IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice

ie8 redirecting to random pages

2230 Views 13 Replies 2 Participants Last post by RPMcMurphy, Nov 16, 2010

jmcinwpg

Discussion Starter · Nov 10, 2010

Hi, I hope you can help me!

Janice

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:16:10 PM, on 10/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Global Payments\VPNClient\cvpnd.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Apps\Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ricky\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/small...en&client=dell-row&channel=ca-smb&ibd=6080807
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum

n /alerts

n /systrayIcon

n
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [AllToTray] C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE
O4 - Global Startup: Global Payments Inc. GPN VPN Client.lnk = C:\Program Files\Global Payments\VPNClient\vpngui.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Apps\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.facebook.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games Matchmaking) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {445F47D7-E043-4BD6-82EB-7A1BD0EBA773} (CopyGuardCtrl Class) - http://www.psapoll.com/CopyGuardIE.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games Game Chat) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) - http://192.168.200.1/MLWebCacheCleaner.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v45/royal/royal.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6162/mcfscan.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CCD2F6D-232C-46A0-8A67-DC59778AAC66}: NameServer = 192.168.0.1,205.200.16.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{8CCD2F6D-232C-46A0-8A67-DC59778AAC66}: NameServer = 192.168.0.1,205.200.16.65
O17 - HKLM\System\CS2\Services\Tcpip\..\{8CCD2F6D-232C-46A0-8A67-DC59778AAC66}: NameServer = 192.168.0.1,205.200.16.65
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Global Payments\VPNClient\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 12758 bytes

DDS (Ver_09-09-29.01) - NTFSx86
Run by ricky at 12:32:07.95 on 10/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2041 [GMT -6:00]
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Global Payments\VPNClient\cvpnd.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Apps\Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ricky\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Documents and Settings\ricky\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [AllToTray] c:\progra~1\alltot~1\ALLTOT~1.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum

n /alerts

n /systrayIcon

n
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\global~1.lnk - c:\program files\global payments\vpnclient\vpngui.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\apps\micros~1\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: facebook.com\www
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {445F47D7-E043-4BD6-82EB-7A1BD0EBA773} - hxxp://www.psapoll.com/CopyGuardIE.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxp://192.168.200.1/MLWebCacheCleaner.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} - hxxp://www.worldwinner.com/games/v45/royal/royal.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6162/mcfscan.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
TCP: {8CCD2F6D-232C-46A0-8A67-DC59778AAC66} = 192.168.0.1,205.200.16.65
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\ricky\applic~1\mozilla\firefox\profiles\ggym59vh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\documents and settings\ricky\application data\mozilla\firefox\profiles\ggym59vh.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\ricky\application data\mozilla\firefox\profiles\ggym59vh.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\ricky\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\apps\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\apps\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\apps\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\apps\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\apps\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\apps\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\apps\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\apps\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\apps\firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\apps\firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\apps\firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\apps\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\apps\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\apps\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\apps\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\apps\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\apps\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\apps\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\apps\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\apps\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\apps\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\apps\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\apps\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\apps\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\apps\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\apps\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\apps\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\apps\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\apps\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\apps\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\apps\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\apps\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\apps\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\apps\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\apps\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\apps\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\apps\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\apps\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\apps\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\apps\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\apps\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\apps\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\apps\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\apps\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\apps\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\apps\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\apps\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-8-6 8960]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-8-6 11264]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-9-23 38224]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-8-6 16640]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-7 189792]
=============== Created Last 30 ================
2010-11-10 11:38 --d----- c:\windows\McAfee.com
2010-11-10 09:57 --d----- c:\program files\Sophos
2010-11-10 08:17 12,477 a------- c:\windows\system32\234.js
2010-10-15 06:59 --d----- c:\docume~1\ricky\applic~1\AVG10
2010-10-14 15:32 --d-h--- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-14 15:31 --d----- c:\windows\system32\drivers\AVG
2010-10-14 15:31 --d----- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-14 07:01 --d----- c:\docume~1\alluse~1\applic~1\MFAData
==================== Find3M ====================
2010-09-13 15:27 25,680 a------- c:\windows\system32\drivers\AVGIDSEH.sys
2010-08-17 07:17 58,880 a------- c:\windows\system32\spoolsv.exe
2010-08-17 07:17 58,880 a------- c:\windows\system32\dllcache\spoolsv.exe
2010-05-24 14:51 540,920 a------- c:\docume~1\ricky\applic~1\GDIPFONTCACHEV1.DAT
2009-07-13 13:33 34 a------- c:\documents and settings\ricky\jagex_runescape_preferences.dat
============= FINISH: 12:33:07.03 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-10 12:51:32
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3500620AS rev.DE12
Running: 85s6k0z9.exe; Driver: C:\DOCUME~1\ricky\LOCALS~1\Temp\pxtdqpob.sys

