Tech Support Forum, Virus/Trojan/Spyware Help, Resolved HJT Threads (resolved spyware and popup issues)

#1  07-03-2009, 05:18 AM  maritime.mark
Registered User | Join Date: Sep 2008 | Posts: 13 | OS: windows xp sp2

Google search redirected..sometimes

I have a machine running Windows XP Pro with service pack 3 and IE8 installed. When I type in a search term, either into the search box on top of the IE window or at Google.com, I get to the results screen with what looks to be good links. The website titles are in the links along with a partial description. However, when I click on a result link, it will sometimes take me to the site as shown, but sometimes it will go to another site that has nothing to do with my search. It is not always the same site either.

I think there is some kind of redirect virus, but everything I have used finds nothing. Well, actually the first few scans did find stuff, adware, cookies, but after they were cleared out, the behavior remains the same. The scans I used were Malwarebytes, SUPERAntiSpyware, Comodo Internet Security free version, AVG 8.5 free, Malicious Software Removal Tool June version, Windows Defender, Spybot S&D, Trojan Remover, SmitfraudFix, pandascan, Kaspersky online scan.

Oh, and sometimes when I try to connect for the first time to pandascan, or the Kaspersky website or another security-related website, I will get a small window that pops up stating that a malicious add-on is trying to access a suspicious website and IE is stopping this from happening. Except I do not think that it is actually IE doing it. Attached are the logs as requested.

Thanks for the help

Mark

DDS.txt

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 21:49:22.75 on Thu 07/02/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.136 [GMT -5:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Owner\Desktop\dds.pif

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {7C2FC77A-AF76-4A75-AC16-B02A13829F34} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimage\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238897964810
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {ADD4AAEA-CBAB-4B18-A7E3-AD7EC8FC3E91} = 208.67.222.222,208.67.220.220
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lbhhoxfz.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-6-10 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-6-10 24096]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-6-10 692496]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 PciPPorts;PCI ECP Parallel Port;c:\windows\system32\drivers\PciPPorts.sys [2009-4-7 82432]
S4 KLC;KLC;c:\docume~1\owner\locals~1\temp\klc.exe --> c:\docume~1\owner\locals~1\temp\KLC.exe [?]

=============== Created Last 30 ================

2009-07-01 22:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-01 22:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-24 20:35 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-06-24 20:33 <DIR> --d----- c:\windows\ERUNT
2009-06-24 20:30 <DIR> --d----- C:\SDFix
2009-06-22 22:09 <DIR> --d----- c:\program files\Lavasoft
2009-06-22 21:20 <DIR> --d----- C:\b2399a19aa5feced0725f3
2009-06-18 21:46 <DIR> --d----- c:\program files\Trojan Remover
2009-06-18 21:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-06-18 21:10 2,376 a------- c:\windows\system32\tmp.reg
2009-06-16 21:56 <DIR> --d----- c:\docume~1\owner\applic~1\.clamwin
2009-06-16 06:53 <DIR> --d----- c:\documents and settings\owner\.housecall6.6
2009-06-15 21:32 <DIR> --d----- c:\program files\Panda Security
2009-06-12 22:05 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-12 06:49 <DIR> --d----- c:\program files\Auslogics
2009-06-11 21:49 <DIR> --d----- c:\docume~1\owner\applic~1\Digital Support
2009-06-10 20:06 1,474,832 a------- c:\windows\system32\drivers\sfi.dat
2009-06-10 20:01 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 20:01 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-10 07:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-06-10 07:15 168,208 a------- c:\windows\system32\guard32.dll
2009-06-10 07:15 132,640 a------- c:\windows\system32\drivers\cmdguard.sys
2009-06-10 07:15 24,096 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-06-10 07:15 <DIR> --d----- c:\program files\COMODO
2009-06-09 22:33 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-07 20:54 <DIR> a-dshr-- C:\cmdcons
2009-06-07 20:51 161,792 a------- c:\windows\SWREG.exe
2009-06-07 20:51 155,136 a------- c:\windows\PEV.exe
2009-06-07 20:51 98,816 a------- c:\windows\sed.exe
2009-06-04 17:52 <DIR> --d----- c:\program files\Trend Micro
2009-06-03 22:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-03 22:32 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-03 22:03 <DIR> --d----- c:\windows\ie8updates
2009-06-03 22:02 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-11 15:30 118,642 a------- c:\windows\hpoins09.dat
2009-04-04 06:15 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 21:50:22.53 ===============
Attached file: Attach.zip (3.8 KB)
#2  07-06-2009, 06:32 AM  maritime.mark
Registered User | Join Date: Sep 2008 | Posts: 13 | OS: windows xp sp2

