Old 03-12-2009, 08:16 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 6
OS: xp


firefox redirect, cannot restore point, cannot log into most virus sites

Hi there, 1st timer here and would like to thank you all in advance.

My symptoms:

The Firefox home page <hXXp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official> goes into a circular redirect with google.com, in which I get a redirect loop message.

When clicking on a search result for Spybot or some (not all) spyware removal sites, I get redirected to <hxxp://72.233.75.196/click.php?c=be1b2e69092574e8f8456a2a7f00>, but most times it goes direct to msn.com.au.

When I start a new tab and copy the URL into the address bar, I get an address not found error. I only get this error on some spyware removal sites. This works on other sites like news.

I was able to install Spybot but it cannot download the includes. So, I downloaded the includes from another machine and installed them. But when I run Spybot, it just goes minimised in the same place as I can see my Norton 360 minimised (lower right corner where I can see the clock, webcam, network and other icons).

I tried Windows Defender and had the same problem with downloading a required file.

Thanks for any help. Here is the DDS log.


DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Administrator at 11:52:06.48 on Fri 13/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1417 [GMT 11:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\BotSpy\TeaTimer.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\sandbox\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=64&bd=PAVILION&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\botspy\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\botspy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [TomTomHOME.exe] "c:\program files\tomtom home\TomTomHOME.exe" -s
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\botspy\SDHelper.dll
DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yuplapp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {00467398-86AE-4796-B2E2-15604877021E} = 85.255.112.39,85.255.112.40
TCP: {5B1431C2-F5AA-47FB-94A0-0465BFD090B5} = 85.255.112.39,85.255.112.40
TCP: {825C5192-C8F7-4B26-AEC7-5978953451B2} = 85.255.115.29,85.255.112.140
TCP: {966C6185-1159-4DF4-8A6B-91DC442366A7} = 85.255.115.29,85.255.112.140
TCP: {D1ED57DB-54BC-4A28-882E-3073C1B6101A} = 85.255.115.29,85.255.112.140
TCP: {FCA55BD7-51DB-4CB6-A17C-FAE37464625F} = 85.255.115.29,85.255.112.140
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: urebgncr - urebgncr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\3k2lf3p9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\3k2lf3p9.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-19 149352]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2008-2-19 214888]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-19 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-19 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-14 1245064]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-3-12 603904]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-8-14 2829696]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090312.019\NAVENG.SYS [2009-3-13 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090312.019\NAVEX15.SYS [2009-3-13 876144]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-8-14 468768]
S2 gupdate1c985eab8f3c156;Google Update Service (gupdate1c985eab8f3c156);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\fardrive.sys --> c:\windows\system32\drivers\FarDrive.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-1-2 13352]

=============== Created Last 30 ================

2009-03-13 00:10 <DIR> --d----- c:\program files\BotSpy
2009-03-12 20:29 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-12 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-12 17:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Fighters
2009-03-12 16:05 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-03-12 16:05 27,904 a------- c:\windows\system32\uxtuneup.dll
2009-03-12 16:05 360,192 a------- c:\windows\system32\TuneUpDefragService.exe
2009-03-12 16:05 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\TuneUp Software
2009-03-12 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUp Software
2009-03-12 16:05 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2009-03-12 16:04 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-11 12:35 <DIR> --d----- c:\program files\Citrix
2009-03-11 12:35 60,744 a------- c:\documents and settings\hp_administrator\g2mdlhlpx.exe
2009-02-26 19:47 <DIR> --d----- c:\program files\Lavasoft
2009-02-19 14:11 <DIR> --dsh--- c:\documents and settings\hp_administrator\IETldCache
2009-02-19 12:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 12:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-19 11:31 31,280 a------- c:\windows\system32\drivers\SymIM.sys
2009-02-19 11:31 9,844 a------- c:\windows\system32\drivers\SymRedir.cat
2009-02-19 11:31 1,611 a------- c:\windows\system32\drivers\SymRedir.inf
2009-02-19 11:31 41,008 a------- c:\windows\system32\drivers\symndisv.sys
2009-02-19 11:31 184,496 a------- c:\windows\system32\drivers\symtdi.sys
2009-02-19 11:31 96,560 a------- c:\windows\system32\drivers\symfw.sys
2009-02-19 11:31 38,576 a------- c:\windows\system32\drivers\symids.sys
2009-02-19 11:31 37,424 a------- c:\windows\system32\drivers\symndis.sys
2009-02-19 11:31 22,320 a------- c:\windows\system32\drivers\symredrv.sys
2009-02-19 11:31 13,616 a------- c:\windows\system32\drivers\symdns.sys
2009-02-18 20:57 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-18 20:57 81,920 a------- c:\windows\system32\dllcache\ieencode.dll
2009-02-18 20:55 13,288,856 a------- C:\mpas-fe.exe
2009-02-18 19:10 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-02-16 14:32 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-16 13:46 <DIR> --d----- c:\program files\Mozilla Firefox 3.1 Beta 2
2009-02-16 13:17 <DIR> --d----- C:\N360_BACKUP
2009-02-15 12:11 <DIR> --d----- c:\windows\Simple Port Forwarding
2009-02-15 00:36 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-02-15 00:36 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-02-15 00:36 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-02-15 00:36 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-02-15 00:35 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-02-15 00:35 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-02-15 00:35 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-02-15 00:35 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-02-15 00:35 12,063 a------- c:\windows\system32\dllcache\wsiintxx.sys
2009-02-15 00:35 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-02-15 00:35 8,832 a------- c:\windows\system32\dllcache\wmiacpi.sys
2009-02-15 00:35 154,624 a------- c:\windows\system32\dllcache\wlluc48.sys
2009-02-15 00:35 34,890 a------- c:\windows\system32\dllcache\wlandrv2.sys
2009-02-15 00:35 771,581 a------- c:\windows\system32\dllcache\winacisa.sys
2009-02-15 00:33 7,556 a------- c:\windows\system32\dllcache\usroslba.sys
2009-02-15 00:32 525,568 a------- c:\windows\system32\dllcache\tridxp.dll
2009-02-15 00:31 36,640 a------- c:\windows\system32\dllcache\t2r4mini.sys
2009-02-15 00:30 106,584 a------- c:\windows\system32\dllcache\spdports.dll
2009-02-15 00:29 157,696 a------- c:\windows\system32\dllcache\sisv256.dll
2009-02-15 00:28 23,936 a------- c:\windows\system32\dllcache\sccmn50m.sys
2009-02-15 00:27 86,097 a------- c:\windows\system32\dllcache\reslog32.dll
2009-02-15 00:26 19,840 a------- c:\windows\system32\dllcache\philtune.sys
2009-02-15 00:25 31,872 a------- c:\windows\system32\dllcache\ovce.sys
2009-02-15 00:24 27,936 a------- c:\windows\system32\dllcache\n9i3d.sys
2009-02-15 00:23 320,384 a------- c:\windows\system32\dllcache\mgaum.sys
2009-02-15 00:22 26,624 a------- c:\windows\system32\dllcache\irstusb.sys
2009-02-15 00:21 488,383 a------- c:\windows\system32\dllcache\hsf_v124.sys
2009-02-15 00:20 119,296 a------- c:\windows\system32\dllcache\hpdigwia.dll
2009-02-15 00:19 34,816 a------- c:\windows\system32\dllcache\esuimg.dll
2009-02-15 00:18 29,696 a------- c:\windows\system32\dllcache\dm9pci5.sys
2009-02-15 00:17 14,976 a------- c:\windows\system32\dllcache\cpqarray.sys
2009-02-15 00:16 104,832 a------- c:\windows\system32\dllcache\atiraged.dll
2009-02-14 11:48 <DIR> --d----- C:\NSS
2009-02-13 11:45 98,856 a------- c:\windows\system32\drivers\s117unic.sys
2009-02-13 11:45 10,792 a------- c:\windows\system32\drivers\s117cr.sys
2009-02-13 11:45 100,264 a------- c:\windows\system32\drivers\s117mgmt.sys
2009-02-13 11:45 98,344 a------- c:\windows\system32\drivers\s117obex.sys
2009-02-13 11:45 108,456 a------- c:\windows\system32\drivers\s117mdm.sys
2009-02-13 11:45 22,952 a------- c:\windows\system32\drivers\s117nd5.sys
2009-02-13 11:45 14,888 a------- c:\windows\system32\drivers\s117mdfl.sys
2009-02-13 11:45 12,200 a------- c:\windows\system32\drivers\s117cmnt.sys
2009-02-13 11:45 12,200 a------- c:\windows\system32\drivers\s117cm.sys
2009-02-13 11:45 82,984 a------- c:\windows\system32\drivers\s117bus.sys
2009-02-13 11:45 12,200 a------- c:\windows\system32\drivers\s117whnt.sys
2009-02-13 11:45 12,200 a------- c:\windows\system32\drivers\s117wh.sys
2009-02-11 15:24 362 ---shr-- C:\autorun.inf

==================== Find3M ====================

2009-02-01 18:21 81,920 -----r-- c:\windows\bwUnin-6.1.4.36-8876480L.exe
2009-01-09 19:04 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-18 19:09 410,984 a------- c:\windows\system32\deploytk.dll
2008-04-06 20:34 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-04-02 21:02 4,096 a------- c:\documents and settings\hp_administrator\Desktop\Trojan.Win32.BlackBird.exe
2008-04-02 21:02 4,096 a------- c:\documents and settings\hp_administrator\Desktop\FWebdEditor.exe
2008-04-02 21:02 4,096 a------- c:\documents and settings\hp_administrator\Desktop\fwebd.exe
2008-04-02 21:02 4,096 a------- c:\documents and settings\hp_administrator\Desktop\fkwp2.0.exe
2008-04-02 21:02 4,096 a------- c:\documents and settings\hp_administrator\Desktop\fkwp1.5.exe
2008-04-02 21:02 4,096 a------- c:\documents and settings\hp_administrator\Desktop\filemanagerclient.exe
2008-04-02 21:02 4,096 a------- c:\documents and settings\hp_administrator\Desktop\EditorFKWP2.0.exe
2008-04-02 21:02 4,096 a------- c:\documents and settings\hp_administrator\Desktop\EditorFKWP1.5.exe
2007-03-11 16:28 92,064 a------- c:\documents and settings\hp_administrator\mqdmmdm.sys
2007-03-11 16:28 79,328 a------- c:\documents and settings\hp_administrator\mqdmserd.sys
2007-03-11 16:28 66,656 a------- c:\documents and settings\hp_administrator\mqdmbus.sys
2007-03-11 16:28 25,600 a------- c:\documents and settings\hp_administrator\usbsermptxp.sys
2007-03-11 16:28 22,768 a------- c:\documents and settings\hp_administrator\usbsermpt.sys
2007-03-11 16:28 9,232 a------- c:\documents and settings\hp_administrator\mqdmmdfl.sys
2007-03-11 16:28 6,208 a------- c:\documents and settings\hp_administrator\mqdmcmnt.sys
2007-03-11 16:28 5,936 a------- c:\documents and settings\hp_administrator\mqdmwhnt.sys
2007-03-11 16:28 4,048 a------- c:\documents and settings\hp_administrator\mqdmcr.sys
2008-04-09 19:04 126,221 a--sh--- c:\windows\system32\yHNoWvut.ini2

============= FINISH: 11:52:32.20 ===============

I have attached the attach.zip
uhty is offline  
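The symptoms uhty describes (redirect loops, security vendors' sites unreachable while news sites load fine) line up with the `TCP:` lines in the DDS log above, where the global `NameServer` setting and every interface GUID point at 85.255.112.39/40 or 85.255.115.29/112.140 instead of the home router or ISP resolvers. As an added example that is not part of this thread, of DDS or of ComboFix, the script below parses those `TCP:` lines and flags any resolver that is not on an allowlist. The allowlist value (192.168.1.1) and the GUID of the one clean interface line are constructed placeholders; the rogue ranges are the ones the FBI and the DNS Changer Working Group published after the 2011 DNSChanger (Rove Digital) takedown, which is where the 85.255.112.0/20 block seen in this log was listed.

```python
"""Flag unexpected DNS resolvers in a DDS 'Pseudo HJT Report'.

Added example, not code from the forum thread, DDS or ComboFix. DDS prints a
global 'TCP: NameServer = ...' line plus one 'TCP: {GUID} = ...' line per
network interface, each listing the resolvers in use. Anything outside the
owner's expected resolvers is reported; addresses inside the published
DNSChanger ranges are labelled as such.
"""
import ipaddress
import re

# Assumed allowlist (placeholder): the resolvers the owner actually configured,
# typically the home router or the ISP's servers.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Rogue resolver ranges published by the FBI / DNS Changer Working Group after
# the 2011 DNSChanger takedown. 85.255.112.0/20 covers every address in the log.
DNSCHANGER_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Matches 'TCP: NameServer = a.b.c.d,e.f.g.h' and 'TCP: {GUID} = a.b.c.d,...'
TCP_LINE = re.compile(
    r"^TCP:\s+(?P<iface>NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<servers>[\d.,\s]+)$"
)


def parse_tcp_lines(log_text):
    """Yield (interface, [resolver, ...]) for every 'TCP:' line in a DDS log.

    All other DDS line types (BHO:, mRun:, DPF:, Notify:, ...) are skipped.
    """
    for raw in log_text.splitlines():
        match = TCP_LINE.match(raw.strip())
        if not match:
            continue
        servers = [s.strip() for s in match.group("servers").split(",") if s.strip()]
        yield match.group("iface"), servers


def classify(server):
    """Classify one resolver address as expected, known-rogue or unexpected."""
    if server in EXPECTED_RESOLVERS:
        return "expected"
    ip = ipaddress.ip_address(server)
    if any(ip in net for net in DNSCHANGER_RANGES):
        return "known-rogue"
    return "unexpected"


def scan_dds(log_text):
    """Return one finding per (interface, resolver) pair that is not expected."""
    findings = []
    for iface, servers in parse_tcp_lines(log_text):
        for server in servers:
            verdict = classify(server)
            if verdict != "expected":
                findings.append({"interface": iface, "server": server, "verdict": verdict})
    return findings


# The thread's own TCP: lines with their two neighbours, plus one constructed
# clean interface line (all-zero GUID) to show what a good line looks like.
SAMPLE_DDS_EXCERPT = """\
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {00467398-86AE-4796-B2E2-15604877021E} = 85.255.112.39,85.255.112.40
TCP: {5B1431C2-F5AA-47FB-94A0-0465BFD090B5} = 85.255.112.39,85.255.112.40
TCP: {825C5192-C8F7-4B26-AEC7-5978953451B2} = 85.255.115.29,85.255.112.140
TCP: {966C6185-1159-4DF4-8A6B-91DC442366A7} = 85.255.115.29,85.255.112.140
TCP: {D1ED57DB-54BC-4A28-882E-3073C1B6101A} = 85.255.115.29,85.255.112.140
TCP: {FCA55BD7-51DB-4CB6-A17C-FAE37464625F} = 85.255.115.29,85.255.112.140
TCP: {00000000-0000-0000-0000-000000000001} = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\\progra~1\\common~1\\skype\\SKYPE4~1.DLL
"""

if __name__ == "__main__":
    for f in scan_dds(SAMPLE_DDS_EXCERPT):
        print(f"{f['verdict']:12} {f['interface']:40} {f['server']}")
```

Run against the excerpt it reports fourteen known-rogue entries (seven lines, two resolvers each) and nothing for the constructed clean line. The same parser can be pointed at a DDS log taken after cleanup: the job is done only when every `TCP:` line is back to the expected resolvers, which is the kind of check the helper's "lack of symptoms does not always mean the job is complete" warning is about.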

Old 03-13-2009, 01:02 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: firefox redirect, cannot restore point, cannot log into most virus sites

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 03-15-2009, 03:46 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 6
OS: xp


Re: firefox redirect, cannot restore point, cannot log into most virus sites

Hi there

Thanks for the help. I ran ComboFix and the log is below. However, at the start there was a message that it found some 'rootkit' or something like that and had to reboot. When it rebooted, I think Norton 360 ran, and the ComboFix operation may have been compromised. Anyway, here it is.

Cheers

ComboFix 09-03-14.01 - HP_Administrator 2009-03-15 2007.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1593 [GMT 11:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\HP_Administrator\Desktop\blackbird.jpg
c:\documents and settings\HP_Administrator\Desktop\EditorFKWP1.5.exe
c:\documents and settings\HP_Administrator\Desktop\EditorFKWP2.0.exe
c:\documents and settings\HP_Administrator\Desktop\filemanagerclient.exe
c:\documents and settings\HP_Administrator\Desktop\fkwp1.5.exe
c:\documents and settings\HP_Administrator\Desktop\fkwp2.0.exe
c:\documents and settings\HP_Administrator\Desktop\fwebd.exe
c:\documents and settings\HP_Administrator\Desktop\FWebdEditor.exe
c:\documents and settings\HP_Administrator\Desktop\Trojan.Win32.BlackBird.exe
c:\documents and settings\HP_Administrator\Desktop\virii
c:\documents and settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe
c:\documents and settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe
c:\documents and settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe
c:\documents and settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe
c:\documents and settings\HP_Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe
c:\documents and settings\HP_Administrator\Start Menu\Programs\freshplay
c:\program files\PC-Cleaner
c:\recycler\S-4-2-51-100026345-100002495-100025657-2725.com
c:\recycler\S-5-2-56-100023211-100009061-100021809-9655.com
c:\windows\a.bat
c:\windows\base64.tmp
c:\windows\bdn.com
c:\windows\FVProtect.exe
c:\windows\IE4 Error Log.txt
c:\windows\iTunesMusic.exe
c:\windows\mssecu.exe
c:\windows\system32\aybvjtgd.ini
c:\windows\system32\drivers\gaopdxhdtaivda.sys
c:\windows\system32\drivers\gaopdxjiyyborj.sys
c:\windows\system32\drivers\gaopdxkvyqmuyn.sys
c:\windows\system32\drivers\gaopdxrpjyrewt.sys
c:\windows\system32\drivers\gaopdxxfaimovr.sys
c:\windows\system32\ebnsjjjd.ini
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxymxexwen.dll
c:\windows\system32\mcltgitq.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\uvaroowc.ini
c:\windows\system32\vferkaie.ini
c:\windows\system32\xsfwbmeu.ini
c:\windows\system32\yHNoWvut.ini
c:\windows\system32\yHNoWvut.ini2
c:\windows\system32\akttzn.exe
c:\windows\system32\anticipator.dll
c:\windows\system32\awtoolb.dll
c:\windows\system32\bdn.com
c:\windows\system32\bsva-egihsg52.exe
c:\windows\system32\dpcproxy.exe
c:\windows\system32\emesx.dll
c:\windows\system32\h@tkeysh@@k.dll
c:\windows\system32\hoproxy.dll
c:\windows\system32\hxiwlgpm.dat
c:\windows\system32\hxiwlgpm.exe
c:\windows\system32\medup012.dll
c:\windows\system32\medup020.dll
c:\windows\system32\msgp.exe
c:\windows\system32\msnbho.dll
c:\windows\system32\mssecu.exe
c:\windows\system32\msvchost.exe
c:\windows\system32\mtr2.exe
c:\windows\system32\mwin32.exe
c:\windows\system32\netode.exe
c:\windows\system32\newsd32.exe
c:\windows\system32\ps1.exe
c:\windows\system32\psof1.exe
c:\windows\system32\psoft1.exe
c:\windows\system32\regc64.dll
c:\windows\system32\regm64.dll
c:\windows\system32\Rundl1.exe
c:\windows\system32\smp
c:\windows\system32\smp\msrc.exe
c:\windows\system32\sncntr.exe
c:\windows\system32\ssurf022.dll
c:\windows\system32\ssvchost.com
c:\windows\system32\ssvchost.exe
c:\windows\system32\sysreq.exe
c:\windows\system32\taack.dat
c:\windows\system32\taack.exe
c:\windows\system32\temp#01.exe
c:\windows\system32\thun.dll
c:\windows\system32\thun32.dll
c:\windows\system32\VBIEWER.OCX
c:\windows\system32\vbsys2.dll
c:\windows\system32\vcatchpi.dll
c:\windows\system32\winlogonpc.exe
c:\windows\system32\winsystem.exe
c:\windows\system32\WINWGPX.EXE
c:\windows\userconfig9x.dll
c:\windows\Web\def.htm
c:\windows\winsystem.exe
c:\windows\zip1.tmp
c:\windows\zip2.tmp
c:\windows\zip3.tmp
c:\windows\zipped.tmp
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-13 21:00 . 2009-01-19 08:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-13 19:55 . 2009-03-13 19:55 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-13 19:55 . 2009-01-19 08:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-13 00:10 . 2009-03-13 00:10 <DIR> d-------- c:\program files\BotSpy
2009-03-12 20:29 . 2009-03-12 23:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-12 20:29 . 2009-03-13 00:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-12 17:31 . 2009-03-12 17:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fighters
2009-03-12 16:05 . 2009-03-12 16:05 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2009-03-12 16:05 . 2009-03-12 16:05 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\TuneUp Software
2009-03-12 16:05 . 2009-03-12 16:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-03-12 16:05 . 2009-03-12 16:05 603,904 --a------ c:\windows\system32\TUProgSt.exe
2009-03-12 16:05 . 2009-03-12 16:05 360,192 --a------ c:\windows\system32\TuneUpDefragService.exe
2009-03-12 16:05 . 2008-12-11 13:31 27,904 --a------ c:\windows\system32\uxtuneup.dll
2009-03-12 16:04 . 2009-03-12 16:04 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-11 12:35 . 2009-03-11 12:35 <DIR> d-------- c:\program files\Citrix
2009-03-11 12:35 . 2009-03-11 12:35 60,744 --a------ c:\documents and settings\HP_Administrator\g2mdlhlpx.exe
2009-02-26 19:47 . 2009-03-13 19:55 <DIR> d-------- c:\program files\Lavasoft
2009-02-26 19:47 . 2009-03-13 19:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-19 14:21 . 2009-02-19 14:21 <DIR> d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-02-19 14:11 . 2009-02-19 14:11 <DIR> d--hs---- c:\documents and settings\HP_Administrator\IETldCache
2009-02-19 12:03 . 2009-02-19 12:03 579,464 --a------ c:\windows\system32\SymNeti.dll
2009-02-19 12:03 . 2009-02-19 12:03 207,240 --a------ c:\windows\system32\SymRedir.dll
2009-02-19 11:31 . 2009-02-19 11:31 184,496 --a------ c:\windows\system32\drivers\symtdi.sys
2009-02-19 11:31 . 2009-02-19 11:31 96,560 --a------ c:\windows\system32\drivers\symfw.sys
2009-02-19 11:31 . 2009-02-19 11:31 41,008 --a------ c:\windows\system32\drivers\symndisv.sys
2009-02-19 11:31 . 2009-02-19 11:31 38,576 --a------ c:\windows\system32\drivers\symids.sys
2009-02-19 11:31 . 2009-02-19 11:31 37,424 --a------ c:\windows\system32\drivers\symndis.sys
2009-02-19 11:31 . 2009-02-19 11:31 31,280 --a------ c:\windows\system32\drivers\SymIM.sys
2009-02-19 11:31 . 2009-02-19 11:31 22,320 --a------ c:\windows\system32\drivers\symredrv.sys
2009-02-19 11:31 . 2009-02-19 11:31 13,616 --a------ c:\windows\system32\drivers\symdns.sys
2009-02-19 11:31 . 2009-02-19 11:31 9,844 --a------ c:\windows\system32\drivers\SymRedir.cat
2009-02-19 11:31 . 2009-02-19 11:31 1,611 --a------ c:\windows\system32\drivers\SymRedir.inf
2009-02-18 20:57 . 2008-04-14 11:11 81,920 --a------ c:\windows\system32\ieencode.dll
2009-02-18 20:57 . 2008-04-14 11:11 81,920 --a------ c:\windows\system32\dllcache\ieencode.dll
2009-02-18 20:55 . 2009-02-18 20:43 13,288,856 --a------ C:\mpas-fe.exe
2009-02-18 19:10 . 2009-02-18 19:10 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-18 17:47 . 2009-02-18 21:17 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 16:21 . 2009-02-16 16:22 <DIR> d-------- c:\program files\QuickTime
2009-02-16 16:21 . 2009-02-16 16:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-16 14:32 . 2009-02-16 14:35 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-16 13:46 . 2009-02-18 21:16 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 2
2009-02-16 13:17 . 2009-02-16 13:17 <DIR> d-------- C:\N360_BACKUP
2009-02-15 12:11 . 2009-02-15 12:11 <DIR> d-------- c:\windows\Simple Port Forwarding
2009-02-15 00:36 . 2008-04-14 10:12 116,224 --a------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-02-15 00:36 . 2001-08-17 22:37 27,648 --a------ c:\windows\system32\dllcache\xrxftplt.exe
2009-02-15 00:36 . 2001-08-17 22:36 23,040 --a------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-02-15 00:36 . 2008-04-14 10:12 18,944 --a------ c:\windows\system32\dllcache\xrxscnui.dll
2009-02-15 00:35 . 2001-08-17 13:28 771,581 --a------ c:\windows\system32\dllcache\winacisa.sys
2009-02-15 00:35 . 2004-08-03 22:31 154,624 --a------ c:\windows\system32\dllcache\wlluc48.sys
2009-02-15 00:35 . 2001-08-17 22:37 99,865 --a------ c:\windows\system32\dllcache\xlog.exe
2009-02-15 00:35 . 2001-08-17 12:12 34,890 --a------ c:\windows\system32\dllcache\wlandrv2.sys
2009-02-15 00:35 . 2004-08-03 22:29 19,455 --a------ c:\windows\system32\dllcache\wvchntxx.sys
2009-02-15 00:35 . 2001-08-17 12:11 16,970 --a------ c:\windows\system32\dllcache\xem336n5.sys
2009-02-15 00:35 . 2004-08-03 22:29 12,063 --a------ c:\windows\system32\dllcache\wsiintxx.sys
2009-02-15 00:35 . 2008-04-14 04:36 8,832 --a------ c:\windows\system32\dllcache\wmiacpi.sys
2009-02-15 00:35 . 2008-04-14 10:12 8,192 --a------ c:\windows\system32\dllcache\wshirda.dll
2009-02-15 00:35 . 2001-08-17 22:37 4,608 --a------ c:\windows\system32\dllcache\xrxflnch.exe
2009-02-15 00:33 . 2001-08-17 13:28 794,654 --a------ c:\windows\system32\dllcache\usr1801.sys
2009-02-15 00:32 . 2001-08-17 22:36 525,568 --a------ c:\windows\system32\dllcache\tridxp.dll
2009-02-15 00:31 . 2001-08-17 12:18 285,760 --a------ c:\windows\system32\dllcache\stlnata.sys
2009-02-15 00:30 . 2001-08-17 14:56 147,200 --a------ c:\windows\system32\dllcache\smidispb.dll
2009-02-15 00:29 . 2001-08-17 22:36 386,560 --a------ c:\windows\system32\dllcache\sgiul50.dll
2009-02-15 00:28 . 2001-08-17 22:36 495,616 --a------ c:\windows\system32\dllcache\sblfx.dll
2009-02-15 00:27 . 2001-08-17 13:28 899,146 --a------ c:\windows\system32\dllcache\r2mdkxga.sys
2009-02-15 00:26 . 2001-08-17 14:05 351,616 --a------ c:\windows\system32\dllcache\ovcodek2.sys
2009-02-15 00:25 . 2001-08-17 12:50 198,144 --a------ c:\windows\system32\dllcache\nv3.sys
2009-02-15 00:24 . 2001-08-17 12:11 128,000 --a------ c:\windows\system32\dllcache\n100325.sys
2009-02-15 00:23 . 2001-08-17 13:28 802,683 --a------ c:\windows\system32\dllcache\ltsm.sys
2009-02-15 00:22 . 2008-04-14 10:11 702,845 --a------ c:\windows\system32\dllcache\i81xdnt5.dll
2009-02-15 00:21 . 2001-08-17 13:28 542,879 --a------ c:\windows\system32\dllcache\hsf_msft.sys
2009-02-15 00:20 . 2001-08-17 14:56 1,733,120 --a------ c:\windows\system32\dllcache\g400d.dll
2009-02-15 00:19 . 2001-08-17 13:28 634,134 --a------ c:\windows\system32\dllcache\el656ct5.sys
2009-02-15 00:18 . 2001-08-17 12:14 952,007 --a------ c:\windows\system32\dllcache\diwan.sys
2009-02-15 00:17 . 2001-08-17 12:13 980,034 --a------ c:\windows\system32\dllcache\cicap.sys
2009-02-15 00:16 . 2001-08-17 13:28 762,780 --a------ c:\windows\system32\dllcache\3cwmcru.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 09:05 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-08 10:32 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Skype
2009-03-08 09:54 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\skypePM
2009-02-26 12:33 --------- d-----w c:\program files\MSN Messenger
2009-02-17 23:06 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-02-16 05:21 --------- d-----w c:\program files\Apple Software Update
2009-02-16 02:04 --------- d-----w c:\program files\TomTom HOME
2009-02-15 22:57 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-02-14 12:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-14 12:19 --------- d-----w c:\program files\Sony Ericsson
2009-02-14 12:16 --------- d-----w c:\program files\Google
2009-02-11 13:20 --------- d-----w c:\documents and settings\Administrator\Application Data\HPQ
2009-02-07 07:59 --------- d-----w c:\documents and settings\All Users\Application Data\TomTom
2009-02-07 07:57 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-02-04 09:13 --------- d-----w c:\documents and settings\All Users\Application Data\DriverCure
2009-02-04 09:11 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\DriverCure
2009-02-04 09:09 --------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-02-01 07:22 --------- d-----w c:\program files\Logitech
2009-02-01 07:22 --------- d-----w c:\program files\Common Files\Logitech
2009-02-01 07:21 81,920 ------r c:\windows\bwUnin-6.1.4.36-8876480L.exe
2009-02-01 07:11 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd
2009-01-09 08:04 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-12-18 08:09 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-04-06 09:34 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-03-11 05:28 92,064 ----a-w c:\documents and settings\HP_Administrator\mqdmmdm.sys
2007-03-11 05:28 9,232 ----a-w c:\documents and settings\HP_Administrator\mqdmmdfl.sys
2007-03-11 05:28 79,328 ----a-w c:\documents and settings\HP_Administrator\mqdmserd.sys
2007-03-11 05:28 66,656 ----a-w c:\documents and settings\HP_Administrator\mqdmbus.sys
2007-03-11 05:28 6,208 ----a-w c:\documents and settings\HP_Administrator\mqdmcmnt.sys
2007-03-11 05:28 5,936 ----a-w c:\documents and settings\HP_Administrator\mqdmwhnt.sys
2007-03-11 05:28 4,048 ----a-w c:\documents and settings\HP_Administrator\mqdmcr.sys
2007-03-11 05:28 25,600 ----a-w c:\documents and settings\HP_Administrator\usbsermptxp.sys
2007-03-11 05:28 22,768 ----a-w c:\documents and settings\HP_Administrator\usbsermpt.sys
2008-06-30 03:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\BotSpy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-13 663552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-27 988512]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"TomTomHOME.exe"="c:\program files\TomTom HOME\TomTomHOME.exe" [2007-03-14 3770024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-19 506712]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2009-02-01 169472]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-08-14 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-13 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-19 921936]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-19 149352]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-10 14336]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-03-12 603904]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-08-14 2829696]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-08-14 468768]
S2 gupdate1c985eab8f3c156;Google Update Service (gupdate1c985eab8f3c156);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-13 23888]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys --> c:\windows\system32\Drivers\FarDrive.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-01-02 13352]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-15 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]

2009-03-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-19 08:34]

2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 21:32]
.
- - - - ORPHANS REMOVED - - - -

Notify-urebgncr - urebgncr.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=64&bd=PAVILION&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZU
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\3k2lf3p9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\3k2lf3p9.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 20:09:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-15 20:10:41
ComboFix-quarantined-files.txt 2009-03-15 09:10:39

Pre-Run: 174,580,371,456 bytes free
Post-Run: 174,565,109,760 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=,1,2,3,4
363 --- E O F --- 2009-01-14 22:51:28
uhty is offline  
Old 03-15-2009, 08:58 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: firefox redirect, cannot restore point, cannot log into most virus sites

Looks like everything worked fine.

I have a question...did you customize the install directory of Spybot Search & Destroy?

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1


These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Leave Java(TM) 6 Update 11 alone, as it has the most recent security updates.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 03-15-2009, 07:45 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 6
OS: xp


Re: firefox redirect, cannot restore point, cannot log into most virus sites

Hi there, first up, thanks again for your assist.

I did customise the Spybot directory in an attempt to make it run properly, but that did not work. I was able to download and install it. However, it can't download the definitions or includes. And when trying to run it, it just minimises and I couldn't get it to scan.

I did the uninstalls as you suggested.

The machine is working as well as before it got infected. Sites are no longer getting redirected. I am able to create restore points again. It looks like it's free of infections.

here is the scan report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 16, 2009 00:15:07
Records in database: 1910689
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 103942
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:37:13


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\Web\def.htm.vir Infected: Hoax.HTML.Secureinvites.c 1

The selected area was scanned.

Looks like the threat is in quarantine, as you suggested. Thank you.
uhty is offline  
Old 03-15-2009, 08:21 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: firefox redirect, cannot restore point, cannot log into most virus sites

It may be that in customizing the directory of the Spybot install, it's become confused, if you did it after the fact rather than during the install. It may need to be uninstalled and reinstalled, or the dir renamed to what it originally was, for Spybot to function properly.
tetonbob is offline  
Old 03-15-2009, 09:57 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 6
OS: xp


Re: firefox redirect, cannot restore point, cannot log into most virus sites

I uninstalled and reinstalled Spybot and it's working now. Thanks. FYI that I had to rename the dir after several installs that failed. But the rename did not fix the prob.

Shall I delete Combofix? I don't think I can use it without someone like you looking at a problem prior to running it?

Thanks
uhty is offline  
Old 03-15-2009, 10:16 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: firefox redirect, cannot restore point, cannot log into most virus sites

Glad to hear it's working again. The failed installs were likely due to rootkit interference.

ComboFix is not a general purpose tool, and correct, it should not be used in an unsupervised environment.

The other items Kaspersky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Other than that....

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
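The MVPS HOSTS file recommended in the post above works by mapping ad hostnames to 127.0.0.1, and the same file format is also what malware commonly abuses to keep a machine from reaching security vendors' sites. As an added example (not code from the thread or from the MVPS project), this Python script parses a hosts file and separates MVPS-style blocking entries from entries that pin or redirect domains which should resolve normally; the sample hosts file and the watch list of domains are constructed for the example.

```python
"""Audit a Windows HOSTS file: MVPS-style blocking entries versus hijacks.

Added example, not code from the thread or from the MVPS project.  Each
address->hostname mapping gets one verdict: "block" (name sent to a
loopback/null address, as the MVPS file does to ad sites), "hijack" (any
entry for a domain that should resolve normally, such as a security vendor),
"redirect" (other names sent to a routable address), "self" or "malformed".
The sample file and the watch list below are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Addresses that make a name unreachable; the MVPS file relies on 127.0.0.1.
BLOCKING_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Constructed watch list: domains a clean hosts file has no reason to mention.
WATCHED_DOMAINS = {"windowsupdate.com", "safer-networking.org",
                   "kaspersky.com", "symantec.com"}
# RFC 1123 label syntax: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")

@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostname: str
    verdict: str

def _is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    h = hostname.lower()
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)

def classify(line_no, address, hostname):
    """Assign one verdict to a single address->hostname mapping."""
    try:
        addr = str(ipaddress.ip_address(address))
    except ValueError:
        return HostsEntry(line_no, address, hostname, "malformed")
    if not _HOSTNAME_RE.match(hostname):
        return HostsEntry(line_no, addr, hostname, "malformed")
    if hostname.lower() == "localhost":
        return HostsEntry(line_no, addr, hostname, "self")
    # Tested before the blocking rule on purpose: a security site pinned to
    # 127.0.0.1 is technically a block, but a hijack from the user's side.
    if _is_watched(hostname):
        return HostsEntry(line_no, addr, hostname, "hijack")
    if addr in BLOCKING_ADDRESSES:
        return HostsEntry(line_no, addr, hostname, "block")
    return HostsEntry(line_no, addr, hostname, "redirect")

def parse_hosts(text):
    """Parse hosts-file text into one HostsEntry per hostname per line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        address, *names = line.split()
        if not names:                        # an address with no hostname
            entries.append(HostsEntry(line_no, address, "", "malformed"))
            continue
        entries.extend(classify(line_no, address, n) for n in names)
    return entries

def summarize(entries):
    """Count entries per verdict."""
    counts = {}
    for entry in entries:
        counts[entry.verdict] = counts.get(entry.verdict, 0) + 1
    return counts

def findings(entries):
    """Entries worth an analyst's attention: hijacks, redirects, malformed."""
    return [e for e in entries if e.verdict in ("hijack", "redirect", "malformed")]

# Constructed sample in the MVPS style plus two lines of the kind a hosts-file
# hijack leaves behind (203.0.113.0/24 is documentation address space).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example-adserver.test    # MVPS-style block
0.0.0.0 tracker.example.test banners.example.test
127.0.0.1 www.safer-networking.org     # security site pinned to loopback
203.0.113.7 update.symantec.com        # security site sent elsewhere
198.51.100.9 www.example.org
999.1.1.1 broken.example.test
"""

if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print(summarize(parsed))
    for e in findings(parsed):
        print(f"line {e.line_no}: {e.verdict:<9} {e.address} -> {e.hostname}")
```

Run against the real file (c:\windows\system32\drivers\etc\hosts on XP) the "hijack" and "redirect" verdicts are the lines to review; the "block" lines are what the MVPS file is expected to add.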
Old 03-15-2009, 11:14 PM   #9 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 6
OS: xp


Re: firefox redirect, cannot restore point, cannot log into most virus sites

Hi, thanks for this. I followed some of your recommendations and will read up on the others so I can make a better choice. Thanks very much for all your assist.

Cheers
uhty is offline  
Old 03-15-2009, 11:31 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: firefox redirect, cannot restore point, cannot log into most virus sites

Hi, you're welcome for the help.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
tetonbob is offline  
Copyright 2001 - 2009, Tech Support Forum