---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB93956C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB9395770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB9395810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB93958B0]
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB829F000, 0x1A3F84, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[260] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[260] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[260] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DD000C
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01209315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 012DDBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 012DDD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 012E4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 01241CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 013FE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 013FDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 013FDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 013FDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 013FDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 013FE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 013FDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[260] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 012E488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 032C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[456] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 032D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[456] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 032B000C
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01209315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 012DDBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 012DDD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 012E4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 01241CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 013FE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 013FDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 013FDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 013FDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 013FDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 013FE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 013FDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[456] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 012E488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2576] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F9000A
.text C:\WINDOWS\Explorer.EXE[2576] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FA000A
.text C:\WINDOWS\Explorer.EXE[2576] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F8000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01209315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 012E4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 013FE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 013FDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 013FDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 013FDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 013FDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 013FE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2612] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 013FDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[3372] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E0000A
.text C:\WINDOWS\System32\svchost.exe[3372] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E1000A
.text C:\WINDOWS\System32\svchost.exe[3372] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DF000C
.text C:\WINDOWS\System32\svchost.exe[3372] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0089000A
.text C:\WINDOWS\System32\svchost.exe[3372] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00ED000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DD000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01209315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 012DDBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 012DDD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 012E4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 01241CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 013FE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 013FDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 013FDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 013FDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 013FDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 013FE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 013FDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4800] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 012E488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Apps\Firefox\firefox.exe[5140] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0173000A
.text C:\Apps\Firefox\firefox.exe[5140] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0174000A
.text C:\Apps\Firefox\firefox.exe[5140] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0172000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8AD04292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8AD04292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8AD04292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8AD04292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8AD04292
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3500620AS_____________________________DE12____#5&1ab7cbc9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 976772912 (+255): rootkit-like behavior;
---- EOF - GMER 1.0.15 ----

See less See more

Save

Status: Not open for further replies.

1 - 14 of 14 Posts

RPMcMurphy

· #2 · Nov 10, 2010

Hello and welcome to Tech Support Guy. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until Ive given you the All clear. Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Any underlined text in my posts indicates a clickable link.
If you have any questions at all, please stop and ask before proceeding.
I remove threads from my subscription list after 5 days of inactivity. If you will not be able to respond to a post within 5 days, please let me know in advance.

P2P - I see you have P2P software (BitTorrent and Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at TSG are complete.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first. You may do this through Control Panel > Add/Remove Programs or you can use this tool for a more complete removal:

Download AppRemover from here saving it to your desktop.

Double click to run AppRemover
Follow the prompts to remove AVG
Reboot

Once you've removed AVG with this tool please continue with these instructions

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

ComboFix log

See less See more

Save

jmcinwpg

Discussion Starter · #3 · Nov 12, 2010

Have removed the bitdefender & vuze--I don't know who installed these on the machine and I have no use for them. AVG was quite a challenge to remove tho!

Save

RPMcMurphy

· #4 · Nov 12, 2010

Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above http://

Code:

http://forums.techguy.org/virus-other-malware-removal/961628-ie8-redirecting-random-pages.html
Collect::
c:\documents and settings\ricky\Application Data\sdfsdfgdsfgh.bat
c:\documents and settings\LocalService\Application Data\tempd.exe
c:\windows\system32\drivers\hejnf.sys
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\\\tt\\orders\\prg\\tt.exe"=-
FCopy::
c:\windows\ServicePackFiles\i386\spoolsv.exe | c:\windows\System32\spoolsv.exe