Re: Google search redirected..sometimes

Bump, please
#3  07-06-2009, 08:44 AM  Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team | Join Date: Jan 2005 | Location: Ohio | Posts: 27,043 | OS: WinXP and Vista

Re: Google search redirected..sometimes

Hello Mark,

Post the contents of C:\ComboFix.txt.

For future consideration, please heed the ComboFix Disclaimer as well as our note in the pre-posting topic...

Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there are any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#4  07-06-2009, 09:43 PM  maritime.mark
Registered User | Join Date: Sep 2008 | Posts: 13 | OS: windows xp sp2

Re: Google search redirected..sometimes

ComboFix 09-06-07.05 - Owner 06/07/2009 20:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.153 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\documents and settings\QBDataServiceUser\Application Data\twain_32
c:\documents and settings\QBDataServiceUser\Application Data\twain_32\user.ds
c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-04 22:52 . 2009-06-04 22:52 -------- d-----w- c:\program files\Trend Micro
2009-06-04 03:33 . 2009-06-04 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-04 03:32 . 2009-06-04 04:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-04 03:32 . 2009-06-04 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-06-04 03:32 . 2009-06-04 03:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-04 03:11 . 2009-06-04 03:11 107912 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-04 03:11 . 2009-06-04 03:11 10520 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-04 03:11 . 2009-06-04 03:11 325640 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-04 03:11 . 2009-06-04 03:11 27656 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-04 03:11 . 2009-06-04 03:11 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-04 03:10 . 2009-06-04 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-04 03:03 . 2009-06-04 03:03 -------- d-----w- c:\windows\ie8updates
2009-06-04 03:02 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-02 05:08 . 2009-06-02 05:08 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-06-02 05:07 . 2009-06-02 05:07 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-06-01 18:09 . 2009-06-01 18:09 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-06-01 17:58 . 2009-06-01 17:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-01 17:58 . 2009-06-01 17:58 -------- d-----w- c:\program files\MSBuild
2009-06-01 17:57 . 2009-06-01 17:57 -------- d-----w- c:\program files\Reference Assemblies
2009-06-01 17:56 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-01 17:56 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-01 17:56 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-01 17:56 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-01 17:56 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-01 17:56 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-01 17:56 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-01 17:56 . 2009-06-01 17:57 -------- d-----w- C:\96002651679834c928efdc7e59d742
2009-06-01 16:55 . 2009-06-01 16:57 -------- dc-h--w- c:\windows\ie8
2009-05-25 03:37 . 2009-05-25 03:37 -------- d-----w- c:\program files\Digital Support
2009-05-23 03:47 . 2009-05-23 03:47 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-23 03:44 . 2009-05-23 03:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-23 03:44 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 03:44 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 03:44 . 2009-06-04 03:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-23 03:44 . 2009-05-23 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-22 15:28 . 2008-04-14 00:12 82432 -c--a-w- c:\windows\system32\dllcache\ws2_32.dll
2009-05-19 23:05 . 2009-05-19 23:04 861448 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-05-19 23:05 . 2009-05-19 23:04 38664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-05-19 23:05 . 2009-05-19 23:04 34056 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
2009-05-19 23:05 . 2009-05-19 23:04 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2009-05-19 23:01 . 2009-05-19 23:01 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2009-05-19 23:01 . 2009-05-19 23:01 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcp71.dll
2009-05-19 23:01 . 2009-05-19 23:01 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcr71.dll
2009-05-18 14:02 . 2009-06-03 17:15 3363 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-05-18 13:47 . 2009-05-18 13:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Intuit
2009-05-18 13:42 . 2009-05-18 13:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
2009-05-18 13:39 . 2009-05-18 13:39 -------- d-----w- c:\program files\Common Files\supportsoft
2009-05-18 13:38 . 2007-06-28 19:09 1843200 ----a-w- c:\windows\system32\acXMLParser.dll
2009-05-18 13:38 . 2009-01-20 22:33 3833856 ----a-w- c:\windows\system32\cdintf300.dll
2009-05-18 13:20 . 2009-05-18 13:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 10
2009-05-18 13:20 . 2009-05-18 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 18:12 . 2006-05-12 14:35 113352 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 02:19 . 2005-09-16 15:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-25 02:14 . 2005-09-16 15:11 -------- d-----w- c:\documents and settings\Owner\Application Data\Lavasoft
2009-05-25 02:14 . 2005-09-16 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-18 13:42 . 2006-05-04 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-05-18 13:31 . 2006-05-04 19:34 -------- d-----w- c:\program files\Common Files\Intuit
2009-04-19 14:36 . 2009-04-19 14:28 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-19 14:36 . 2009-04-19 14:28 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-19 14:28 . 2009-04-19 14:28 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-19 14:28 . 2009-04-19 14:28 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-12 22:55 . 2009-04-11 19:18 -------- d-----w- c:\program files\HP
2009-04-12 22:55 . 2009-04-12 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-11 20:47 . 2009-04-11 20:47 -------- d-----w- c:\documents and settings\Owner\Application Data\HP
2009-04-11 20:44 . 2009-04-11 20:44 113352 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 20:30 . 2009-04-11 19:06 118642 ----a-w- c:\windows\hpoins09.dat
2009-04-11 20:26 . 2009-04-11 20:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\HP
2009-04-11 20:20 . 2009-04-11 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-04-11 20:16 . 2009-04-11 20:04 -------- d-----w- c:\program files\Common Files\HP
2009-04-11 19:42 . 2009-04-11 19:36 -------- d-----w- c:\program files\Hewlett-Packard
2009-04-11 19:26 . 2009-04-11 19:26 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-04-04 11:15 . 2005-09-16 13:28 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
.

