Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Suspect Vundo Infection - Please Help! (In Progress)
sjpritch25 (Moderator), 28-Oct-2009, 07:18 PM, #16
Download Combofix from this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________
Microsoft Valuable Professional Consumer--Security 2007-2009
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
verero (Junior Member), 28-Oct-2009, 11:03 PM, #17
I ran combofix (again, as we had done that earlier already) and here's the log.

The joy about Firefox not redirecting Google searches was short-lived. It is doing it again...

ComboFix 09-10-28.01 - Verena 10/28/2009 22:32.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.543 [GMT -4:00]
Running from: c:\documents and settings\Verena\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.
2009-10-25 23:49 . 2009-10-25 23:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-25 20:50 . 2009-10-25 20:54 -------- d-----w- c:\program files\Cobian Backup 9
2009-10-16 02:22 . 2009-10-16 11:05 -------- d-----w- c:\windows\BDOSCAN8
2009-10-16 00:20 . 2009-10-16 00:20 -------- d-----w- c:\documents and settings\Verena\Application Data\Malwarebytes
2009-10-16 00:20 . 2009-10-16 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-15 23:13 . 2009-10-15 23:13 -------- d-----w- C:\VundoFix Backups
2009-10-15 02:04 . 2009-10-15 10:48 -------- d-----w- c:\program files\McAfee
2009-10-15 02:04 . 2009-10-15 10:48 -------- d-----w- c:\program files\Common Files\Network Associates
2009-10-15 02:04 . 2009-10-15 02:04 -------- d-----w- c:\program files\McAfee VirusScan Home Edition 7.02 Demo 30
2009-10-15 01:37 . 2009-10-15 01:37 -------- dc-h--w- c:\windows\ie8
2009-10-14 23:51 . 2009-10-14 23:51 -------- d-----w- c:\program files\Trend Micro
2009-10-14 22:56 . 2009-10-14 22:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-06 23:47 . 2009-10-13 22:22 -------- d-----w- c:\documents and settings\Benjamin\Application Data\LimeWire
2009-10-06 23:04 . 2009-10-06 23:04 -------- d-----w- c:\documents and settings\Benjamin\Application Data\Titanium Gears
2009-10-06 23:03 . 2009-10-06 23:03 -------- d-----w- c:\program files\Music Oasis
2009-10-06 22:33 . 2009-10-06 22:33 -------- d-----w- c:\program files\ezlyrics
2009-10-06 22:32 . 2009-10-13 22:40 -------- d-----w- c:\documents and settings\Benjamin\.jajuk
2009-10-06 22:14 . 2009-10-15 10:44 -------- d-----w- c:\program files\Jajuk
2009-10-06 22:13 . 2009-10-06 22:31 -------- d-----w- c:\documents and settings\Benjamin\Local Settings\Application Data\Mixxx
2009-10-06 22:12 . 2009-10-06 22:13 -------- d-----w- c:\program files\Digital DJ Pro
2009-10-02 03:33 . 2009-10-02 03:33 -------- d-----w- c:\documents and settings\Verena\Application Data\OverDrive
2009-10-02 03:29 . 2009-10-02 03:29 -------- d-----w- c:\program files\OverDrive Media Console
2009-10-01 02:41 . 2009-10-01 02:41 -------- d-----w- C:\My Music
2009-09-30 21:40 . 2009-09-30 21:40 45904 ------w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 11:22 . 2009-10-14 02:23 -------- d-----w- c:\documents and settings\Verena\Local Settings\Application Data\Temp
2009-09-30 00:02 . 2009-09-30 00:02 -------- d-----w- c:\documents and settings\Verena\Local Settings\Application Data\Real
2009-09-30 00:01 . 2009-09-30 00:01 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-29 11:22 . 2009-09-29 11:29 -------- d-----w- c:\documents and settings\Christine\Local Settings\Application Data\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 02:27 . 2009-06-09 22:53 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-29 02:27 . 2009-06-09 22:53 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-25 22:28 . 2005-04-17 18:17 -------- d-----w- c:\documents and settings\Verena\Application Data\Skype
2009-10-25 19:41 . 2007-05-03 14:01 -------- d-----w- c:\program files\ABC Amber PDF2Image Converter
2009-10-24 02:40 . 2005-02-21 13:34 -------- d-----w- c:\program files\Java
2009-10-20 00:15 . 2005-02-21 02:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-19 03:08 . 2005-02-21 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-14 11:02 . 2009-01-08 18:35 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-10-14 10:46 . 2007-12-26 01:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-14 00:17 . 2005-02-21 02:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-13 22:30 . 2009-03-16 18:12 -------- d-----w- c:\documents and settings\Benjamin\Application Data\Skype
2009-10-10 03:26 . 2005-04-17 15:50 -------- d-----w- c:\program files\OpenOffice.org1.1.4
2009-10-08 00:35 . 2009-02-06 00:52 664 ------w- c:\windows\system32\d3d9caps.dat
2009-10-07 11:08 . 2005-06-12 21:40 -------- d-----w- c:\program files\LimeWire
2009-10-07 00:17 . 2008-04-02 23:47 -------- d-----w- c:\program files\TheWeatherNetwork
2009-10-03 19:00 . 2007-01-02 02:32 1100 ------w- c:\windows\system32\d3d8caps.dat
2009-10-03 18:07 . 2009-09-22 11:21 -------- d-----w- c:\documents and settings\Benjamin\Application Data\flightgear.org
2009-10-03 17:54 . 2009-09-21 22:18 413696 ------w- c:\windows\system32\wrap_oal.dll
2009-10-03 17:54 . 2009-09-21 22:18 110592 ------w- c:\windows\system32\OpenAL32.dll
2009-09-30 00:01 . 2005-03-09 06:19 -------- d-----w- c:\program files\Common Files\Real
2009-09-30 00:00 . 2006-03-18 17:46 -------- d-----w- c:\program files\Google
2009-09-23 12:55 . 2009-03-23 16:51 64288 ------w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 11:22 . 2009-09-22 11:22 -------- d-----w- c:\documents and settings\Benjamin\Application Data\fltk.org
2009-09-21 22:35 . 2009-09-21 22:14 -------- d-----w- c:\documents and settings\Verena\Application Data\flightgear.org
2009-09-21 22:18 . 2009-09-21 22:18 -------- d-----w- c:\program files\OpenAL
2009-09-11 14:18 . 2003-03-31 12:00 136192 ------w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-03-31 12:00 58880 ------w- c:\windows\system32\msasn1.dll
2009-09-03 09:17 . 2009-03-23 22:22 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-01 17:11 . 2005-05-25 11:55 45904 -c----w- c:\documents and settings\Benjamin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 12:06 . 2009-04-06 12:57 45904 ------w- c:\documents and settings\Christine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 14:58 . 2009-08-30 14:58 -------- d-----w- c:\documents and settings\Verena\Application Data\SanDisk
2009-08-29 08:08 . 2003-03-31 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2005-04-10 16:00 327896 ------w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-04-10 16:00 209632 ------w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ------w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2005-04-10 16:00 35552 ------w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-02-19 22:27 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2003-03-31 12:00 96480 ------w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2005-04-10 16:00 575704 ------w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-03-19 14:13 274288 ------w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-03-19 14:13 215920 ------w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2005-02-19 22:27 1929952 ------w- c:\windows\system32\wuaueng.dll
2009-08-06 23:09 . 2005-02-19 22:54 45904 -c----w- c:\documents and settings\Verena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2005-02-19 22:52 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2003-03-31 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 19:23 . 2008-11-02 18:02 411368 ------w- c:\windows\system32\deploytk.dll
2004-03-11 18:27 . 2005-02-19 23:11 40960 ------w- c:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-25_23.43.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-02-19 22:32 . 2009-10-29 02:30 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-02-19 22:32 . 2009-02-18 13:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-02-19 22:32 . 2009-10-29 02:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-02-19 22:32 . 2009-02-18 13:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-25 23:49 . 2009-10-26 23:04 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-10-26 22:37 . 2009-10-29 02:30 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-02-19 22:32 . 2009-02-18 13:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Verena\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-08-30 79872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-04-06 1298542]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-07-12 176128]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-17 781656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-30 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Cobian Backup 9 interface"="c:\program files\Cobian Backup 9\cbInterface.exe" [2009-01-22 2749952]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-2-20 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\e81390d7687]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=Digi32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Benjamin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Benjamin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Benjamin\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/23/2009 12:51 PM 64288]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 11:49 AM 77312]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2/21/2005 1:06 AM 6656]
R2 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\Cobian Backup 9\cbService.exe [10/25/2009 4:50 PM 583168]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/14/2009 8:31 PM 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1170768]
S2 gupdate1c9ef8d198317fe;Google Update Service (gupdate1c9ef8d198317fe);c:\program files\Google\Update\GoogleUpdate.exe [6/17/2009 4:49 PM 133104]
S2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2/21/2005 1:06 AM 28672]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-10-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 23:20]
2009-08-03 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2003-03-31 00:12]
2009-07-08 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2003-03-31 00:12]
2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 20:49]
2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 20:49]
2009-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-1604221776-725345543-1005Core.job
- c:\documents and settings\Benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-23 23:46]
2009-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-1604221776-725345543-1005UA.job
- c:\documents and settings\Benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-23 23:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\Verena\Application Data\Mozilla\Firefox\Profiles\umg9o2t7.Default User\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 22:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3580)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Netropa\Multimedia Keyboard\nhkdll.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-10-29 22:44
ComboFix-quarantined-files.txt 2009-10-29 02:44
ComboFix2.txt 2009-10-26 02:17
ComboFix3.txt 2009-10-25 23:50
Pre-Run: 53,699,018,752 bytes free
Post-Run: 53,678,759,936 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - FCF839AB6FCDDBA7F35C4B50F045522F
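Two things in the log above deserve a closer look before the box is declared clean, and the script below (an added example for this thread, not part of the original post and not ComboFix's own code) shows how to pull them out of a ComboFix.txt mechanically instead of eyeballing it. First, the Reg Loading Points section lists a Winlogon Notify subkey with a random, hex-looking name (`e81390d7687`); Vundo/Virtumonde is well known for persisting through exactly this kind of key, so any Notify name that is not one of the stock Windows handlers is worth checking. Second, the Firefox prefs show `browser.search.selectedEngine` set to ICQ Search and `keyword.URL` pointing at search.icq.com, which sends address-bar searches away from Google and fits the redirect complaint. The sample text is constructed from the log lines above plus one benign `crypt32chain` key added as a control; the allow-list of expected search hosts and engines is an assumption for the example.

```python
"""Triage a ComboFix log for two Vundo-era indicators:
random-named Winlogon Notify subkeys and Firefox search prefs
that point somewhere the owner did not choose.

Added example for this thread; not ComboFix code. SAMPLE is
constructed from lines quoted in the log above, plus one benign
'crypt32chain' key as a control.
"""
import re
from typing import List
from urllib.parse import urlparse

# Assumption for this example: where the owner expects searches to go.
EXPECTED_SEARCH_HOSTS = {"www.google.ca", "www.google.com",
                         "www.bing.com", "search.yahoo.com"}
EXPECTED_SEARCH_ENGINES = {"Google"}

# ComboFix prints loading points as bracketed registry keys, one per line.
NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$",
    re.IGNORECASE | re.MULTILINE)
# Firefox prefs appear as "FF - prefs.js: <name> - <value>".
FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$", re.MULTILINE)


def looks_random(name: str) -> bool:
    """Heuristic: Vundo-style Notify names are long hex-only strings mixing
    letters and digits; stock handlers (crypt32chain, ScCertProp, Schedule,
    wlballoon, ...) contain non-hex letters and fail the hex test."""
    return (len(name) >= 8
            and re.fullmatch(r"[0-9a-f]+", name, re.IGNORECASE) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def search_host(value: str) -> str:
    """ComboFix defangs URLs as hxxp://; undo that before parsing the host."""
    return urlparse(value.strip().replace("hxxp", "http", 1)).netloc.lower()


def triage(log_text: str) -> List[str]:
    """Return a list of findings, in log order, for a human to follow up."""
    findings = []
    for name in NOTIFY_KEY.findall(log_text):
        if looks_random(name):
            findings.append(f"winlogon-notify:{name}")
    for pref, value in FF_PREF.findall(log_text):
        if pref == "keyword.URL":
            host = search_host(value)
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(f"ff-keyword-url:{host}")
        elif pref == "browser.search.selectedEngine":
            if value.strip() not in EXPECTED_SEARCH_ENGINES:
                findings.append(f"ff-search-engine:{value.strip()}")
    return findings


# Constructed sample: lines from the posted log plus a benign control key.
SAMPLE = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SpybotSD TeaTimer"="c:\\program files\\Spybot - Search & Destroy\\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\e81390d7687]
[BU]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\crypt32chain]
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The heuristic only flags; it does not clean. On the live machine the Notify key should be exported and the DLL it references checked before anything is deleted, since a bad Notify entry can leave winlogon unable to load the desktop.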
sjpritch25 (Moderator), 30-Oct-2009, 10:16 PM, #18
Do me a favor

Please open Malwarebytes
Update to the latest definitions, run a Quick Scan, and post the results.


Also, let's check for another infection.


Download GMER Antirootkit Here, click on Download EXE and save to your Desktop
  • Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the "Rootkit" Tab
  • On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or pressing Ctrl+V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | run |type cmd and hit Enter)
    • Type or paste the following to unload the gmer driver:
    • net stop gmer
    • Hit Enter
    • Exit the command prompt.
  • Re-enable all active protection.
verero (Junior Member), 30-Oct-2009, 11:10 PM, #19
I already ran GMER a couple of posts ago. Do you want me to run it again? (When entering the command line to unload the driver I got a notice that it does not exist as an installed service.) I will update and run Malwarebytes now and then GMER again, if you need.
verero (Junior Member), 31-Oct-2009, 12:41 AM, #20
Malwarebytes Log:

Malwarebytes' Anti-Malware 1.41
Database version: 3064
Windows 5.1.2600 Service Pack 3
10/30/2009 11:22:17 PM
mbam-log-2009-10-30 (23-22-17).txt
Scan type: Quick Scan
Objects scanned: 124222
Time elapsed: 4 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
sjpritch25 (Moderator), 02-Nov-2009, 07:31 PM, #21
Sorry for the delay, how is everything running?
verero (Junior Member), 07-Nov-2009, 09:37 AM, #22
Oh, don't apologize! I'm so glad you helped. I still couldn't get to my email program and had a chance to send my computer to a shop with someone this week, which is what I did. I am on my husband's laptop now and once I get my machine back, I will honor my promise and donate to this site that helps out so many people. Thank you so much for all your time!
sjpritch25 (Moderator), 07-Nov-2009, 10:37 AM, #23
Well, glad to hear it's being fixed.
Tags: virtumonde, vundo
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.