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

ComboFix log

See less See more

Save

jmcinwpg

Discussion Starter · #5 · Nov 12, 2010

ComboFix 10-11-11.02 - ricky 12/11/2010 16:17:12.8.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2554 [GMT -6:00]
Running from: c:\documents and settings\ricky\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ricky\Desktop\CFScript.txt
file zipped: c:\documents and settings\ricky\Application Data\sdfsdfgdsfgh.bat
file zipped: c:\windows\system32\drivers\hejnf.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ricky\Application Data\sdfsdfgdsfgh.bat
c:\windows\system32\drivers\hejnf.sys
.
--------------- FCopy ---------------
c:\windows\ServicePackFiles\i386\spoolsv.exe --> c:\windows\System32\spoolsv.exe
.
((((((((((((((((((((((((( Files Created from 2010-10-12 to 2010-11-12 )))))))))))))))))))))))))))))))
.
2010-11-12 17:01 . 2010-11-12 17:01 1409 ----a-w- c:\windows\QTFont.for
2010-11-10 22:26 . 2010-11-10 22:26 -------- d-----w- c:\documents and settings\ricky\Application Data\ElevatedDiagnostics
2010-11-10 21:56 . 2010-11-10 22:10 -------- d-----w- c:\program files\Unlocker
2010-11-10 17:38 . 2010-11-10 17:38 -------- d-----w- c:\windows\McAfee.com
2010-11-10 15:57 . 2010-11-10 15:57 65536 ----a-r- c:\documents and settings\ricky\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2010-11-10 15:57 . 2010-11-10 15:57 65536 ----a-r- c:\documents and settings\ricky\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\gui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2010-11-10 15:57 . 2010-11-10 15:57 65536 ----a-r- c:\documents and settings\ricky\Application Data\Microsoft\Installer\{2c557f98-ef74-4a1e-a856-9df2f633b41f}\ARPPRODUCTICON.exe
2010-11-10 15:57 . 2010-11-10 15:57 -------- d-----w- c:\program files\Sophos
2010-10-15 12:59 . 2010-10-15 12:59 -------- d-----w- c:\documents and settings\ricky\Application Data\AVG10
2010-10-14 21:32 . 2010-10-14 21:32 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-14 21:31 . 2010-11-12 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-14 21:31 . 2010-11-12 14:37 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-14 13:01 . 2010-10-14 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 08:45 . 2004-08-11 22:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((( [email protected]_15.25.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-12 21:23 . 2010-11-12 21:23 16384 c:\windows\temp\Perflib_Perfdata_4fc.dat
+ 2010-11-12 16:23 . 2005-09-20 10:17 17024 c:\windows\system32\ReinstallBackups\0026\DriverFiles\hpfxgen.sys
+ 2008-09-12 21:33 . 2006-04-05 03:19 17024 c:\windows\system32\drivers\hpfxgen.sys
- 2008-09-12 21:33 . 2005-09-20 10:17 17024 c:\windows\system32\drivers\hpfxgen.sys
+ 2004-08-11 22:00 . 2008-04-14 10:42 57856 c:\windows\system32\dllcache\spoolsv.exe
+ 2010-09-23 21:55 . 2010-09-23 21:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2010-09-23 08:26 . 2010-09-23 08:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2010-09-23 08:26 . 2010-09-23 08:26 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2010-09-23 08:26 . 2010-09-23 08:26 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2010-09-23 09:17 . 2010-09-23 09:17 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2010-09-23 09:17 . 2010-09-23 09:17 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
- 2003-02-21 00:19 . 2003-02-21 00:19 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2010-11-12 16:01 . 2010-11-12 16:01 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_84314bf5\System.Drawing.Design.dll
+ 2010-11-12 16:01 . 2010-11-12 16:01 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_559938d4\CustomMarshalers.dll
+ 2010-11-12 16:01 . 2010-11-12 16:01 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2009-04-16 23:26 . 2010-08-13 12:53 5120 c:\windows\system32\xpsp4res.dll
+ 2010-11-12 16:23 . 2005-09-20 10:22 9344 c:\windows\system32\ReinstallBackups\0026\DriverFiles\hpfxbulk.sys
+ 2008-09-12 21:33 . 2006-04-05 03:20 9344 c:\windows\system32\drivers\hpfxbulk.sys
- 2008-09-12 21:33 . 2005-09-20 10:22 9344 c:\windows\system32\drivers\hpfxbulk.sys
- 2008-09-12 21:33 . 2004-08-04 18:26 619520 c:\windows\system32\spool\drivers\w32x86\hewlett_packardhp_co0f30\UNIRES.DLL
+ 2008-09-12 21:33 . 2006-09-28 14:48 619520 c:\windows\system32\spool\drivers\w32x86\hewlett_packardhp_co0f30\UNIRES.DLL
+ 2008-09-12 21:33 . 2006-09-28 14:48 197120 c:\windows\system32\spool\drivers\w32x86\hewlett_packardhp_co0f30\UNIDRVUI.DLL
- 2008-09-12 21:33 . 2004-08-04 18:26 197120 c:\windows\system32\spool\drivers\w32x86\hewlett_packardhp_co0f30\UNIDRVUI.DLL
+ 2008-09-12 21:33 . 2006-09-28 14:48 269824 c:\windows\system32\spool\drivers\w32x86\hewlett_packardhp_co0f30\UNIDRV.DLL
+ 2008-09-12 21:33 . 2006-09-28 14:48 169472 c:\windows\system32\spool\drivers\w32x86\hewlett_packardhp_co0f30\pclxl.dll
- 2008-09-12 21:33 . 2004-07-10 09:56 169472 c:\windows\system32\spool\drivers\w32x86\hewlett_packardhp_co0f30\pclxl.dll
+ 2008-09-12 21:33 . 2006-11-29 23:26 671816 c:\windows\system32\spool\drivers\w32x86\hewlett_packardhp_co0f30\hpcdmc32.dll
+ 2010-11-12 16:23 . 2005-10-06 15:11 118784 c:\windows\system32\ReinstallBackups\0026\DriverFiles\hppcew02.dll
+ 2008-09-12 21:33 . 2007-01-06 00:07 188416 c:\windows\system32\hppcew02.dll
- 2008-09-12 21:33 . 2005-12-01 11:33 237568 c:\windows\system32\hppapr02.DLL
+ 2008-09-12 21:33 . 2006-09-07 01:42 237568 c:\windows\system32\hppapr02.dll
+ 2009-04-15 14:51 . 2010-08-16 08:45 590848 c:\windows\system32\dllcache\rpcrt4.dll
- 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2010-09-23 08:26 . 2010-09-23 08:26 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2010-09-23 08:25 . 2010-09-23 08:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2010-09-23 09:17 . 2010-09-23 09:17 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-04-26 21:34 . 2010-04-26 21:34 835584 c:\windows\assembly\temp\0A2UD5OGZ0\System.Drawing.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_cfc97fd0\System.Drawing.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_cc56eb4e\System.Drawing.Design.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_b621f507\CustomMarshalers.dll
+ 2008-09-12 21:33 . 2006-12-07 18:11 1740800 c:\windows\system32\spool\drivers\w32x86\hewlett_packardhp_co0f30\hpbcfgre.dll
- 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2010-09-23 21:55 . 2010-09-23 21:55 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2010-09-23 21:55 . 2010-09-23 21:55 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-09-23 08:26 . 2010-09-23 08:26 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-09-23 08:25 . 2010-09-23 08:25 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2008-05-28 05:48 . 2008-05-28 05:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-09-23 21:55 . 2010-09-23 21:55 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-04-26 21:33 . 2010-04-26 21:33 1232896 c:\windows\assembly\temp\Q9A2LDEFGQ\System.dll
+ 2010-04-26 21:34 . 2010-04-26 21:34 3018752 c:\windows\assembly\temp\IJBUME6YZR\System.Windows.Forms.dll
+ 2010-04-26 21:34 . 2010-04-26 21:34 3391488 c:\windows\assembly\temp\9SKLMNFGHI\mscorlib.dll
+ 2010-04-26 21:33 . 2010-04-26 21:33 1265664 c:\windows\assembly\temp\8IJTCM5OYH\System.Web.dll
+ 2010-04-26 21:33 . 2010-04-26 21:33 1966080 c:\windows\assembly\temp\123DEFPQR1\System.dll
+ 2010-04-26 21:34 . 2010-04-26 21:34 2088960 c:\windows\assembly\temp\0J2LV5FPQR\System.Xml.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_aeef229f\System.dll
+ 2010-11-12 16:01 . 2010-11-12 16:01 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_12472a91\System.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_b8069e8c\System.Xml.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_8660e227\System.Xml.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_ca69289d\System.Windows.Forms.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_5975b116\System.Windows.Forms.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_d9a78d25\System.Drawing.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_b8f32c98\System.Design.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_880d04f0\System.Design.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_e8bed668\mscorlib.dll
+ 2010-11-12 16:02 . 2010-11-12 16:02 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_5de317ef\mscorlib.dll
+ 2010-11-12 16:01 . 2010-11-12 16:01 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2010-04-26 21:33 . 2010-04-26 21:33 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2010-04-26 21:33 . 2010-04-26 21:33 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-11-12 16:01 . 2010-11-12 16:01 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-09-15 17:37 . 2010-11-02 22:47 35758536 c:\windows\system32\MRT.exe