------- Sigcheck -------

[7] 2004-08-04 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 9F4A1642F792DE1035E9FCF698D439F3 c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 9F4A1642F792DE1035E9FCF698D439F3 c:\windows\system32\ws2_32.dll
[-] 2008-04-14 00:12 82432 9F4A1642F792DE1035E9FCF698D439F3 c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-04 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 988701]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 118784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-04 1932568]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-09-16 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-06-04 04:34 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-04 03:11 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/3/2009 10:11 PM 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/3/2009 10:11 PM 107912]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/3/2009 10:10 PM 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 PciPPorts;PCI ECP Parallel Port;c:\windows\system32\drivers\PciPPorts.sys [4/7/2009 8:44 PM 82432]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-06-08 c:\windows\Tasks\User_Feed_Synchronization-{10559F02-1EAB-40B5-BE0A-3C91E4703269}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.spaceweather.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 21:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-06-08 21:02
ComboFix-quarantined-files.txt 2009-06-08 02:02

Pre-Run: 53,401,358,336 bytes free
Post-Run: 53,511,413,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

209 --- E O F --- 2009-06-04 23:24
#5  07-06-2009, 09:49 PM  Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team | Join Date: Jan 2005 | Location: Ohio | Posts: 27,043 | OS: WinXP and Vista

Re: Google search redirected..sometimes

Thanks. :)

Please go to Virus Total
  • Copy/paste the following full path into the empty box under 'Upload a file'

    c:\windows\system32\ws2_32.dll
  • Click 'Send File'
  • If you see a message that the file has been scanned before, click 'Reanalyze Now'

Copy/paste the results into Notepad and save it to your desktop. Please post the results in your next reply.
#6  07-07-2009, 07:05 AM  maritime.mark
Registered User | Join Date: Sep 2008 | Posts: 13 | OS: windows xp sp2

Re: Google search redirected..sometimes

File ws2_32.dll received on 2009.07.07 13:02:18 (UTC)
Current status: finished
Result: 8/41 (19.51%)

