Solved: Fake Antivirus followed by Google redirect, help!
attila53 | Junior Member with 27 posts | Join Date: Sep 2010 | Experience: Beginner
05-Sep-2010, 06:53 PM #1
Last night I got a fake Antivirus warning on my computer, I scanned with MBAM, Spybot and AVG and that seemed to remove it, but now I have constant Google redirects and pop ups. I have run MBAM multiple times (8 so far) and it continues to find trojans every single time. Not sure what to do.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:48:16 PM, on 05/09/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Qpizia.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hide My IP 2007\SecureSrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
c:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Malwarebytes' Anti-Malware\mapp.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\VS7JIT.EXE
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Qwm.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winwarepro.microsoft.com
O1 - Hosts: 91.212.127.226 winwarepro.com
O1 - Hosts: 91.212.127.226 www.winwarepro.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mapp.exe" /runcleanupscript
O4 - HKLM\..\Run: [Acronis Toolbar Helper] rundll32.exe "C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll", StartProt
O4 - HKLM\..\Run: [awwxxwaudio] rundll32.exe "fcbxvs.dll",s
O4 - HKLM\..\Run: [cbxwursys] rundll32.exe "jkjifd.dll",s
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [XBV6RD5SZF] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Qwm.exe
O4 - HKCU\..\Run: [khebcdaudio] rundll32.exe "fcbxvs.dll",s
O4 - HKUS\S-1-5-18\..\Run: [iifedasys] rundll32.exe "jkjifd.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [khecccaudio] rundll32.exe "fcbxvs.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iifedasys] rundll32.exe "jkjifd.dll",s (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/20.10/uploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1199562376500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\winamnc.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2007\SecureSrv.exe
O23 - Service: Windows System Backup Dumper (winbackupdumper-id19efPdawkNJm) - Unknown owner - C:\WINDOWS\system32\winbudump.exe
--
End of file - 13633 bytes
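A first-pass triage of the log above, as an added example (this is not from the thread and not part of HijackThis itself): it pulls out the entry classes a helper reads first. The heuristics are mine, and they are pointers for a human rather than verdicts: O1 hosts lines that resolve to anything other than loopback, O4 Run keys that load a DLL by bare filename through rundll32 (so it is found via the DLL search path rather than a fixed location) or that start an executable out of the user's Temp folder, O10 Winsock LSP modules HijackThis cannot attribute, a populated O20 AppInit_DLLs value, and O23 services with no vendor information whose binary lives in system32. The sample lines are copied from the posted log, with a few benign entries from the same log left in so the rules have something to ignore.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Lines excerpted from the HijackThis log posted above (not invented), including some
# benign entries from the same log so the rules are seen leaving them alone.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winwarepro.microsoft.com
O1 - Hosts: 91.212.127.226 www.winwarepro.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [awwxxwaudio] rundll32.exe "fcbxvs.dll",s
O4 - HKCU\..\Run: [XBV6RD5SZF] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Qwm.exe
O4 - HKUS\S-1-5-18\..\Run: [iifedasys] rundll32.exe "jkjifd.dll",s (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\winamnc.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2007\SecureSrv.exe
O23 - Service: Windows System Backup Dumper (winbackupdumper-id19efPdawkNJm) - Unknown owner - C:\WINDOWS\system32\winbudump.exe
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# O4 - <hive>\..\Run: [<value name>] <command>
RUN_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
# rundll32 given a DLL with no directory component at all
BARE_RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^"\\,\s]+\.dll)"?', re.IGNORECASE)
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# O23 - Service: <display name (short name)> - <vendor or 'Unknown owner'> - <path>
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per distinct HijackThis line that matches a heuristic."""
    findings: list[Finding] = []
    seen: set[str] = set()

    def flag(section: str, reason: str, line: str) -> None:
        if line not in seen:  # HijackThis repeats the O10 LSP line verbatim
            seen.add(line)
            findings.append(Finding(section, reason, line))

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in LOOPBACK:
                flag("O1", f"hosts file pins {host} to {ip}", line)
        elif m := RUN_RE.match(line):
            hive, name, cmd = m.groups()
            if d := BARE_RUNDLL_RE.match(cmd):
                flag("O4", f"{hive} Run [{name}] loads {d.group(1)} by bare name via rundll32", line)
            elif TEMP_RE.search(cmd):
                flag("O4", f"{hive} Run [{name}] starts an executable from the user Temp folder", line)
        elif line.startswith("O10 - Unknown file in Winsock LSP:"):
            flag("O10", "Winsock LSP module HijackThis cannot attribute", line)
        elif line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            flag("O20", "AppInit_DLLs injects this DLL into every process that loads user32.dll", line)
        elif m := SERVICE_RE.match(line):
            _name, owner, path = m.groups()
            # 'Unknown owner' alone is weak (legitimate third-party services show it too);
            # combine it with the binary sitting in system32.
            if owner == "Unknown owner" and "\\windows\\system32\\" in path.lower():
                flag("O23", "service with no vendor information running from system32", line)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(results))
```

Two caveats a practitioner would keep in mind: the bare-name rundll32 rule does not catch a DLL loaded by full path, and the O23 rule deliberately ignores "Unknown owner" services outside system32 (the SecureSrv line in the sample is left alone for exactly that reason), so a quiet result is not a clean result.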
Raktor | Member with 33 posts | Join Date: Sep 2010 | Experience: Einstein
05-Sep-2010, 08:35 PM #2
Hi, welcome to the TSG Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:

  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.


1) MBRCheck
Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.


2) DDS
Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

3) GMER
Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



4) What You Will Need To Post:
  • MBRCheck log
  • DDS logs
  • GMER log
attila53 | Junior Member with 27 posts | Join Date: Sep 2010 | Experience: Beginner
05-Sep-2010, 08:40 PM #3
Thank you! Here is the MBRcheck log, other logs to follow shortly.

MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x000003dc
Kernel Drivers (total 129):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E2000 \WINDOWS\system32\hal.dll
0xF7A7C000 \WINDOWS\system32\KDCOM.DLL
0xF798C000 \WINDOWS\system32\BOOTVID.dll
0xF757C000 klmdb.sys
0xF744D000 ACPI.sys
0xF7A7E000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF743C000 pci.sys
0xF758C000 isapnp.sys
0xF759C000 ohci1394.sys
0xF75AC000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7B44000 pciide.sys
0xF77FC000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A80000 viaide.sys
0xF7A82000 intelide.sys
0xF75BC000 MountMgr.sys
0xF741D000 ftdisk.sys
0xF7A84000 tsk13.tmp
0xF73F7000 dmio.sys
0xF7804000 PartMgr.sys
0xF75CC000 VolSnap.sys
0xF7322000 iaStor.sys
0xF730A000 atapi.sys
0xF72C7000 ftsata2.sys
0xF72AF000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF75DC000 disk.sys
0xF75EC000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF728F000 fltMgr.sys
0xF727D000 sr.sys
0xF75FC000 bb-run.sys
0xF760C000 PxHelp20.sys
0xF7266000 KSecDD.sys
0xF71D9000 Ntfs.sys
0xF71AC000 NDIS.sys
0xF7191000 Mup.sys
0xF768C000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF664B000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6637000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF791C000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6614000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7924000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF769C000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF76AC000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76BC000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF65F1000 \SystemRoot\system32\DRIVERS\ks.sys
0xF792C000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF65CC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7934000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF65B8000 \SystemRoot\system32\DRIVERS\parport.sys
0xF76CC000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF793C000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF7944000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7ABA000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xF794C000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7ABC000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xF64AC000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF7954000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6499000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF76DC000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7A68000 \SystemRoot\system32\DRIVERS\arpolicy.sys
0xF7B79000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF76EC000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A6C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6482000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76FC000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF770C000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF795C000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6471000 \SystemRoot\system32\DRIVERS\psched.sys
0xF771C000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7964000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF796C000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6440000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF772C000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7ABE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF63E7000 \SystemRoot\system32\DRIVERS\update.sys
0xF7161000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF773C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF776C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7AC0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF1EF6000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF1ED4000 \SystemRoot\system32\drivers\portcls.sys
0xF778C000 \SystemRoot\system32\drivers\drmk.sys
0xF7AC6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C2A000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AC8000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7814000 \SystemRoot\System32\drivers\vga.sys
0xF7ACA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7ACC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7854000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF785C000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF1EC0000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF1DF0000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF1D98000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF1D70000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF1D4F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF779C000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF1EB0000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF1D2D000 \SystemRoot\System32\drivers\afd.sys
0xF77AC000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF1D02000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF77BC000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF1C6B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF77CC000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7864000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7874000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xF1C1A000 \SystemRoot\System32\Drivers\avgldx86.sys
0xF1BF7000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF1BDF000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B0C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF1EC4000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78DC000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C20000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF051000 \SystemRoot\System32\ati2cqag.dll
0xBF08A000 \SystemRoot\System32\atikvmag.dll
0xBF0BF000 \SystemRoot\System32\ati3duag.dll
0xBF30C000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB85CC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB8274000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB825F000 \SystemRoot\system32\drivers\wdmaud.sys
0xB8358000 \SystemRoot\system32\drivers\sysaudio.sys
0xB7F28000 \SystemRoot\System32\Drivers\HTTP.sys
0xB7E81000 \SystemRoot\system32\DRIVERS\srv.sys
0xB81B4000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB6FF6000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 63):
0 System Idle Process
4 System
648 C:\WINDOWS\system32\smss.exe
720 csrss.exe
748 C:\WINDOWS\system32\winlogon.exe
796 C:\WINDOWS\system32\services.exe
808 C:\WINDOWS\system32\lsass.exe
996 C:\WINDOWS\system32\ati2evxx.exe
1016 C:\WINDOWS\system32\svchost.exe
1104 svchost.exe
1144 C:\WINDOWS\system32\svchost.exe
1236 svchost.exe
1308 svchost.exe
1364 C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
1600 C:\WINDOWS\system32\spoolsv.exe
1712 C:\WINDOWS\system32\ati2evxx.exe
1748 svchost.exe
1804 C:\WINDOWS\explorer.exe
1908 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1948 C:\WINDOWS\arservice.exe
2008 C:\WINDOWS\system32\rundll32.exe
2036 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
176 C:\Program Files\Bonjour\mDNSResponder.exe
244 C:\WINDOWS\ehome\ehrecvr.exe
476 C:\WINDOWS\ehome\ehSched.exe
1208 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1500 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1688 svchost.exe
1728 C:\WINDOWS\system32\svchost.exe
2072 C:\WINDOWS\system32\winbudump.exe
2140 C:\Program Files\AVG\AVG8\avgrsx.exe
2264 mcrdsvc.exe
3016 alg.exe
3148 C:\WINDOWS\system32\dllhost.exe
3268 C:\WINDOWS\ehome\ehtray.exe
3312 C:\WINDOWS\arpwrmsg.exe
3388 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3420 C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
3480 C:\WINDOWS\ehome\ehmsas.exe
3500 C:\Program Files\Hide My IP 2007\SecureSrv.exe
3572 C:\Program Files\iTunes\iTunesHelper.exe
3688 C:\WINDOWS\system32\rundll32.exe
3708 C:\WINDOWS\system32\rundll32.exe
3828 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3856 C:\WINDOWS\system32\ctfmon.exe
3872 C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
696 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
1380 C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
1416 C:\Program Files\WinZip\WZQKPICK.EXE
2172 C:\Program Files\iPod\bin\iPodService.exe
2824 C:\WINDOWS\system32\wuauclt.exe
3304 C:\WINDOWS\system32\msiexec.exe
3476 C:\WINDOWS\system32\msiexec.exe
2176 C:\hp\KBD\kbd.exe
500 C:\WINDOWS\RTHDCPL.EXE
3396 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
3968 C:\WINDOWS\system\hpsysdrv.exe
1228 C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
2716 C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
872 C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Qwm.exe
3012 C:\WINDOWS\system32\ctfmon.exe
1832 C:\Program Files\Internet Explorer\iexplore.exe
3400 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`20af2e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
PhysicalDrive0 Model Number: ST3300831AS, Rev: 3.03
Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972

Done!
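What MBRCheck is doing in the log above, as an added example (this is not the tool's own code and not from the thread): read sector 0, confirm the 0x55AA signature, hash the bootcode and look it up in an allowlist, and decode the partition table so the partition start offsets can be checked against the volume offsets the tool printed (D: at 0x7e00, C: at 0x220af2e00). The MBR image here is constructed so that its two partitions land on exactly those offsets (0x7e00 / 512 = sector 63, 0x220af2e00 / 512 = sector 17,848,215); the partition sizes are made up, the bootcode is zeros, and the one-entry allowlist holds only the SHA1 MBRCheck reported for this machine. Because the constructed bootcode is zeros, the classifier reports it as unknown; fed the real sector 0 of this disk it would be expected to land on the allowlisted hash, provided MBRCheck hashes the same 440-byte code area, which its output does not state.

```python
import hashlib
import struct

SECTOR = 512

# Offsets MBRCheck printed above for this machine: drive letter -> (byte offset, filesystem).
MBRCHECK_REPORTED = {
    "D:": (0x00007E00, "FAT32"),
    "C:": (0x220AF2E00, "NTFS"),
}

# SHA1 MBRCheck reported for the bootcode it judged legitimate on this machine.
# A real tool ships a long allowlist; this one-entry set is only for the demo.
KNOWN_GOOD = {"f75a10171f7488c11ba9a98cec3d186d7a8d3972"}

PARTITION_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}

# Constructed layout (not from the page): start LBAs reproduce the offsets MBRCheck
# reported; sector counts are invented but kept inside a 300 GB ST3300831AS.
CONSTRUCTED_LAYOUT = [
    # (type, start LBA, sector count, bootable)
    (0x0C, 63, 17_848_152, False),          # HP recovery volume (D:)
    (0x07, 17_848_215, 568_089_285, True),  # Windows XP system volume (C:)
]


def build_mbr(layout, bootcode: bytes = b"\x00" * 440) -> bytes:
    """Assemble a 512-byte MBR: bootcode, partition table at offset 446, 0x55AA signature."""
    mbr = bytearray(SECTOR)
    mbr[:440] = bootcode.ljust(440, b"\x00")[:440]
    for i, (ptype, lba, count, bootable) in enumerate(layout):
        # status, CHS start, type, CHS end, LBA start, sector count (all little-endian)
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0x80 if bootable else 0x00, b"\xFE\xFF\xFF",
                         ptype, b"\xFE\xFF\xFF", lba, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Hash the bootcode and decode the four primary partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "type": ptype,
            "fs": PARTITION_TYPES.get(ptype, f"type 0x{ptype:02X}"),
            "bootable": bool(status & 0x80),
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,
        })
    return {
        # Assumption: hash the 440-byte code area (bytes 440-445 hold the disk signature).
        "bootcode_sha1": hashlib.sha1(mbr[:440]).hexdigest(),
        "signature_ok": mbr[510:512] == b"\x55\xAA",
        "partitions": parts,
    }


def classify_bootcode(sha1_hex: str, allowlist: set) -> str:
    """Mirror MBRCheck's two outcomes: known-good code, or code it cannot vouch for."""
    return "legit" if sha1_hex.lower() in allowlist else "unknown bootcode"


def match_volumes(parsed: dict, reported: dict) -> dict:
    """For each volume MBRCheck listed: is there a partition at that byte offset with that filesystem?"""
    return {
        drive: any(p["byte_offset"] == offset and p["fs"].startswith(fs)
                   for p in parsed["partitions"])
        for drive, (offset, fs) in reported.items()
    }


if __name__ == "__main__":
    info = parse_mbr(build_mbr(CONSTRUCTED_LAYOUT))
    print("signature ok:", info["signature_ok"])
    print("bootcode:", classify_bootcode(info["bootcode_sha1"], KNOWN_GOOD), info["bootcode_sha1"])
    for p in info["partitions"]:
        print(f"  #{p['index']} {p['fs']:<12} LBA {p['lba_start']:>10} offset 0x{p['byte_offset']:X}")
    print("matches MBRCheck:", match_volumes(info, MBRCHECK_REPORTED))
```

On a live Windows box the bytes to feed parse_mbr are the first 512 of \\.\PhysicalDrive0, read from an elevated process. The check is only one input: a bootkit that hooks the disk stack can hand a clean copy of sector 0 back to user-mode readers, which is one reason the helper also asks for a GMER scan rather than stopping at "Legit MBR code detected".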
attila53 | Junior Member with 27 posts | Join Date: Sep 2010 | Experience: Beginner
05-Sep-2010, 08:50 PM #4
I'm not sure how to disable script blocking protection to run the DDS tool. I have disabled all my security programs.
Raktor | Member with 33 posts | Join Date: Sep 2010 | Experience: Einstein
05-Sep-2010, 08:58 PM #5
Disabling your security programs should be enough - give it a run.
attila53 | Junior Member with 27 posts | Join Date: Sep 2010 | Experience: Beginner
05-Sep-2010, 09:03 PM #6
Ok, here is the DDS report and attachment.

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 17:00:12.54 on 05/09/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.294 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\winbudump.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hide My IP 2007\SecureSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
c:\WINDOWS\system32\MsiExec.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Qpizia.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Qwm.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.com
============== Pseudo HJT Report ===============
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ljggfgaudio] rundll32.exe "fcbxvs.dll",s
uRun: [XBV6RD5SZF] c:\docume~1\hp_adm~1\locals~1\temp\Qwm.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Acronis Toolbar Helper] rundll32.exe "c:\documents and settings\hp_administrator\local settings\application data\desktop cleanup wizard\dskclnwiz.dll", StartProt
mRun: [hggfggsys] rundll32.exe "jkjifd.dll",s
mRun: [hgdeebaudio] rundll32.exe "fcbxvs.dll",s
dRun: [iifedasys] rundll32.exe "jkjifd.dll",s
dRun: [khecccaudio] rundll32.exe "fcbxvs.dll",s
mExplorerRun: [NoActiveDesktopChanges] 00000000
mExplorerRun: [NoActiveDesktop] 0 (0x0)
mExplorerRun: [NoSaveSettings] 0 (0x0)
mExplorerRun: [ClassicShell] 0 (0x0)
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\securenet.dll
Trusted Zone: trymedia.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/20.10/uploader2.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199562376500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: TPSvc - TPSvc.dll
AppInit_DLLs: c:\windows\system32\winamnc.dll
LSA: Authentication Packages = msv1_0 jkjifd.dll
Hosts: 91.212.127.226 winwarepro.microsoft.com
Hosts: 91.212.127.226 winwarepro.com
Hosts: 91.212.127.226 www.winwarepro.com
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-29 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-9-17 27784]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-8-27 566616]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-29 297752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 winbackupdumper-id19efPdawkNJm;Windows System Backup Dumper;c:\windows\system32\winbudump.exe [2010-9-4 12288]
R3 SecureSrv;SecureSrv;c:\program files\hide my ip 2007\SecureSrv.exe [2007-9-17 368718]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
============== File Associations ===============
.scr=AutoCADScriptFile
=============== Created Last 30 ================
2010-09-05 06:34:44 1456 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-05 05:13:11 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-09-05 05:05:41 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-09-05 04:34:24 75776 ---ha-w- c:\windows\system32\fcbxvs.dll
2010-09-05 04:29:53 92672 --sha-r- c:\windows\system32\ssbezierm.dll
2010-09-05 04:29:47 197632 ----a-w- c:\windows\Qpizia.exe
2010-09-05 04:29:12 39936 ----a-w- c:\windows\system32\winamnc_backup.dll
2010-09-05 04:29:08 83968 ---ha-w- c:\windows\system32\jkjifd.dll
2010-09-05 04:29:05 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-09-05 04:28:56 0 d-sh--w- c:\documents and settings\hp_administrator\.COMMgr
2010-09-05 04:28:53 12288 ----a-w- c:\windows\system32\winbudump.exe
2010-09-05 04:28:52 39936 ----a-w- c:\windows\system32\winamnc.dll
2010-09-05 04:28:13 0 d-----w- c:\docume~1\hp_adm~1\applic~1\95A1655AC7E05C98C37DC415105BA67B
==================== Find3M ====================
2010-09-05 23:15:45 5888 ----a-w- c:\windows\system32\drivers\dmload.sys
2010-06-14 14:30:28 743936 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
2006-06-26 05:12:23 11817800 ----a-w- c:\program files\GoogleEarth.exe
============= FINISH: 17:00:50.82 ===============
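As an added, defender-side example (not part of the original thread, nor code from the DDS/HijackThis tools): a small Python triage script run over a constructed excerpt of the log above. It flags the four persistence patterns visible in that log, namely Run-key entries where rundll32 is given a DLL name with no path (so the DLL is found by search order), a populated AppInit_DLLs value, an LSA Authentication Packages list holding anything beyond msv1_0, and Hosts overrides that send a microsoft.com name to a non-loopback address, and then correlates every DLL it referenced with the "Created Last 30" list so that freshly dropped, hidden files stand out. The finding kinds, severities and the `KNOWN_LSA_PACKAGES` set are my own labels and assumptions, not anything the tools define.

```python
"""Triage a DDS/HijackThis-style autorun log for the persistence patterns
seen in the thread.  Added example: not the DDS tool's code, not the poster's.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on lines from the posted log (a real log is longer).
SAMPLE_LOG = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ljggfgaudio] rundll32.exe "fcbxvs.dll",s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [hggfggsys] rundll32.exe "jkjifd.dll",s
dRun: [khecccaudio] rundll32.exe "fcbxvs.dll",s
AppInit_DLLs: c:\windows\system32\winamnc.dll
LSA: Authentication Packages = msv1_0 jkjifd.dll
Hosts: 127.0.0.1 localhost
Hosts: 91.212.127.226 winwarepro.microsoft.com
Hosts: 91.212.127.226 www.winwarepro.com
=============== Created Last 30 ================
2010-09-05 04:34:24 75776 ---ha-w- c:\windows\system32\fcbxvs.dll
2010-09-05 04:29:08 83968 ---ha-w- c:\windows\system32\jkjifd.dll
2010-09-05 04:28:52 39936 ----a-w- c:\windows\system32\winamnc.dll
"""

RUN_RE = re.compile(r'^[umd]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
HOSTS_RE = re.compile(r'^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)')
# "<date> <time> <size> <8-char attrs> <path>" as DDS prints created files.
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+'
                     r'(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$')
LOOPBACK = {"127.0.0.1", "::1"}
KNOWN_LSA_PACKAGES = {"msv1_0"}   # assumption: the XP default; extend per host


@dataclass
class Finding:
    severity: str
    kind: str
    detail: str
    recent_hidden: bool = False   # set when the DLL was created recently AND is hidden


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    recent_files: dict[str, str] = {}   # lower-case basename -> attribute string

    # Pass 1: remember recently created files so findings can be correlated later.
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            basename = m.group("path").rsplit("\\", 1)[-1].lower()
            recent_files[basename] = m.group("attrs")

    # Pass 2: walk the autorun sections.
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r and "\\" not in r.group("dll"):
                # A bare DLL name makes rundll32 resolve it via the DLL search
                # order; legitimate installers almost always give a full path.
                findings.append(Finding("high", "rundll32-bare-dll",
                                        f"{m.group('name')}: {r.group('dll').strip()}"))
            continue
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append(Finding("high", "appinit-dll", line.split(":", 1)[1].strip()))
            continue
        if line.startswith("LSA: Authentication Packages"):
            # Extra packages run inside lsass.exe with every logon.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in KNOWN_LSA_PACKAGES:
                    findings.append(Finding("high", "lsa-auth-package", pkg))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group("ip") not in LOOPBACK:
            host = m.group("host").lower()
            sev = "high" if host.endswith(".microsoft.com") else "medium"
            findings.append(Finding(sev, "hosts-override", f"{host} -> {m.group('ip')}"))

    # Correlate: a referenced DLL that was also created recently with the hidden
    # attribute set is a strong sign of a dropped component rather than a
    # legitimate helper.
    for f in findings:
        basename = f.detail.rsplit("\\", 1)[-1].rsplit(": ", 1)[-1].lower()
        attrs = recent_files.get(basename)
        if attrs and "h" in attrs:
            f.recent_hidden = True
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "  [created recently, hidden]" if f.recent_hidden else ""
        print(f"{f.severity:6} {f.kind:20} {f.detail}{flag}")
```

On a full log the same two passes apply unchanged; the only tuning a practitioner would do is to add any authentication packages genuinely installed on the host to `KNOWN_LSA_PACKAGES` before trusting the LSA finding.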
attila53's Avatar
Junior Member with 27 posts.
 
Join Date: Sep 2010
Experience: Beginner
05-Sep-2010, 09:08 PM #7
Here is the Gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-05 17:07:08
Windows 5.1.2600 Service Pack 2
Running: 3bsqjn4h.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\fxldypoc.sys

---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Raktor's Avatar
Member with 33 posts.
 
Join Date: Sep 2010
Experience: Einstein
05-Sep-2010, 09:10 PM #8
Download Combofix to your desktop from any of the links below.

Link 1
Link 2


==================================

Double click on ComboFix.exe & follow the prompts. Ensure that you accept the Recovery Console install.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.
attila53's Avatar
Junior Member with 27 posts.
 
Join Date: Sep 2010
Experience: Beginner
05-Sep-2010, 09:30 PM #9
I get an error message that says:

Error - Win32 only

Incompatible OS. ComboFix ony works for worksations with Windows 2000 and XP
(repeated in a bunch of languages)

And then another box pops up titled DISCLAIMER OF WARRANTY ON SOFTWARE with a bunch of warnings about unaffiliated websites.
attila53's Avatar
Junior Member with 27 posts.
 
Join Date: Sep 2010
Experience: Beginner
05-Sep-2010, 09:34 PM #10
Now I get a message telling me that ComboFix has detected that AVG is active and that I must disable it, though I disabled it in the systems tray already?
Raktor's Avatar
Member with 33 posts.
 
Join Date: Sep 2010
Experience: Einstein
05-Sep-2010, 09:49 PM #11
Note: We recommend that you save these instructions to your desktop, or print them out, as we will be going into Safe Mode during part of this fix. Select all of the text, copy (Ctrl+C) and paste (Ctrl+V) to a Notepad (Start->Programs->Accessories) document, then save (Ctrl+S) to your desktop.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.


Rename Combofix.exe to attila.exe, then double click on attila.exe to run it.
Accept the disclaimer of warranty, recovery console etc., and click through the prompts if it warns you about AVG still being active.
Then post the log from C:\Combofix.txt.
attila53's Avatar
Junior Member with 27 posts.
 
Join Date: Sep 2010
Experience: Beginner
05-Sep-2010, 10:44 PM #12
Ok, that didn't work. Everything went fine until ComboFix started running. Then I got a message saying it couldn't run because I didn't have microsoft recovery console, and it asked me if I wanted it to download/install it. I said yes, and then it told me it couldn't because I wasn't connected to the internet. I could not get any connection to the internet, though when I restarted the computer again I could (obviously, since I'm here).

Isn't there a way to completely disable AVG to run ComboFix without going into safe mode? I've closed it from the systems tray but what about ending the process in task manager?

Also, my Google home page is suddenly in French???
Raktor's Avatar
Member with 33 posts.
 
Join Date: Sep 2010
Experience: Einstein
05-Sep-2010, 10:46 PM #13
Follow the instructions again, but go into Safe Mode with Networking - my mistake. Normally AVG disables fine just from the tray icon, it must just be temperamental today. Go for the Safe Mode option.
attila53's Avatar
Junior Member with 27 posts.
 
Join Date: Sep 2010
Experience: Beginner
05-Sep-2010, 11:25 PM #14
Ok, here's the ComboFix log, finally!

Also, not sure if this is relevant, but when ComboFix rebooted my computer I got 6 RUNDLL error messages saying various modules could not be found.

ComboFix 10-09-04.06 - HP_Administrator 05/09/2010 19:01:30.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.621 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\attila.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\HP_Administrator\.COMMgr
c:\documents and settings\HP_Administrator\Local Settings\Application Data\9759320967.exe
c:\documents and settings\HP_Administrator\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll
c:\documents and settings\HP_Administrator\Local Settings\Application Data\Windows Server
c:\documents and settings\HP_Administrator\Local Settings\Application Data\Windows Server\admin.txt
c:\documents and settings\HP_Administrator\Local Settings\Application Data\Windows Server\server.dat
c:\windows\Qpizia.exe
c:\windows\system32\fcbxvs.dll
c:\windows\system32\jkjifd.dll
c:\windows\system32\mlmnkh.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
.
2010-09-05 05:13 . 2010-09-05 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-05 05:08 . 2010-09-05 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-05 05:05 . 2010-09-05 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-09-05 04:29 . 2010-09-05 04:29 92672 --sha-r- c:\windows\system32\ssbezierm.dll
2010-09-05 04:29 . 2010-09-05 04:28 39936 ----a-w- c:\windows\system32\winamnc_backup.dll
2010-09-05 04:29 . 2010-09-06 02:06 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Desktop Cleanup Wizard
2010-09-05 04:29 . 2010-09-05 04:29 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-09-05 04:28 . 2010-09-05 04:29 12288 ----a-w- c:\windows\system32\winbudump.exe
2010-09-05 04:28 . 2010-09-05 04:29 39936 ----a-w- c:\windows\system32\winamnc.dll
2010-09-05 04:28 . 2010-09-05 04:29 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\95A1655AC7E05C98C37DC415105BA67B
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 23:15 . 2004-08-10 05:00 5888 ----a-w- c:\windows\system32\drivers\dmload.sys
2010-09-05 06:46 . 2010-09-05 06:34 1456 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-05 06:43 . 2009-11-07 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 05:26 . 2010-09-05 05:30 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-09-05 05:07 . 2010-09-05 05:05 80729096 ----a-w- c:\documents and settings\All Users\Application Data\PC Tools\DownloadManager\Spyware Doctor8.0\sdsetup_aff_dl.exe
2010-09-05 04:35 . 2006-04-03 16:40 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Azureus
2010-09-04 06:31 . 2010-02-06 04:23 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\vlc
2010-08-31 03:55 . 2006-12-11 01:14 -------- d-----w- c:\program files\My Photo Calendars & Cards
2010-06-23 02:26 . 2010-06-23 02:26 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb24.tmp.exe
2010-06-14 14:30 . 2004-08-10 05:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2006-06-26 05:12 . 2006-06-26 05:12 11817800 ----a-w- c:\program files\GoogleEarth.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 68856]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-01-16 4519832]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NoActiveDesktopChanges"="00000000" [X]
"NoActiveDesktop"="0 (0x0)" [X]
"NoSaveSettings"="0 (0x0)" [X]
"ClassicShell"="0 (0x0)" [X]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-27 27136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-3 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-12-27 36903]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-4-29 122880]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 15:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/10/2008 3:04 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/10/2008 3:03 PM 297752]
R2 winbackupdumper-id19efPdawkNJm;Windows System Backup Dumper;c:\windows\system32\winbudump.exe [04/09/2010 9:28 PM 12288]
R3 SecureSrv;SecureSrv;c:\program files\Hide My IP 2007\SecureSrv.exe [17/09/2007 11:08 PM 368718]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 9:04 PM 135664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 04:03]
2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 04:03]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\windows\system32\securenet.dll
Trusted Zone: trymedia.com
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-ljggfgaudio - fcbxvs.dll
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-Acronis Toolbar Helper - c:\documents and settings\HP_Administrator\Local Settings\Application Data\Desktop Cleanup Wizard\dskclnwiz.dll
HKLM-Run-hggfggsys - jkjifd.dll
HKLM-Run-hgdeebaudio - fcbxvs.dll
HKLM-Run-urrppnaudio - mlmnkh.dll
HKU-Default-Run-iifedasys - jkjifd.dll
HKU-Default-Run-khecccaudio - fcbxvs.dll
HKU-Default-Run-mligedaudio - mlmnkh.dll
Notify-TPSvc - TPSvc.dll
SafeBoot-klmdb.sys

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-05 19:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\securenet.dll
- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-09-05 19:21:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-06 02:21
Pre-Run: 5,538,217,984 bytes free
Post-Run: 4,637,061,120 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - 13B6C899AA9BBEE23A7A9B68150F3CFE
Raktor's Avatar
Member with 33 posts.
 
Join Date: Sep 2010
Experience: Einstein
05-Sep-2010, 11:45 PM #15
You might have to do this all in Safe Mode with Networking again.


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Registry::
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.