+ 2010-09-24 20:08 . 2010-09-24 20:08 11430400 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2416447\M2416447Uninstall.msp
+ 2010-09-24 13:08 . 2010-09-24 13:08 17518080 c:\windows\Installer\fc571.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-31 16860672]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2005-09-29 36864]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Global Payments Inc. GPN VPN Client.lnk - c:\program files\Global Payments\VPNClient\vpngui.exe [2009-1-7 1466384]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-19 17:36 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-06-20 00:04 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 16:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-09-03 15:51 136176 ----atw- c:\documents and settings\ricky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-09-24 06:08 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-12 21:06 155648 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2005-11-21 21:55 45056 ----a-w- c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Quark\\QuarkXPress\\QuarkXPress.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\Global Payments\\RetailPC34e\\RetailPC.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Apps\\Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009
"62514:UDP"= 62514:UDP:GPNVPN1
"62515:UDP"= 62515:UDP:GPNVPN2
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [06/08/2008 5:44 PM 8960]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 5:46 AM 284016]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [06/08/2008 5:44 PM 11264]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [06/08/2008 5:44 PM 16640]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2010-11-05 c:\windows\Tasks\1-Click Maintenance.job
- c:\apps\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 21:53]
2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1998792695-138084169-153664071-1005Core.job
- c:\documents and settings\ricky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-03 15:51]
2010-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1998792695-138084169-153664071-1005UA.job
- c:\documents and settings\ricky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-03 15:51]
2010-11-12 c:\windows\Tasks\User_Feed_Synchronization-{C70C03A5-B266-4436-BF8D-FCEB877DBEBD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\apps\MICROS~1\Office10\EXCEL.EXE/3000
Trusted Zone: facebook.com\www
TCP: {8CCD2F6D-232C-46A0-8A67-DC59778AAC66} = 192.168.0.1,205.200.16.65
DPF: {445F47D7-E043-4BD6-82EB-7A1BD0EBA773} - hxxp://www.psapoll.com/CopyGuardIE.cab
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxp://192.168.200.1/MLWebCacheCleaner.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\documents and settings\ricky\Application Data\Mozilla\Firefox\Profiles\ggym59vh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\documents and settings\ricky\Application Data\Mozilla\Firefox\Profiles\ggym59vh.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\ricky\Application Data\Mozilla\Firefox\Profiles\ggym59vh.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\ricky\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\apps\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\apps\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\apps\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\apps\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\apps\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\apps\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\apps\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\apps\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\apps\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\apps\Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\apps\Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-12 16:22
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-12 16:24:00
ComboFix-quarantined-files.txt 2010-11-12 22:23
ComboFix2.txt 2010-11-12 15:27
Pre-Run: 439,345,053,696 bytes free
Post-Run: 439,358,742,528 bytes free
- - End Of File - - F793F857FFCF278C5B900283782B2464

