.189 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.230.221.126 (The DHCP Server sent a DHCPNACK message).
21/01/2010 19:08:24, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.249.178.194 for the Network Card with network address 00A0C6000000 has been denied by the DHCP server 10.249.138.190 (The DHCP Server sent a DHCPNACK message).
21/01/2010 19:05:53, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the XAudioService service to connect.
21/01/2010 19:05:53, Error: Service Control Manager [7000] - The XAudioService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
21/01/2010 17:40:24, Error: EventLog [6008] - The previous system shutdown at 5:34:48 PM on 21/1/2010 was unexpected.
21/01/2010 17:31:04, Error: EventLog [6008] - The previous system shutdown at 5:29:06 PM on 21/1/2010 was unexpected.

==== End Of File ===========================
-----------------

GMER.Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-25 21:07:41
Windows 6.0.6002 Service Pack 2
Running: bcm5ijv1.exe; Driver: C:\Users\hp001\AppData\Local\Temp\pglcipog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 855E3841

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016411f4768
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA3 0x73 0xDA 0x89 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD6 0x0E 0xAB 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x71 0x65 0x7F 0x7C ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA3 0x73 0xDA 0x89 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD6 0x0E 0xAB 0xF5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x71 0x65 0x7F 0x7C ...

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Quick\{2BC8844E-974E-4C1D-B883-897E3EF073AB} 5778 bytes
File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
scabstermooch
Active Member
 
Posts: 8
Joined: January 12th, 2010, 4:58 am

Re: Redirected Browser and other maladies

Unread postby jmw3 » January 25th, 2010, 4:54 pm

Hi

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

First thing I would like you to do is to turn Word Wrap off in Notepad:
  • Open Notepad then on the Toolbar click Format
  • Make sure Word Wrap is unticked then close Notepad

MRU P2P Policy
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) & any other P2P programs.

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Right-click on ComboFix.exe then choose Run as Administrator & follow the prompts
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
ComboFix log
New HijackThis log
Update on how the computer is running
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Redirected Browser and other maladies

Unread postby scabstermooch » January 26th, 2010, 3:29 pm

Hello, thanks again for the help.

I would like to preface the logs by stating that I uninstalled uTorrent. However, I also uninstalled Spybot SnD and Avast Antivirus before running combofix and HiJackthis. I did that because despite disabling Avast by Stopping On-Access Protection, Combofix insisted that Avast was still running. I therefore decided to uninstall the two programs. I hope that is not a problem.

This is my Combofix log:

----------
ComboFix 10-01-26.01 - hp001 26/01/2010 19:57:57.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.65.1033.18.2551.1665 [GMT 1:00]
Running from: c:\users\hp001\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3404182026-1933030051-304193984-500
c:\$recycle.bin\S-1-5-21-734471015-3495249972-987241254-500
c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
C:\install.exe
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds

.
((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-26 19:09 . 2010-01-26 19:10 -------- d-----w- c:\users\hp001\AppData\Local\temp
2010-01-26 19:09 . 2010-01-26 19:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-26 19:09 . 2010-01-26 19:09 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-01-26 19:09 . 2010-01-26 19:09 -------- d-----w- c:\users\Guest Internet\AppData\Local\temp
2010-01-26 16:23 . 2010-01-26 18:14 -------- d-----w- c:\users\Guest Internet\AppData\Roaming\dvdcss
2010-01-26 16:23 . 2010-01-26 18:15 -------- d-----w- c:\users\Guest Internet\AppData\Roaming\vlc
2010-01-22 18:54 . 2010-01-23 23:01 -------- d-----w- c:\users\Guest Internet\AppData\Roaming\skypePM
2010-01-22 18:52 . 2010-01-24 05:15 -------- d-----w- c:\users\Guest Internet\AppData\Roaming\Skype
2010-01-17 11:39 . 2010-01-17 11:39 -------- d-----w- c:\programdata\Vodafone
2010-01-16 23:24 . 2009-06-03 23:56 675152 ----a-w- c:\windows\system32\gpprefcl.dll
2010-01-16 23:20 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-16 23:20 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-16 23:20 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-01-13 07:08 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-01-13 07:08 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2010-01-12 08:54 . 2010-01-12 08:54 -------- d-----w- c:\program files\Trend Micro
2010-01-11 22:10 . 2010-01-26 18:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-11 22:10 . 2010-01-26 18:42 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-10 22:21 . 2010-01-10 22:21 -------- d-----w- c:\program files\Enigma Software Group
2010-01-10 21:52 . 2010-01-21 16:49 -------- d-sh--w- c:\users\hp001\.COMMgr
2010-01-05 18:04 . 2010-01-05 18:04 -------- d-----w- c:\users\hp001\AppData\Local\SRS Labs
2010-01-05 18:04 . 2010-01-05 18:04 -------- d-----w- c:\programdata\SRS Labs
2010-01-05 18:04 . 2007-07-26 01:25 39808 ----a-w- c:\windows\system32\drivers\SRS_SSCFilter_i386.sys
2010-01-05 18:04 . 2007-07-26 01:25 42112 ----a-w- c:\windows\system32\drivers\csiidecoder_kern_i386.sys
2010-01-05 18:04 . 2007-07-26 01:25 47360 ----a-w- c:\windows\system32\drivers\Surroundhp_kern_i386.sys
2010-01-05 18:04 . 2007-07-26 01:25 47104 ----a-w- c:\windows\system32\drivers\tshd4_kern_i386.sys
2010-01-05 18:04 . 2007-07-26 01:25 32000 ----a-w- c:\windows\system32\drivers\wowhd_kern_i386.sys
2009-12-31 13:27 . 2009-12-31 13:37 -------- d-----w- c:\users\hp001\AppData\Roaming\ppstream
2009-12-31 13:27 . 2009-12-31 13:33 -------- d-----w- c:\program files\PPStream

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 18:42 . 2006-11-09 21:07 12 ----a-w- c:\windows\bthservsdp.dat
2010-01-25 22:17 . 2007-10-19 20:25 -------- d-----w- c:\users\hp001\AppData\Roaming\uTorrent
2010-01-22 15:03 . 2008-04-18 10:03 -------- d-----w- c:\users\hp001\AppData\Roaming\skypePM
2010-01-22 14:22 . 2008-04-18 10:01 -------- d-----w- c:\users\hp001\AppData\Roaming\Skype
2010-01-22 12:53 . 2008-05-21 05:03 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-18 16:48 . 2009-12-19 10:55 -------- d-----w- c:\users\hp001\AppData\Roaming\vlc
2010-01-17 12:42 . 2009-06-05 18:10 -------- d-----w- c:\users\hp001\AppData\Roaming\dvdcss
2010-01-16 23:31 . 2007-05-31 16:59 -------- d-----w- c:\programdata\Microsoft Help
2010-01-16 23:28 . 2007-05-31 16:23 -------- d-----w- c:\program files\CONEXANT
2010-01-16 23:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-14 18:07 . 2007-05-31 16:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-14 17:46 . 2007-05-31 16:54 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-14 10:12 . 2009-10-03 00:10 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 08:21 . 2009-12-15 04:49 -------- d-----w- c:\program files\SlySoft
2010-01-07 04:29 . 2009-01-09 20:35 680 ----a-w- c:\users\hp001\AppData\Local\d3d9caps.dat
2009-12-27 14:14 . 2009-12-27 14:14 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-12-27 14:02 . 2009-12-27 14:02 -------- d-----w- c:\programdata\GARMIN
2009-12-27 01:33 . 2009-10-17 14:33 -------- d-----w- c:\users\hp001\AppData\Roaming\GARMIN
2009-12-27 01:19 . 2007-10-14 01:22 -------- d-----w- c:\program files\DIFX
2009-12-27 01:18 . 2009-12-27 01:18 -------- d-----w- c:\program files\Garmin
2009-12-25 10:59 . 2009-12-25 10:59 -------- d-----w- c:\program files\SMPlayer
2009-12-25 01:05 . 2007-10-13 14:10 -------- d-----w- c:\program files\Google
2009-12-21 16:13 . 2009-12-21 16:13 -------- d-----w- c:\program files\Windows Live
2009-12-21 16:13 . 2009-12-21 16:13 -------- d-----w- c:\programdata\WindowsLiveInstaller
2009-12-21 16:13 . 2009-12-21 16:13 -------- d-----w- c:\programdata\WLInstaller
2009-12-21 16:05 . 2009-12-21 16:05 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-19 10:55 . 2009-12-19 10:55 -------- d-----w- c:\program files\VideoLAN
2009-12-15 17:37 . 2009-12-15 17:37 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-15 17:37 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-15 17:36 . 2009-12-15 17:36 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-12-15 17:35 . 2009-12-15 17:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-15 04:55 . 2009-12-15 04:55 -------- d-----w- c:\programdata\SlySoft
2009-11-21 06:40 . 2009-12-15 17:19 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-15 17:19 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-15 17:19 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-15 17:19 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 12:31 . 2009-12-15 17:25 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-15 17:25 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-15 17:25 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-05 04:26 . 2009-12-27 12:22 11221864 ----a-w- c:\users\hp001\AppData\Roaming\Mozilla\Firefox\Profiles\f3t99l33.Lee\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
2009-11-02 19:10 . 2008-10-19 16:34 101480 ----a-w- c:\users\Guest Internet\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-29 09:17 . 2009-12-15 17:32 2048 ----a-w- c:\windows\system32\tzres.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 10:06 . 2008-05-18 20:32 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2008-05-18 20:32 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 . 2008-05-18 20:32 27648 --sh--w- c:\windows\System32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1233920]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-05-17 5729136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{2E9D28CD-006A-4969-AB92-63DD74B4CA59}"="c:\program files\T-Mobile\Web'n'Walk Accelerator\bmoc -d" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-04-12 163840]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-09-06 184320]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-13 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-13 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-13 129560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-04-20 2327552]

c:\users\hp001\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
GB-PVR Tray.lnk - c:\program files\Devnz\GBPVR\GBPVRTray.exe [2008-11-2 110592]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-17 113664]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-10-13 184320]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
WinManager.lnk - c:\program files\PC-TV\WinManager\WinManager.exe [2008-11-23 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-03-07 19:15 50696 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):72,28,55,df,50,e8,c9,01

R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [20/04/2009 17:20 9216]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17/11/2008 15:40 3668480]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\System32\drivers\ZTEusbnet.sys [13/08/2009 16:54 110592]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\System32\drivers\zteusbvoice.sys [13/08/2009 16:54 105344]
S2 gupdate1c9a03e2e8e1de0;Google Update Service (gupdate1c9a03e2e8e1de0);c:\program files\Google\Update\GoogleUpdate.exe [08/03/2009 23:35 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [28/05/2008 20:01 21504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\System32\drivers\massfilter.sys [09/04/2009 13:38 7680]
S3 tiltmouse;Paten HID USB Filter Driver1;c:\windows\System32\drivers\MUsbFltr.sys [24/03/2008 15:33 9600]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [23/03/2008 20:39 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 22:35]

2010-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 22:35]

2010-01-26 c:\windows\Tasks\User_Feed_Synchronization-{8F5574C4-D5CA-4D87-BC75-D228C92DE391}.job
- c:\windows\system32\msfeedssync.exe [2009-12-15 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyServer = proxy.singnet.com.sg:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
FF - ProfilePath - c:\users\hp001\AppData\Roaming\Mozilla\Firefox\Profiles\f3t99l33.Lee\
FF - prefs.js: browser.search.selectedEngine - Amazon.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\NPSWF32.dll
FF - plugin: c:\users\hp001\AppData\Roaming\Mozilla\Firefox\Profiles\f3t99l33.Lee\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
HKCU-Run-SRS Audio Sandbox - c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe
HKLM-Run-MCE CI Console - c:\program files\MCECIConsole\MCECIConsole.exe
MSConfigStartUp-Google Update - c:\users\hp001\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-QvodPlayer - c:\program files\QvodPlayer\QvodPlayer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 20:10
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x855E5841]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x897abd24
\Driver\ACPI -> acpi.sys @ 0x82c9cd68
\Driver\atapi -> ataport.SYS @ 0x82de5a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-26 20:16:01
ComboFix-quarantined-files.txt 2010-01-26 19:15

Pre-Run: 15,436,115,968 bytes free
Post-Run: 15,681,564,672 bytes free

- - End Of File - - ADD7FB22211C81C8CFD7A5AD46B1469D
-----------------

This is my HijackThis Log

-------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:19:45, on 26/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PC-TV\WinManager\WinManager.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\WerCon.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [{2E9D28CD-006A-4969-AB92-63DD74B4CA59}] "C:\Program Files\T-Mobile\Web'n'Walk Accelerator\bmoc" -d
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: GB-PVR Tray.lnk = C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\Windows\system32\bmwebcfg.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GB-PVR Recording Service - WelltonWay - C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
O23 - Service: Google Update Service (gupdate1c9a03e2e8e1de0) (gupdate1c9a03e2e8e1de0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7958 bytes

--------------------------


In terms of how the computer is running, I noticed, upon reconnecting to the internet, that Firefox is no longer the default browser. However, upon surfing the net, it was not long before a new, unsolicited window opened by itself.

Thanks again.
scabstermooch

Re: Redirected Browser and other maladies

Unread postby jmw3 » January 26th, 2010, 7:37 pm

Hi
I also uninstalled Spybot SnD and Avast Antivirus before running combofix and HiJackthis.
That's fine.

I noticed, upon reconnecting to the internet that Firefox is no longer the default browser.
ComboFix resets a lot of Windows settings back to default. That would be the reason Firefox is no longer the default browser. Change it back if you want, however we will be running ComboFix once more.

TDSSKiller
Download TDSSKiller.zip by Kaspersky Lab from Here & save it to your desktop.
  • Extract (unzip) its contents to your Desktop
  • Double-click the TDSSKiller Folder on your desktop
  • Right-click on TDSSKiller.exe then click Copy then Paste it directly to your Desktop <<--- Important!
  • Highlight then copy all the text (including the quote marks) in the box below
Code:
"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"

  • Click Start >> Run. Paste the (above) copied text, into the opened text box then click OK
TDSSKiller will prompt to reboot the PC, to complete the disinfection procedure, if malicious files or services were found
Please reboot if prompted.
After reboot, TDSSKiller will delete malicious registry keys and files, as well as remove itself from the services list.
When finished, a log file should be created on your desktop named tdsskiller.txt. Copy the contents of the log & post in your next reply.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
Folder::
c:\users\hp001\AppData\Roaming\uTorrent
DDS::
uStart Page = about:blank
uInternet Settings,ProxyServer = proxy.singnet.com.sg:8080
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
Reglock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
TDSSKiller log
ComboFix log
Update on how the computer is running
jmw3
MRU Emeritus
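The post above asks for the TDSSKiller log to be pasted back. As an added example (not code from either poster and not Kaspersky's own code), here is a small Python triage script for that log. It assumes the TDSSKiller 2.x line format that appears later in this thread ("HH:MM:SS:mmm PID message"), including the records TDSSKiller writes without a trailing newline so that two records land on one physical line, and it assumes a driver object has 27 IRP major-function dispatch slots (IRP_MJ_MAXIMUM_FUNCTION + 1). The "every handler points at one address" check mirrors the "All IRP handlers pointed to one addr" condition TDSSKiller itself prints, not Kaspersky's internal detection logic. The sample log embedded below is constructed to mirror the format in this thread; it is not a real capture.

```python
"""Triage a TDSSKiller 2.x log: per-driver dispatch-table check, file verdict,
and cure status of each reported infection (added example, not Kaspersky code)."""
import re
from collections import OrderedDict

IRP_MJ_COUNT = 27  # IRP_MJ_MAXIMUM_FUNCTION (0x1b) + 1 dispatch slots per driver

# TDSSKiller sometimes writes "... infected by TDSS rootkit ... " with no newline,
# so the next record shares the line.  Split on a lookahead for "timestamp pid ".
RECORD_SPLIT = re.compile(r"(?=\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s)")
RECORD_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+(?P<msg>.+)$")

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \\Driver\\\S+, Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-Fa-f]+)")
PROCESSING_RE = re.compile(r"TDL3_FileDetect: Processing driver: (?P<name>\S+)$")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>\w+)")
HOOK_RE = re.compile(r'Driver "(?P<name>[^"]+)" (?P<kind>Irp|StartIo) handler infected by TDSS rootkit')
FILE_RE = re.compile(r"^File (?P<path>.+?) infected by TDSS rootkit")


def records(log_text):
    """Yield (timestamp, pid, message) for every record, merged ones included."""
    for physical in log_text.splitlines():
        for chunk in RECORD_SPLIT.split(physical):
            m = RECORD_RE.match(chunk.strip())
            if m:
                yield m.group("ts"), m.group("pid"), m.group("msg").strip()


def triage(log_text):
    """Return {"drivers": {name: summary}, "findings": [infection records]}."""
    drivers, findings, current = OrderedDict(), [], None
    for _ts, _pid, msg in records(log_text):
        m = DRIVER_RE.search(msg) or PROCESSING_RE.search(msg)
        if m:  # a new driver object (or its on-disk file) is being examined
            current = drivers.setdefault(m.group("name"), {"handlers": {}, "path": None, "verdict": None})
            continue
        m = IRP_RE.search(msg)
        if m and current is not None:
            current["handlers"][int(m.group("idx"))] = m.group("addr").upper()
            continue
        m = VERDICT_RE.search(msg)
        if m and current is not None:
            current["path"], current["verdict"] = m.group("path"), m.group("verdict")
            continue
        m = HOOK_RE.search(msg)
        if m:  # in-memory hook on a dispatch routine or the StartIo routine
            findings.append({"type": m.group("kind"), "target": m.group("name"), "cured": False})
            continue
        m = FILE_RE.search(msg)
        if m:  # the driver file on disk carries the rootkit body
            findings.append({"type": "File", "target": m.group("path"), "cured": False})
            continue
        if msg == "cured" and findings:  # "cured" applies to the most recent finding
            findings[-1]["cured"] = True
    report = OrderedDict()
    for name, info in drivers.items():
        addrs = set(info["handlers"].values())
        report[name] = {
            "handlers": len(info["handlers"]),
            # TDL3 pattern: a complete dispatch table whose every slot is one address.
            "single_address": len(info["handlers"]) == IRP_MJ_COUNT and len(addrs) == 1,
            "path": info["path"],
            "verdict": info["verdict"],
        }
    return {"drivers": report, "findings": findings}


def summarize(log_text):
    """One readable line per driver and per reported infection."""
    result, lines = triage(log_text), []
    for name, d in result["drivers"].items():
        flag = "ALL %d IRP handlers -> one address" % d["handlers"] if d["single_address"] else "dispatch table varied"
        lines.append("%-8s %-34s file verdict: %s (%s)" % (name, flag, d["verdict"], d["path"]))
    for f in result["findings"]:
        lines.append("%-8s %-40s %s" % (f["type"], f["target"], "cured" if f["cured"] else "NOT cured"))
    return lines


def _dispatch_lines(ts, addr_for):
    # One IrpHandler record per IRP_MJ_* slot, as TDSSKiller prints them.
    return ["%s 5540 DetectCureTDL3: IrpHandler (%d) addr: %s" % (ts, i, addr_for(i)) for i in range(IRP_MJ_COUNT)]


# Constructed sample mirroring the log format in this thread (not a real capture).
SAMPLE_LOG = "\n".join(
    ["16:06:49:939 5540 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25",
     "16:06:51:780 5540 Scanning Kernel memory ...",
     r"16:06:51:780 5540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR"]
    + _dispatch_lines("16:06:51:780", lambda i: {0: "81016FC8", 2: "81017040", 14: "81016BC4"}.get(i, "822319D2"))
    + ["16:06:51:780 5540 TDL3_FileDetect: Processing driver: USBSTOR",
       r"16:06:51:795 5540 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean",
       r"16:06:51:795 5540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi"]
    + _dispatch_lines("16:06:51:795", lambda i: "855F1841")
    + ["16:06:51:795 5540 DetectCureTDL3: All IRP handlers pointed to one addr: 855F1841",
       '16:06:51:795 5540 Driver "atapi" Irp handler infected by TDSS rootkit ... 16:06:51:811 5540 KLMD_WriteMem: Trying to WriteMemory 0x855F18BA[0xD]',
       "16:06:51:811 5540 cured",
       '16:06:51:811 5540 Driver "atapi" StartIo handler infected by TDSS rootkit ... 16:06:51:811 5540 TDL3_StartIoHookCure: Number of patches 1',
       "16:06:51:811 5540 cured",
       "16:06:51:811 5540 TDL3_FileDetect: Processing driver: atapi",
       r"16:06:51:811 5540 TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Infected",
       r"16:06:51:811 5540 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 16:06:51:811 5540 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys",
       "16:06:56:725 5540 TDL3_FileCure: Backup copy found, using it.."]
)

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Two points when reading the output. A dispatch table where every slot holds the same address is a prompt, not a verdict on its own: a legitimate driver may register one routine for every major function, and most of a clean driver's unused slots normally share one kernel stub address anyway (the USBSTOR entries show that), which is why the script also carries TDSSKiller's on-disk file verdict. And a "File ... infected" finding with no following "cured" record means the log ended before the cure completed, so the reboot the post asks for is what finishes the job.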

Re: Redirected Browser and other maladies

Unread postby scabstermooch » January 27th, 2010, 3:48 pm

Hello, thanks for the swift reply. I followed the steps as directed about 3 hours ago, and I have been able to surf the net without problems thus far. These are the Logs.

---------------------------------------------------------------------------------

TDSSKiller:

16:06:49:939 5540 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:06:49:939 5540 ================================================================================
16:06:49:939 5540 SystemInfo:

16:06:49:939 5540 OS Version: 6.0.6002 ServicePack: 2.0
16:06:49:939 5540 Product type: Workstation
16:06:49:939 5540 ComputerName: HP001-PC
16:06:49:939 5540 UserName: hp001
16:06:49:939 5540 Windows directory: C:\Windows
16:06:49:939 5540 Processor architecture: Intel x86
16:06:49:939 5540 Number of processors: 2
16:06:49:939 5540 Page size: 0x1000
16:06:49:939 5540 Boot type: Normal boot
16:06:49:939 5540 ================================================================================
16:06:49:939 5540 UnloadDriverW: NtUnloadDriver error 2
16:06:49:939 5540 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:06:49:939 5540 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
16:06:50:064 5540 UtilityInit: KLMD drop and load success
16:06:50:064 5540 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:06:50:064 5540 UtilityInit: KLMD open success
16:06:50:064 5540 UtilityInit: Initialize success
16:06:50:064 5540
16:06:50:064 5540 Scanning Services ...
16:06:50:064 5540 CreateRegParser: Registry parser init started
16:06:50:064 5540 CreateRegParser: DisableWow64Redirection error
16:06:50:064 5540 wfopen_ex: Trying to open file C:\Windows\system32\config\system
16:06:50:064 5540 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
16:06:50:064 5540 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:06:50:064 5540 wfopen_ex: Trying to KLMD file open
16:06:50:064 5540 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
16:06:50:064 5540 wfopen_ex: File opened ok (Flags 2)
16:06:50:079 5540 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 19E1368
16:06:50:079 5540 wfopen_ex: Trying to open file C:\Windows\system32\config\software
16:06:50:079 5540 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
16:06:50:079 5540 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:06:50:079 5540 wfopen_ex: Trying to KLMD file open
16:06:50:079 5540 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
16:06:50:079 5540 wfopen_ex: File opened ok (Flags 2)
16:06:50:079 5540 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 19E1390
16:06:50:079 5540 CreateRegParser: EnableWow64Redirection error
16:06:50:079 5540 CreateRegParser: RegParser init completed
16:06:51:780 5540 GetAdvancedServicesInfo: Raw services enum returned 484 services
16:06:51:780 5540 fclose_ex: Trying to close file C:\Windows\system32\config\system
16:06:51:780 5540 fclose_ex: Trying to close file C:\Windows\system32\config\software
16:06:51:780 5540
16:06:51:780 5540 Scanning Kernel memory ...
16:06:51:780 5540 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:06:51:780 5540 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 857AC268
16:06:51:780 5540 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
16:06:51:780 5540
16:06:51:780 5540 DetectCureTDL3: DEVICE_OBJECT: 88431AC8
16:06:51:780 5540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88431AC8
16:06:51:780 5540 DetectCureTDL3: DEVICE_OBJECT: 8838F900
16:06:51:780 5540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8838F900
16:06:51:780 5540 KLMD_ReadMem: Trying to ReadMemory 0x8838F900[0x38]
16:06:51:780 5540 DetectCureTDL3: DRIVER_OBJECT: 88420C50
16:06:51:780 5540 KLMD_ReadMem: Trying to ReadMemory 0x88420C50[0xA8]
16:06:51:780 5540 KLMD_ReadMem: Trying to ReadMemory 0x8841C2C0[0x1E]
16:06:51:780 5540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
16:06:51:780 5540 DetectCureTDL3: IrpHandler (0) addr: 81016FC8
16:06:51:780 5540 DetectCureTDL3: IrpHandler (1) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (2) addr: 81017040
16:06:51:780 5540 DetectCureTDL3: IrpHandler (3) addr: 810170B8
16:06:51:780 5540 DetectCureTDL3: IrpHandler (4) addr: 810170B8
16:06:51:780 5540 DetectCureTDL3: IrpHandler (5) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (6) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (7) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (8) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (9) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (10) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (11) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (12) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (13) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (14) addr: 81016BC4
16:06:51:780 5540 DetectCureTDL3: IrpHandler (15) addr: 8100A7E4
16:06:51:780 5540 DetectCureTDL3: IrpHandler (16) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (17) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (18) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (19) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (20) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (21) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (22) addr: 8101559C
16:06:51:780 5540 DetectCureTDL3: IrpHandler (23) addr: 810127A2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (24) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (25) addr: 822319D2
16:06:51:780 5540 DetectCureTDL3: IrpHandler (26) addr: 822319D2
16:06:51:780 5540 KLMD_ReadMem: Trying to ReadMemory 0x8100CF26[0x400]
16:06:51:780 5540 TDL3_StartIoHookDetect: CheckParameters: 4, 81011000, 0
16:06:51:780 5540 TDL3_FileDetect: Processing driver: USBSTOR
16:06:51:780 5540 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
16:06:51:780 5540 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
16:06:51:795 5540 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
16:06:51:795 5540
16:06:51:795 5540 DetectCureTDL3: DEVICE_OBJECT: 8571FAC8
16:06:51:795 5540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8571FAC8
16:06:51:795 5540 DetectCureTDL3: DEVICE_OBJECT: 8558F390
16:06:51:795 5540 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8558F390
16:06:51:795 5540 KLMD_ReadMem: Trying to ReadMemory 0x8558F390[0x38]
16:06:51:795 5540 DetectCureTDL3: DRIVER_OBJECT: 86422BA0
16:06:51:795 5540 KLMD_ReadMem: Trying to ReadMemory 0x86422BA0[0xA8]
16:06:51:795 5540 KLMD_ReadMem: Trying to ReadMemory 0x855CB028[0x38]
16:06:51:795 5540 KLMD_ReadMem: Trying to ReadMemory 0x8558AF10[0xA8]
16:06:51:795 5540 KLMD_ReadMem: Trying to ReadMemory 0x8558AEC0[0x1A]
16:06:51:795 5540 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:06:51:795 5540 DetectCureTDL3: IrpHandler (0) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (1) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (2) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (3) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (4) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (5) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (6) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (7) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (8) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (9) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (10) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (11) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (12) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (13) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (14) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (15) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (16) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (17) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (18) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (19) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (20) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (21) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (22) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (23) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (24) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (25) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: IrpHandler (26) addr: 855F1841
16:06:51:795 5540 DetectCureTDL3: All IRP handlers pointed to one addr: 855F1841
16:06:51:795 5540 KLMD_ReadMem: Trying to ReadMemory 0x855F1841[0x400]
16:06:51:795 5540 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
16:06:51:795 5540 Driver "atapi" Irp handler infected by TDSS rootkit ... 16:06:51:811 5540 KLMD_WriteMem: Trying to WriteMemory 0x855F18BA[0xD]
16:06:51:811 5540 cured
16:06:51:811 5540 KLMD_ReadMem: Trying to ReadMemory 0x855F16EC[0x400]
16:06:51:811 5540 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
16:06:51:811 5540 Driver "atapi" StartIo handler infected by TDSS rootkit ... 16:06:51:811 5540 TDL3_StartIoHookCure: Number of patches 1
16:06:51:811 5540 KLMD_WriteMem: Trying to WriteMemory 0x855F17F5[0x6]
16:06:51:811 5540 cured
16:06:51:811 5540 TDL3_FileDetect: Processing driver: atapi
16:06:51:811 5540 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
16:06:51:811 5540 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
16:06:51:811 5540 TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Infected
16:06:51:811 5540 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 16:06:51:811 5540 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
16:06:53:792 5540 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys:19944, checking..
16:06:53:808 5540 ValidateDriverFile: Stage 1 passed
16:06:53:808 5540 ValidateDriverFile: Stage 2 passed
16:06:53:933 5540 DigitalSignVerifyByHandle: Embedded DS result: 00000000
16:06:53:933 5540 ValidateDriverFile: Stage 3 passed
16:06:53:933 5540 FileCallback: File validated successfully, restore information prepared
16:06:56:725 5540 FindDriverFileBackup: Backup copy found in DriverStore
16:06:56:725 5540 TDL3_FileCure: Backup copy found, using it..
16:06:56:725 5540 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tskFAA.tmp
16:06:56:928 5540 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskFAA.tmp, system32\drivers\atapi.sys)
16:06:56:928 5540 TDL3_FileCure: KLMD jobs schedule success
16:06:56:928 5540 will be cured on next reboot
16:06:56:928 5540 UtilityBootReinit: Reboot required for cure complete..
16:06:56:928 5540 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
16:06:56:943 5540 UtilityBootReinit: KLMD drop success
16:06:56:943 5540 KLMD_ApplyPendList: Pending buffer(1C47_5D97, 608) dropped successfully
16:06:56:943 5540 UtilityBootReinit: Cure on reboot scheduled successfully
16:06:56:943 5540
16:06:56:943 5540 Completed
16:06:56:943 5540
16:06:56:943 5540 Results:
16:06:56:943 5540 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
16:06:56:943 5540 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:06:56:943 5540 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:06:56:943 5540
16:06:56:943 5540 UnloadDriverW: NtUnloadDriver error 1
16:06:56:943 5540 KLMD_Unload: UnloadDriverW(klmd21) error 1
16:06:56:943 5540 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
16:06:56:943 5540 UtilityDeinit: KLMD(ARK) unloaded successfully

---------------------------------------------------------------------------------------

Combofix:

ComboFix 10-01-26.01 - hp001 27/01/2010 16:15:06.3.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.65.1033.18.2551.1652 [GMT 1:00]
Running from: c:\users\hp001\Desktop\ComboFix.exe
Command switches used :: c:\users\hp001\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\hp001\AppData\Roaming\uTorrent
c:\users\hp001\AppData\Roaming\uTorrent\Demonic Confidence and Super Confidence by Archer Sloan.torrent
c:\users\hp001\AppData\Roaming\uTorrent\MapSource_6137.exe.torrent

.
((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-27 15:23 . 2010-01-27 15:23 -------- d-----w- c:\users\hp001\AppData\Local\temp
2010-01-27 15:23 . 2010-01-27 15:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-27 15:23 . 2010-01-27 15:23 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-01-27 15:23 . 2010-01-27 15:23 -------- d-----w- c:\users\Guest Internet\AppData\Local\temp
2010-01-27 15:23 . 2010-01-27 15:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-26 16:23 . 2010-01-26 18:14 -------- d-----w- c:\users\Guest Internet\AppData\Roaming\dvdcss
2010-01-26 16:23 . 2010-01-26 18:15 -------- d-----w- c:\users\Guest Internet\AppData\Roaming\vlc
2010-01-22 18:54 . 2010-01-23 23:01 -------- d-----w- c:\users\Guest Internet\AppData\Roaming\skypePM
2010-01-22 18:52 . 2010-01-24 05:15 -------- d-----w- c:\users\Guest Internet\AppData\Roaming\Skype
2010-01-17 11:39 . 2010-01-17 11:39 -------- d-----w- c:\programdata\Vodafone
2010-01-16 23:24 . 2009-06-03 23:56 675152 ----a-w- c:\windows\system32\gpprefcl.dll
2010-01-16 23:20 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-16 23:20 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-16 23:20 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-01-13 07:08 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-01-13 07:08 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2010-01-12 08:54 . 2010-01-12 08:54 -------- d-----w- c:\program files\Trend Micro
2010-01-11 22:10 . 2010-01-26 18:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-11 22:10 . 2010-01-26 18:42 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-10 22:21 . 2010-01-10 22:21 -------- d-----w- c:\program files\Enigma Software Group
2010-01-10 21:52 . 2010-01-21 16:49 -------- d-sh--w- c:\users\hp001\.COMMgr
2010-01-05 18:04 . 2010-01-05 18:04 -------- d-----w- c:\users\hp001\AppData\Local\SRS Labs
2010-01-05 18:04 . 2010-01-05 18:04 -------- d-----w- c:\programdata\SRS Labs
2010-01-05 18:04 . 2007-07-26 01:25 39808 ----a-w- c:\windows\system32\drivers\SRS_SSCFilter_i386.sys
2010-01-05 18:04 . 2007-07-26 01:25 42112 ----a-w- c:\windows\system32\drivers\csiidecoder_kern_i386.sys
2010-01-05 18:04 . 2007-07-26 01:25 47360 ----a-w- c:\windows\system32\drivers\Surroundhp_kern_i386.sys
2010-01-05 18:04 . 2007-07-26 01:25 47104 ----a-w- c:\windows\system32\drivers\tshd4_kern_i386.sys
2010-01-05 18:04 . 2007-07-26 01:25 32000 ----a-w- c:\windows\system32\drivers\wowhd_kern_i386.sys
2009-12-31 13:27 . 2009-12-31 13:37 -------- d-----w- c:\users\hp001\AppData\Roaming\ppstream
2009-12-31 13:27 . 2009-12-31 13:33 -------- d-----w- c:\program files\PPStream

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 15:08 . 2009-06-08 15:23 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-27 15:07 . 2006-11-09 21:07 12 ----a-w- c:\windows\bthservsdp.dat
2010-01-27 15:04 . 2009-12-19 10:55 -------- d-----w- c:\users\hp001\AppData\Roaming\vlc
2010-01-22 15:03 . 2008-04-18 10:03 -------- d-----w- c:\users\hp001\AppData\Roaming\skypePM
2010-01-22 14:22 . 2008-04-18 10:01 -------- d-----w- c:\users\hp001\AppData\Roaming\Skype
2010-01-22 12:53 . 2008-05-21 05:03 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 12:42 . 2009-06-05 18:10 -------- d-----w- c:\users\hp001\AppData\Roaming\dvdcss
2010-01-16 23:31 . 2007-05-31 16:59 -------- d-----w- c:\programdata\Microsoft Help
2010-01-16 23:28 . 2007-05-31 16:23 -------- d-----w- c:\program files\CONEXANT
2010-01-16 23:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-14 18:07 . 2007-05-31 16:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-14 17:46 . 2007-05-31 16:54 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-14 10:12 . 2009-10-03 00:10 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 08:21 . 2009-12-15 04:49 -------- d-----w- c:\program files\SlySoft
2010-01-07 04:29 . 2009-01-09 20:35 680 ----a-w- c:\users\hp001\AppData\Local\d3d9caps.dat
2009-12-27 14:14 . 2009-12-27 14:14 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-12-27 14:02 . 2009-12-27 14:02 -------- d-----w- c:\programdata\GARMIN
2009-12-27 01:33 . 2009-10-17 14:33 -------- d-----w- c:\users\hp001\AppData\Roaming\GARMIN
2009-12-27 01:19 . 2007-10-14 01:22 -------- d-----w- c:\program files\DIFX
2009-12-27 01:18 . 2009-12-27 01:18 -------- d-----w- c:\program files\Garmin
2009-12-25 10:59 . 2009-12-25 10:59 -------- d-----w- c:\program files\SMPlayer
2009-12-25 01:05 . 2007-10-13 14:10 -------- d-----w- c:\program files\Google
2009-12-21 16:13 . 2009-12-21 16:13 -------- d-----w- c:\program files\Windows Live
2009-12-21 16:13 . 2009-12-21 16:13 -------- d-----w- c:\programdata\WindowsLiveInstaller
2009-12-21 16:13 . 2009-12-21 16:13 -------- d-----w- c:\programdata\WLInstaller
2009-12-21 16:05 . 2009-12-21 16:05 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-19 10:55 . 2009-12-19 10:55 -------- d-----w- c:\program files\VideoLAN
2009-12-15 17:37 . 2009-12-15 17:37 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-15 17:37 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-15 17:36 . 2009-12-15 17:36 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-12-15 17:35 . 2009-12-15 17:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-15 04:55 . 2009-12-15 04:55 -------- d-----w- c:\programdata\SlySoft
2009-11-21 06:40 . 2009-12-15 17:19 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-15 17:19 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-15 17:19 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-15 17:19 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 12:31 . 2009-12-15 17:25 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-15 17:25 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-15 17:25 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-05 04:26 . 2009-12-27 12:22 11221864 ----a-w- c:\users\hp001\AppData\Roaming\Mozilla\Firefox\Profiles\f3t99l33.Lee\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
2009-11-02 19:10 . 2008-10-19 16:34 101480 ----a-w- c:\users\Guest Internet\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 10:06 . 2008-05-18 20:32 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2008-05-18 20:32 31232 --sh--r- c:\windows\System32\msfDX.dll
2007-12-17 13:43 . 2008-05-18 20:32 27648 --sh--w- c:\windows\System32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1233920]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-05-17 5729136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{2E9D28CD-006A-4969-AB92-63DD74B4CA59}"="c:\program files\T-Mobile\Web'n'Walk Accelerator\bmoc -d" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-04-12 163840]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-09-06 184320]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-13 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-13 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-13 129560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-04-20 2327552]

c:\users\hp001\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
GB-PVR Tray.lnk - c:\program files\Devnz\GBPVR\GBPVRTray.exe [2008-11-2 110592]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-17 113664]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-10-13 184320]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
WinManager.lnk - c:\program files\PC-TV\WinManager\WinManager.exe [2008-11-23 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-03-07 19:15 50696 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):72,28,55,df,50,e8,c9,01

R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [20/04/2009 17:20 9216]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17/11/2008 15:40 3668480]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\System32\drivers\ZTEusbnet.sys [13/08/2009 16:54 110592]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\System32\drivers\zteusbvoice.sys [13/08/2009 16:54 105344]
S2 gupdate1c9a03e2e8e1de0;Google Update Service (gupdate1c9a03e2e8e1de0);c:\program files\Google\Update\GoogleUpdate.exe [08/03/2009 23:35 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [28/05/2008 20:01 21504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\System32\drivers\massfilter.sys [09/04/2009 13:38 7680]
S3 tiltmouse;Paten HID USB Filter Driver1;c:\windows\System32\drivers\MUsbFltr.sys [24/03/2008 15:33 9600]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [23/03/2008 20:39 717296]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 22:35]

2010-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 22:35]

2010-01-27 c:\windows\Tasks\User_Feed_Synchronization-{8F5574C4-D5CA-4D87-BC75-D228C92DE391}.job
- c:\windows\system32\msfeedssync.exe [2009-12-15 04:59]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
FF - ProfilePath - c:\users\hp001\AppData\Roaming\Mozilla\Firefox\Profiles\f3t99l33.Lee\
FF - prefs.js: browser.search.selectedEngine - Amazon.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\NPSWF32.dll
FF - plugin: c:\users\hp001\AppData\Roaming\Mozilla\Firefox\Profiles\f3t99l33.Lee\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 16:23
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-27 16:26:50
ComboFix-quarantined-files.txt 2010-01-27 15:26
ComboFix2.txt 2010-01-26 19:16

Pre-Run: 15,772,655,616 bytes free
Post-Run: 15,736,213,504 bytes free

- - End Of File - - 37148EBF4B614DB67499A403C9CFB137
scabstermooch
Active Member
 
Posts: 8
Joined: January 12th, 2010, 4:58 am
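The TDSSKiller log in the post above records the trigger that led it to atapi: all 27 IRP major-function handlers of the driver object resolved to one address (855F1841), after which it inspected that code and called the driver infected. As an added example that is neither TDSSKiller's code nor part of the thread, the Python below parses that log format and applies the same uniform-dispatch-table check, plus the Results block, over a constructed sample; the clean driver named cleanexample and its addresses are made up for contrast.

```python
"""Heuristic read out of the TDSSKiller log above: a driver object whose
IRP dispatch table has every major-function entry pointing at one address.

A legitimate driver registers distinct dispatch routines for the IRP_MJ_*
codes it handles and points the rest at a shared default, so its table is
never entirely one value; TDL3 overwrote all of atapi's entries with one
hook so that every request passed through the rootkit. Added example, not
TDSSKiller's own code and not part of the thread."""
import re

# Windows defines IRP_MJ_MAXIMUM_FUNCTION = 0x1b, i.e. entries 0..26.
IRP_MJ_COUNT = 27

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
RESULT_RE = re.compile(
    r"(\w+) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")


def parse_irp_tables(log_text):
    """Map each driver object named in the log to its {index: address} table.

    IrpHandler lines belong to the most recent DRIVER_OBJECT line, which is
    the order TDSSKiller emits them in.
    """
    tables = {}
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(2)
            tables.setdefault(current, {})
            continue
        m = HANDLER_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(1))] = m.group(2).upper()
    return tables


def uniform_dispatch_drivers(tables, expected=IRP_MJ_COUNT):
    """Return [(driver, address)] for every driver whose complete dispatch
    table collapses to one address. Incomplete tables are not judged, so a
    truncated log cannot produce a false positive."""
    hits = []
    for driver, table in tables.items():
        if len(table) < expected:
            continue
        addrs = set(table.values())
        if len(addrs) == 1:
            hits.append((driver, addrs.pop()))
    return hits


def parse_results(log_text):
    """Parse the 'Results:' block into {kind: (infected, cured, cured_on_reboot)}."""
    return {m.group(1): tuple(int(x) for x in m.groups()[1:])
            for m in RESULT_RE.finditer(log_text)}


def _driver_lines(driver_path, driver_name, addr_for):
    """Constructed log lines, in TDSSKiller's format, for one driver object."""
    pre = "16:06:51:795 5540 DetectCureTDL3: "
    lines = [f"{pre}DRIVER_OBJECT name: {driver_path}, Driver Name: {driver_name}"]
    lines += [f"{pre}IrpHandler ({i}) addr: {addr_for(i)}" for i in range(IRP_MJ_COUNT)]
    return lines


# Constructed sample: the hooked atapi table as it appears in the thread's
# log (all 27 entries at 855F1841), a made-up clean driver "cleanexample"
# whose handled majors have their own routines and the rest share a default,
# and the Results block from the same log.
_HANDLED_MAJORS = {0, 2, 3, 4, 14, 22}
SAMPLE_LOG = "\n".join(
    _driver_lines("\\Driver\\atapi", "atapi", lambda i: "855F1841")
    + _driver_lines("\\Driver\\cleanexample", "cleanexample",
                    lambda i: f"8040{i:02X}00" if i in _HANDLED_MAJORS else "8040FF00")
    + [
        "16:06:56:943 5540 Results:",
        "16:06:56:943 5540 Memory objects infected / cured / cured on reboot: 2 / 2 / 0",
        "16:06:56:943 5540 Registry objects infected / cured / cured on reboot: 0 / 0 / 0",
        "16:06:56:943 5540 File objects infected / cured / cured on reboot: 1 / 0 / 1",
    ]
)

if __name__ == "__main__":
    tables = parse_irp_tables(SAMPLE_LOG)
    for driver, addr in uniform_dispatch_drivers(tables):
        # The uniform table is the trigger; TDSSKiller then inspected the code
        # at that address (TDL3_IrpHookDetect) before calling it infected.
        print(f"{driver}: all {IRP_MJ_COUNT} IRP handlers -> {addr}, inspect for TDL3 hook")
    for kind, (infected, cured, on_reboot) in parse_results(SAMPLE_LOG).items():
        print(f"{kind}: infected={infected} cured={cured} cured_on_reboot={on_reboot}")
```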

Re: Redirected Browser and other maladies

Post by jmw3 » January 27th, 2010, 8:51 pm

Hi

Good to hear things are looking better. We'll just check for any leftovers.

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it
Go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply
Pictured tutorial if required.

To post in next reply:
Kaspersky Online Scan log
New HijackThis log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Redirected Browser and other maladies

Post by scabstermooch » January 29th, 2010, 6:19 pm

Hello. Thanks again.

This is my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:15:57, on 29/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [{2E9D28CD-006A-4969-AB92-63DD74B4CA59}] "C:\Program Files\T-Mobile\Web'n'Walk Accelerator\bmoc" -d
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: GB-PVR Tray.lnk = C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinManager.lnk = C:\Program Files\PC-TV\WinManager\WinManager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\Windows\system32\bmwebcfg.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GB-PVR Recording Service - WelltonWay - C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
O23 - Service: Google Update Service (gupdate1c9a03e2e8e1de0) (gupdate1c9a03e2e8e1de0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7668 bytes


This is the Kaspersky Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, January 29, 2010
Operating system: Microsoft Windows Vista Business Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, January 28, 2010 20:20:18
Records in database: 3381907
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\

Scan statistics:
Objects scanned: 205662
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 03:36:07


File name / Threat / Threats count
C:\Users\hp001\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\6b7a389a-58306d43 Infected: Trojan-Downloader.Java.Agent.am 1

Selected area has been scanned.

----

Kaspersky detected a problem as far as I can tell.

Once again, thanks. I haven't experienced any browser redirects or crashing yet.

Regards,

SM
scabstermooch
Active Member
 
Posts: 8
Joined: January 12th, 2010, 4:58 am

Re: Redirected Browser and other maladies

Post by jmw3 » January 29th, 2010, 7:25 pm

Hi

Clean Out The Java Cache
  • Click Start>Control Panel then click the Java icon to open the Java Control Panel
  • Click the General tab
  • Under Temporary Internet Files click Settings
  • Click Delete Files...
  • Click OK twice to exit the Java Control panel
DeFogger
To re-enable your Emulation drivers, right click DeFogger then choose Run as Administrator to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
Your Emulation drivers are now re-enabled.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
OTC
Download OTC by Old Timer here & save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can delete the following from your desktop:
DDS.scr
The Gmer.exe file (it will be a randomly named .exe file)
DeFogger
TDSSKiller
Any logs that may have been saved to your desktop

You can remove the Kaspersky Online Scanner. This can be done via Add or Remove Programs
You should also remove HijackThis. You can do this by going to C:\Program Files\Trend Micro\HijackThis
  • Double click HijackThis.exe
  • From the Main menu click Open the Misc Tools section
  • Using the scroll bar, scroll down to Uninstall HijackThis
  • Click Uninstall HijackThis & exit then click Yes at the prompt
You can re-enable both Spybot's TeaTimer & Windows Defender now if you like.

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Create a Clean System Restore Point
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and click OK
Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
Click OK and Yes to confirm.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can download it here & find a tutorial here. Keep it updated & run it regularly.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name (the name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Web of Trust
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and Internet Explorer.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask, or in future do not hesitate to contact us here at The Malware Removal Forums.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
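The HOSTS-file behaviour described in the post above (the file is consulted before DNS, so a bad site mapped to your own machine never reaches its real address), as an added Python example that is not part of the original post or of any tool it names; the file contents, hostnames and addresses below are constructed, and the "first entry wins" rule for duplicate names is an assumption.

```python
import ipaddress

# Addresses that send a request straight back to the local machine ("short circuit").
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in HOSTS format (on Windows the real file is
# C:\Windows\System32\drivers\etc\hosts): address, whitespace, one or more
# names, optional "#" comment. Blank and comment-only lines are ignored.
SAMPLE_HOSTS = """\
# header comment, ignored
127.0.0.1       localhost
::1             localhost
0.0.0.0   badsite.example  www.badsite.example   # constructed block entries
127.0.0.1 tracker.example
not-an-address  broken.example                    # malformed line, skipped
10.0.0.5  intranet.example                        # ordinary mapping, not a block
"""

def parse_hosts(text):
    """Return {hostname (lowercased): address} from HOSTS-format text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)           # skip lines without a valid address
        except ValueError:
            continue
        for name in names:
            # assumption: the first entry wins when a name is listed twice
            mapping.setdefault(name.lower(), addr)
    return mapping

def is_blocked(hostname, hosts):
    """True if the HOSTS file short-circuits this name to the local machine."""
    name = hostname.lower()
    return name != "localhost" and hosts.get(name) in LOCAL_SINKS

def resolve(hostname, hosts, dns_lookup):
    """HOSTS is consulted first; DNS is only asked on a miss."""
    addr = hosts.get(hostname.lower())
    return addr if addr is not None else dns_lookup(hostname)

def blocked_names(hosts):
    """All names the file blocks, in sorted order."""
    return sorted(n for n in hosts if is_blocked(n, hosts))
```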

Re: Redirected Browser and other maladies

Unread postby scabstermooch » January 29th, 2010, 9:03 pm

Thanks for the help. A donation is incoming. :cheers:
scabstermooch
Active Member
 
Posts: 8
Joined: January 12th, 2010, 4:58 am

Re: Redirected Browser and other maladies

Unread postby jmw3 » January 29th, 2010, 10:02 pm

No problem at all... Glad I could help.

Good Luck & Surf Safe
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Redirected Browser and other maladies

Unread postby jmw3 » January 30th, 2010, 7:57 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia