Old 02-21-2009, 03:01 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 11
OS: XP


Post Google redirect problem

I seem to have the recently popular Google redirect virus/malware. Regardless of the Google search term I use, the results are always unrelated, marketing-related web site results. I downloaded StopSign anti virus scanning software that found and removed some problem items (according to StopSign). Still have the same problem so have attached the log files requested. Using Windows XP Home Edition and IE 6.0.2900.2180.xpsp_sp2_rtm.040803-2158. Any help in removing this problem is appreciated.

Frodocyber



DDS (Ver_09-02-01.01) - NTFSx86
Run by Compaq_Owner at 15:52:37.48 on Sat 02/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.232 [GMT -5:00]

AV: StopSign Antivirus FREE TRIAL diagnostic version *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Symantec\WinFax\wfxctl32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/index.html
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [WildTangent CDA] "c:\program files\wildtangent\apps\cda\gamedrvr.exe" /startup "c:\program files\wildtangent\apps\cda\cdaEngine0500.dll"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iamapp] c:\program files\norton internet security\IAMAPP.EXE
mRun: [NAV Agent] c:\progra~1\norton~1\navapw32.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe
mRun: [webscan] "c:\program files\acceleration software\anti-virus\stopsignav.exe" -k
mRun: [SoftwareStation] "c:\program files\eacceleration\station\station.exe" /b Startup
mRun: [eanth_critical_update_alert] c:\progra~1\accele~1\anti-v~1\EANTH_~1.EXE /Startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\winfax~2.lnk - c:\windows\system32\wfxsnt40.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\winfax~1.lnk - c:\program files\symantec\winfax\wfxctl32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
TCP: {782C3CFC-5924-4C68-B2AD-D5B102E227A5} = 69.50.57.10 137.118.1.32
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2009-2-13 111952]
R2 eac_productsvc;eAcceleration Product Manager Service;c:\progra~1\eaccel~1\framew~1\eac_productsvc.exe [2009-2-13 263504]
R2 NISSERV;Norton Internet Security Service;c:\program files\norton internet security\NISSERV.EXE [2001-8-30 62592]
R2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2009-2-13 111952]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]
S2 XAMPP;XAMPP Service;f:\program files\xampplite\service.exe [2006-3-31 60928]
S3 NAVAP;NAVAP;c:\windows\system32\drivers\NAVAP.SYS [2001-8-3 182896]
S3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2001-8-16 115792]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070919.037\NAVENG.Sys [2007-9-23 81232]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070919.037\NavEx15.Sys [2007-9-23 865904]

=============== Created Last 30 ================

2009-02-21 13:11 <DIR> --d----- c:\windows\pss
2009-02-14 19:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Raize
2009-02-14 19:03 <DIR> --d----- c:\program files\Adams Business Forms
2009-02-13 02:01 <DIR> --d----- c:\docume~1\compaq~1\applic~1\eAcceleration
2009-02-13 02:00 <DIR> --d----- c:\program files\Acceleration Software
2009-02-13 01:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\eAcceleration
2009-02-13 01:59 <DIR> --d----- c:\program files\eAcceleration
2009-02-13 01:59 <DIR> --d----- c:\program files\common files\eAcceleration
2009-02-12 12:18 64 a------- c:\windows\QBWCD.INI
2009-02-12 12:18 65,024 a------- c:\windows\Icg32.dll
2009-02-12 12:18 6,472 a------- c:\windows\Icoadb32.dat
2009-02-12 12:18 <DIR> --d----- c:\windows\Intuit
2009-02-10 09:53 10,820 a---h--- c:\windows\system32\jeterr35.GID

==================== Find3M ====================

2008-11-11 10:15 136 a---h--- c:\docume~1\compaq~1\applic~1\lakerda1967.sys

============= FINISH: 15:52:53.39 ===============
Attached Files
File Type: zip Attach.zip (3.9 KB, 3 views)

Old 02-23-2009, 04:16 AM   #2 (permalink)
Moderator, Analyst, Security Team
 
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Google redirect problem

Hello and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear.

Please DO NOT Attach logs to your posts unless you are advised to do so.

========

First off, I would remove StopSign Antivirus, as StopSign was once listed as a rogue antivirus.
http://msmvps.com/blogs/donna/archiv.../12/70160.aspx

=========

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
Old 02-23-2009, 07:20 AM   #3 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 11
OS: XP


Re: Google redirect problem

Combofix ran as advertised and log file attached. My system has two physical hard drives, C and F. I did not see any scan information related to the F drive. Is that a function that combofix should have known? Snow storm here so may lose power for a while but will be back on the forum as soon as possible.

ComboFix 09-02-21.01 - Compaq_Owner 2009-02-23 8:57:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.139 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\wdmaud.sys
c:\windows\winhelp.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-21 16:18 . 2009-02-21 16:18 250 --a------ c:\windows\gmer.ini
2009-02-14 19:22 . 2009-02-14 19:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raize
2009-02-14 19:03 . 2009-02-14 19:03 <DIR> d-------- c:\program files\Adams Business Forms
2009-02-12 12:18 . 2009-02-12 12:18 <DIR> d-------- c:\windows\Intuit
2009-02-12 12:18 . 1998-07-31 17:00 65,024 --a------ c:\windows\Icg32.dll
2009-02-12 12:18 . 1998-06-29 16:39 6,472 --a------ c:\windows\Icoadb32.dat
2009-02-12 12:18 . 2009-02-12 12:18 64 --a------ c:\windows\QBWCD.INI
2009-02-10 09:53 . 2009-02-10 09:53 10,820 --ah----- c:\windows\system32\jeterr35.GID

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 13:55 --------- d-----w c:\program files\Norton Internet Security
2009-02-23 13:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-21 19:00 --------- d-----w c:\program files\QuickTime
2009-02-21 18:08 --------- d-----w c:\program files\Sonic
2009-02-21 18:08 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-21 18:02 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Netscape
2009-02-13 13:33 --------- d-----w c:\program files\ASAP Utilities
2009-01-15 16:35 --------- d-----w c:\program files\Microsoft Office 97Pro
2008-11-11 15:15 136 ---ha-w c:\documents and settings\Compaq_Owner\Application Data\lakerda1967.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"iamapp"="c:\program files\Norton Internet Security\IAMAPP.EXE" [2001-08-30 373888]
"NAV Agent"="c:\progra~1\NORTON~1\navapw32.exe" [2001-08-16 74832]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-09-23 95960]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-02 180269]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
WinFax Application Port Starter.lnk - c:\windows\system32\wfxsnt40.exe [1996-11-05 36352]
WinFax PRO Controller.lnk - c:\program files\Symantec\WinFax\wfxctl32.exe [1997-04-30 400384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-12-02 36903]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

R2 NISSERV;Norton Internet Security Service;c:\program files\Norton Internet Security\NISSERV.EXE [2001-08-30 62592]
S2 XAMPP;XAMPP Service;f:\program files\xampplite\service.exe [2006-03-31 60928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2006-05-24 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1140641398.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2009-02-21 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2001-08-16 17:15]

2009-02-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\GameDrvr.exe
HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/index.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 08:59:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mysql]
"ImagePath"="\"f:\program files\xampplite\mysql\bin\mysqld-nt\" \"--defaults-file=f:\program files\xampplite\mysql\bin\my.cnf\" mysql"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-23 9:00:48
ComboFix-quarantined-files.txt 2009-02-23 14:00:42

Pre-Run: 140,136,275,968 bytes free
Post-Run: 140,566,347,776 bytes free

118 --- E O F --- 2007-09-22 23:04:15


Frodocyber
Attached Files
File Type: txt ComboFix.txt (7.3 KB, 3 views)

Last edited by TheBruce1; 02-23-2009 at 09:25 AM.
Old 02-23-2009, 09:47 AM   #4 (permalink)
Moderator, Analyst, Security Team
 
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Google redirect problem

Hello again

Hopefully there are no problems with the snowstorm.

Quote:
My system has two physical hard drives, C and F. I did not see any scan information related to the F drive. Is that a function that combofix should have known?
What is on the F drive?

=========

Also please read instructions carefully.

Quote:
Please DO NOT Attach logs to your posts unless you are advised to do so.
==========

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

WildTangent Web Driver (Optional) <--- Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it's not technically considered spyware, it does have built-in components to update itself and gather information about the computer system, including:

* Operating System Version
* CPU Type and Speed
* Memory Amount
* Video Card type and Driver Version
* Sound Card type and Driver Version
* DirectX Version
* Location that the Web Driver was installed from


===========

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=-
Save the file as "Fix.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the Fix.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

==========

JAVA OUTDATED


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 12. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

=========

Download ATF-Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

==========

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

==========

Run DDS again and post the DDS.txt in your reply along with the Kaspersky scan report for review. Also an update on how your system is running.
Last edited by TheBruce1; 02-23-2009 at 10:12 AM.
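
What merging the Fix.reg from the post above does, as an added example that is not part of the original post: a small Python model of the REGEDIT4 rules, applied to an in-memory dictionary rather than the real registry. The `apply_reg` function, the dictionary layout and the `wave` sibling value are assumptions made for illustration; the point is that `"aux"=-` removes only that one value, a `[-key]` line would remove the whole key, and a file without the REGEDIT4 header is rejected.

```python
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

# Key path from the ComboFix log, lowercased because registry paths are case-insensitive.
DRIVERS32 = r"hkey_local_machine\software\microsoft\windows nt\currentversion\drivers32"

# The Fix.reg text exactly as quoted in the post.
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=-
'''


def sample_registry():
    """Constructed model: "aux" as ComboFix reported it, "wave" as a constructed sibling."""
    return {DRIVERS32: {"aux": "wdmaud.sys", "wave": "wdmaud.drv"}}


def _unquote(token):
    """Strip the surrounding quotes and undo backslash escapes."""
    return re.sub(r'\\(.)', r'\1', token[1:-1])


def apply_reg(text, registry):
    """Apply .reg text to registry (dict: key path -> {value name: data}).

    Returns a list of (action, key, value_name) tuples describing each change.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 header: not a registry script")

    actions, current = [], None
    for ln in lines[1:]:
        m = KEY_RE.match(ln)
        if m:
            key = m.group(2).lower()
            if m.group(1) == "-":
                # [-key] deletes the key together with all of its subkeys.
                doomed = [k for k in registry
                          if k == key or k.startswith(key + "\\")]
                for k in doomed:
                    del registry[k]
                actions.append(("delete-key", key, None))
                current = None
            else:
                registry.setdefault(key, {})
                current = key
            continue

        m = VALUE_RE.match(ln)
        if not m or current is None:
            raise ValueError(f"unparseable line: {ln!r}")
        name = "" if m.group(1) == "@" else _unquote(m.group(1)).lower()
        data = m.group(2).strip()

        if data == "-":
            # "name"=- deletes one value and leaves the key and its siblings alone.
            existed = registry[current].pop(name, None) is not None
            actions.append(("delete-value" if existed else "no-op", current, name))
        elif data.startswith("dword:"):
            registry[current][name] = int(data[6:], 16)
            actions.append(("set", current, name))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            registry[current][name] = _unquote(data)
            actions.append(("set", current, name))
        else:
            raise ValueError(f"unsupported data type: {ln!r}")
    return actions


if __name__ == "__main__":
    reg = sample_registry()
    for action in apply_reg(FIX_REG, reg):
        print(action)
    print(reg)
```
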
Old 02-23-2009, 10:11 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 11
OS: XP


Re: Google redirect problem

Finally completed the requested actions. Took a while with my slow dialup internet connection and very large file downloads. I was worrying all day that a power failure from the snow storm would interrupt the fun.

My F drive was retained from a previous computer since it contained many programs and data that was irreplaceable. It is installed as a slave with the C drive as the master system drive. Works very fast with many programs on one drive and associated data on another. I have attached a screen shot of each to help clarify.

By the way Kaspersky did scan the F drive.

I have checked several searches with Google and all is well again. Whatever had infected this machine seems to be gone now. Thanks a bunch for all your great effort. Is there anything else I need to do to wrap this up?

Frodocyber


Here is DDS:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Compaq_Owner at 23:42:36.62 on Mon 02/23/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.180 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Symantec\WinFax\wfxctl32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\jkos-Compaq_Owner\binaries\ScanningProcess.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\Virus stuff\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/index.html
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iamapp] c:\program files\norton internet security\IAMAPP.EXE
mRun: [NAV Agent] c:\progra~1\norton~1\navapw32.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\winfax~2.lnk - c:\windows\system32\wfxsnt40.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\winfax~1.lnk - c:\program files\symantec\winfax\wfxctl32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {782C3CFC-5924-4C68-B2AD-D5B102E227A5} = 69.50.57.10 137.118.1.32
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R2 NISSERV;Norton Internet Security Service;c:\program files\norton internet security\NISSERV.EXE [2001-8-30 62592]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]
S2 XAMPP;XAMPP Service;f:\program files\xampplite\service.exe [2006-3-31 60928]
S3 NAVAP;NAVAP;c:\windows\system32\drivers\NAVAP.SYS [2001-8-3 182896]
S3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2001-8-16 115792]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070919.037\NAVENG.Sys [2007-9-23 81232]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070919.037\NavEx15.Sys [2007-9-23 865904]

=============== Created Last 30 ================

2009-02-23 15:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-23 15:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-23 08:57 161,792 a------- c:\windows\SWREG.exe
2009-02-23 08:57 98,816 a------- c:\windows\sed.exe
2009-02-21 16:18 250 a------- c:\windows\gmer.ini
2009-02-21 13:11 <DIR> --d----- c:\windows\pss
2009-02-14 19:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Raize
2009-02-14 19:03 <DIR> --d----- c:\program files\Adams Business Forms
2009-02-12 12:18 64 a------- c:\windows\QBWCD.INI
2009-02-12 12:18 65,024 a------- c:\windows\Icg32.dll
2009-02-12 12:18 6,472 a------- c:\windows\Icoadb32.dat
2009-02-12 12:18 <DIR> --d----- c:\windows\Intuit
2009-02-10 09:53 10,820 a---h--- c:\windows\system32\jeterr35.GID

==================== Find3M ====================

2008-11-11 10:15 136 a---h--- c:\docume~1\compaq~1\applic~1\lakerda1967.sys

============= FINISH: 23:43:01.73 ===============


And here is KAS:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, February 23, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, February 24, 2009 01:08:38
Records in database: 1836295
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
J:\
K:\
L:\
M:\

Scan statistics:
Files scanned: 134384
Threat name: 2
Infected objects: 6
Suspicious objects: 2
Duration of the scan: 02:27:48


File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Owner\Application Data\Identities\{5E41BDC3-3E9B-4A7D-ADED-969491FFC466}\Microsoft\Outlook Express\Family.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Compaq_Owner\Application Data\Identities\{5E41BDC3-3E9B-4A7D-ADED-969491FFC466}\Microsoft\Outlook Express\scam folder.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\hp\bin\wbug\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\Apps\APP26745\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\Apps\APP26745\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.
Attached Files
File Type: zip Attach.zip (3.6 KB, 0 views)
frodocyber is offline  
Old 02-23-2009, 10:15 PM   #6 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 11
OS: XP


Re: Google redirect problem

Oops! Forgot the screen shots!
Attached Files
File Type: doc Screenshots C and F drive.doc (141.0 KB, 1 views)
frodocyber is offline  
Old 02-24-2009, 05:50 AM   #7 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Google redirect problem

Hello again

Just a few things to tidy up.

Quote:
C:\Documents and Settings\Compaq_Owner\Application Data\Identities\{5E41BDC3-3E9B-4A7D-ADED-969491FFC466}\Microsoft\Outlook Express\Family.dbx
C:\Documents and Settings\Compaq_Owner\Application Data\Identities\{5E41BDC3-3E9B-4A7D-ADED-969491FFC466}\Microsoft\Outlook Express\scam folder.dbx
You'll need to clear/delete the e-mails stored in those highlighted folders as Kaspersky has flagged one or more of them as Trojan-Spy.HTML.Fraud.gen 1. We do not know which ones are being flagged, so it would be best if you cleared them all.

==========

Open notepad and copy/paste the text in the quotebox below into it:

Code:
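@echo off
rem Start with a clean log of items that could not be removed.
if exist "%temp%\log.txt" del "%temp%\log.txt"
rem Delete the flagged installer files; log any that are still present.
for %%g in (
    "D:\I386\Apps\APP26745\src\CompaqPresario_Spring06.exe"
    "D:\I386\Apps\APP26745\src\HPPavillion_Spring06.exe"
) do (
    del /a/f/q %%g >nul 2>&1
    if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Remove the flagged folder and its contents; log it if it is still present.
for %%g in (
    "C:\hp\bin\wbug"
) do (
    rd /s/q %%g >nul 2>&1
    if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Show the log if anything was left behind, otherwise report success.
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause

rem Wait 7 seconds using the nircmd utility, then delete this batch file.
nircmd wait 7000
del %0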
Save this as Delete.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on Delete.bat & allow it to run. You may delete the file afterwards.

===========

If there are no further issues, continue below.

==========

Delete DDS from your desktop.

Click Start>Run and type or copy/paste the following command then hit enter to uninstall gmer.

%systemroot%\gmer_uninstall.cmd

You can keep ATF-Cleaner if you wish, otherwise delete from desktop.

============

Well done, your logs are clean.

Click start>run>type(or copy/paste command into run box):

ComboFix /u

Click ok.

============

Clear IE6 cookies

*Open IE and click Tools
*Click on Internet Options
*Click on General Tab
*Click on Delete Temp Files & Cookies buttons.


Clear IE7 cookies

*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.


Clear Firefox cookies/cache

• Select "Tools"
• Select "Options".
• Select "Privacy".
• In "Settings" window put the check mark for Cookies, Cache, Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES

1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended).

Microsoft updates are released every second Tuesday of each month, which is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.


For Internet Explorer users:
WOT for IE

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
Malwarebytes' Anti-Malware

SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items

------------------------------------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

If you're having trouble downloading & extracting, see the link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the host file, double click on it and a new window will open.

Double-click on mvps.bat and follow the prompts.

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Secunia PSI is a programme that will alert you to vulnerabilities and outdated programs you have installed, such as Java, Flash Player and many more.

It can also alert you if you have not installed the latest patches from Microsoft.

==============================================

Also, please take a look at this well written article:

PC Safety and Security--What Do I Need?

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, as we may mark this as resolved, thanks.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in any way, please consider Donating
TheBruce1 is offline  
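
Added example (not part of TheBruce1's post): the HOSTS mechanism described above for the MVPS file works in both directions, so the same file is worth checking for names mapped to anything other than the local machine. The sketch below runs on a constructed sample; the hostnames, the 203.0.113.7 address and the function name audit_hosts are assumptions made for this example.

```python
import ipaddress

# Constructed sample HOSTS content (not taken from the machine in this thread).
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1       localhost
127.0.0.1 ads.example.net tracker.example.net   # blocked ad hosts
0.0.0.0 banner.example.org
203.0.113.7 www.search.example   # points away from this machine
not-an-ip broken.example
::1 localhost
"""


def audit_hosts(text):
    """Sort HOSTS entries into blocked names, remapped names and bad lines."""
    blocked, remapped, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # comments start at '#'
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, line))
            continue
        if len(fields) < 2:                       # address with no hostname
            malformed.append((lineno, line))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in (f.lower() for f in fields[1:]):
            if local and name == "localhost":
                continue                          # the normal default entry
            if local:
                blocked.append(name)              # name resolves to this PC
            else:
                # Name is forced to a remote address: review by hand.
                remapped.append((lineno, name, str(addr)))
    return blocked, remapped, malformed


if __name__ == "__main__":
    blocked, remapped, malformed = audit_hosts(SAMPLE_HOSTS)
    print(len(blocked), "blocked names")
    for lineno, name, addr in remapped:
        print("line %d: %s -> %s (not local, check this entry)" % (lineno, name, addr))
    for lineno, line in malformed:
        print("line %d: could not parse: %s" % (lineno, line))
```

To audit a real file, pass its contents to audit_hosts; on Windows XP the file is C:\WINDOWS\system32\drivers\etc\hosts.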
Old 02-24-2009, 07:10 AM   #8 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 11
OS: XP


Re: Google redirect problem

Thanks for all your good work. PC is back to normal again.

Frodocyber
frodocyber is offline  
Old 02-24-2009, 10:17 AM   #9 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Google redirect problem

You're welcome, take care
TheBruce1 is offline  
 





All times are GMT -7. The time now is 03:36 PM.