See less See more

Save

RPMcMurphy

· #6 · Nov 12, 2010

Please visit this site

In the Link to topic where this file was requested: field, enter the following:

http://forums.techguy.org/virus-other-malware-removal/961628-ie8-redirecting-random-pages.html

Click to expand...
In the Browse to the file you want to submit: field, click on browse and navigate to the following file:
C:\Qoobox\Quarantine\[4]-Submit_,<date>_.zip (the date & time will roughly be the time you last ran ComboFix)
In the comments field enter the following:

Failed submission

Click to expand...
Press the send file button.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

Click the Update tab
Click Check for Updates
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please include the following in your next post:

MBAM log

See less See more

Save

jmcinwpg

Discussion Starter · #7 · Nov 15, 2010

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5120
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
15/11/2010 7:58:27 AM
mbam-log-2010-11-15 (07-58-27).txt
Scan type: Quick scan
Objects scanned: 155270
Time elapsed: 4 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

See less See more

Save

RPMcMurphy

· #8 · Nov 15, 2010

How is your computer running now? Please do this next:

Please run ESET Online Scanner

Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click the Details tab.
Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Please include the following in your next post:

ESET log

How is your computer running now?

See less See more

Save

jmcinwpg

Discussion Starter · #9 · Nov 15, 2010

scan took a long time and found 40+ items (win32/olmarik.sc trojan, win32/adware.adon, win32/adware.fakeantispy.O.gen)..i could not see a details tab, only a finish button, then off to a screen to purchase program.?? I am now going to try running it again. Did I do something wrong with that?
btw...computer is running much better...no redirecting

Save

RPMcMurphy

· #10 · Nov 15, 2010

Be sure to copy and paste the details for me - I suspect that most, if not all, of the detections will be from the ComboFix quarantine and your system restore cache.

Save

jmcinwpg

Discussion Starter · #11 · Nov 15, 2010

nevermind that last post...i am an idiot haha

found the log file in the directory for it...

[email protected] as CAB hook log:
OnlineScanner.ocx - delete file error:The process cannot access the file because it is being used by another process.
OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2347b70af69f9b46b423c3e5729015b3
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-15 07:28:35
# local_time=2010-11-15 01:28:35 (-0600, Central Standard Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 1862591 1862591 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=182767
# found=34
# cleaned=0
# scan_time=3355
C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.ADA trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\ricky\Application Data\hotfix.exe.vir a variant of Win32/Adware.FakeAntiSpy.S application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At1.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At10.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At11.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At12.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At13.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At14.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At15.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At16.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At17.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At18.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At19.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At2.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At20.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At21.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At22.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At23.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At24.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At3.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At4.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At5.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At6.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At7.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At8.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At9.job.vir Win32/Adware.FakeAntiSpy.O.Gen application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP649\A0041910.lnk Win32/Adware.ADON application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP653\A0043756.lnk Win32/Adware.ADON application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP653\A0044753.exe a variant of Win32/Adware.FakeAntiSpy.S application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP654\A0045030.exe Win32/Olmarik.SC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0045252.lnk Win32/Adware.ADON application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0045253.lnk Win32/Adware.ADON application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0045259.exe a variant of Win32/PrimeCasino application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\A0045285.exe probably a variant of Win32/TrojanDropper.VB.HYDJMCN trojan 00000000000000000000000000000000 I

still running pretty good...i thought i saw firefox try to go to a different page other than the one i was trying to head to...but then it went to where i was going...no freeze ups, speed is more like normal.

See less See more

Save

RPMcMurphy

· #12 · Nov 15, 2010

As I suspected those are all either in the ComboFix quarantine or the system restore cache. All of those will be removed when we uninstall ComboFix.

Your logs look good. All I have left for you to do are another update and some very important cleanup:

Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version.

Uninstall ComboFix

Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:

DDS
GMER

Download TFC to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean

Reinstall an anti-virus program. Choose one, (but no more) reputable AV program. If you need help chosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

Restart any anti-malware programs that we disabled while we were cleaning your machine.
Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
Avoid using P2P programs. Refer back to my earlier post for more information.
Please this General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

See less See more

Save

jmcinwpg

Discussion Starter · #13 · Nov 16, 2010

Thank you so much for your time, you are amazing! Everything seems to be in order now...no more redirecting, and speedy again!

Save

RPMcMurphy

· #14 · Nov 16, 2010

You're very welcome. Take care.

Save

1 - 14 of 14 Posts

Status: Not open for further replies.

ie8 redirecting to random pages

jmcinwpg

Attachments

RPMcMurphy

jmcinwpg

Attachments

RPMcMurphy

jmcinwpg

RPMcMurphy

jmcinwpg

RPMcMurphy

jmcinwpg

RPMcMurphy

jmcinwpg

RPMcMurphy

jmcinwpg

RPMcMurphy

Top Contributors this Month