Antivirus           Version          Last Update  Result
a-squared           4.5.0.18         2009.07.07   Trojan.Win32.Patched!IK
AhnLab-V3           5.0.0.2          2009.07.07   -
AntiVir             7.9.0.204        2009.07.07   -
Antiy-AVL           2.0.3.1          2009.07.07   -
Authentium          5.1.2.4          2009.07.07   -
Avast               4.8.1335.0       2009.07.06   -
AVG                 8.5.0.386        2009.07.07   Win32/Patched
BitDefender         7.2              2009.07.07   Trojan.Patched.EM
CAT-QuickHeal       10.00            2009.07.07   -
ClamAV              0.94.1           2009.07.07   -
Comodo              1538             2009.07.02   -
DrWeb               5.0.0.12182      2009.07.07   -
eSafe               7.0.17.0         2009.07.06   -
eTrust-Vet          31.6.6601        2009.07.07   -
F-Prot              4.4.4.56         2009.07.06   -
F-Secure            8.0.14470.0      2009.07.07   -
Fortinet            3.117.0.0        2009.07.03   -
GData               19               2009.07.07   Trojan.Patched.EM
Ikarus              T3.1.1.64.0      2009.07.07   Trojan.Win32.Patched
Jiangmin            11.0.706         2009.07.07   -
K7AntiVirus         7.10.785         2009.07.06   -
Kaspersky           7.0.0.125        2009.07.07   -
McAfee              5668             2009.07.06   -
McAfee+Artemis      5668             2009.07.06   -
McAfee-GW-Edition   6.8.5            2009.07.07   Heuristic.LooksLike.Trojan.Patched.H
Microsoft           1.4803           2009.07.07   Trojan:Win32/Patched.L
NOD32               4222             2009.07.07   -
Norman              6.01.09          2009.07.07   -
nProtect            2009.1.8.0       2009.07.07   -
Panda               10.0.0.14        2009.07.06   -
PCTools             4.4.2.0          2009.07.07   -
Prevx               3.0              2009.07.07   -
Rising              21.37.14.00      2009.07.07   -
Sophos              4.43.0           2009.07.07   Mal/WSHack-A
Sunbelt             3.2.1858.2       2009.07.07   -
Symantec            1.4.4.12         2009.07.07   -
TheHacker           6.3.4.3.364      2009.07.06   -
TrendMicro          8.950.0.1094     2009.07.07   -
VBA32               3.12.10.7        2009.07.07   -
ViRobot             2009.7.7.1822    2009.07.07   -
VirusBuster         4.6.5.0          2009.07.06   -

Additional information
File size: 82432 bytes
MD5 : 9f4a1642f792de1035e9fcf698d439f3
SHA1 : 46342942cafad52d157e533e0e3629cf25ba1f94
SHA256: dc0bf1805aafbcb99bf5583d6eb8902426a8d87cd215226e993b95f49d47ad76
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x141A1
timedatestamp.....: 0x4802A164 (Mon Apr 14 02:12:20 2008)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12153 0x12200 6.48 614dcfc35742ce1988d5ab7c8164961a
.data 0x14000 0x914 0xA00 5.91 855e5a6b0bd2fa86408cabe4befc1e92
.rsrc 0x15000 0x3F8 0x400 3.43 5ff68b649c14d167754073f671ef1ef1
.reloc 0x16000 0xDC8 0xE00 6.45 c841caa0b58d513a706567eff650ba0f

( 5 imports )

> advapi32.dll: RegNotifyChangeKeyValue, RegDeleteKeyA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegEnumKeyExA
> kernel32.dll: GetTickCount, QueryPerformanceCounter, lstrcmpA, HeapReAlloc, HeapFree, HeapAlloc, InterlockedCompareExchange, IsBadWritePtr, GetEnvironmentVariableA, GetComputerNameA, GetVersionExA, GetSystemDirectoryA, GetWindowsDirectoryA, WaitForMultipleObjectsEx, ResetEvent, IsBadReadPtr, TlsSetValue, GetHandleInformation, ExpandEnvironmentStringsA, InterlockedExchange, GetCurrentThreadId, TlsAlloc, GetSystemInfo, HeapCreate, GetProcessHeap, HeapDestroy, TlsFree, lstrlenA, lstrcpyA, IsBadCodePtr, GetProcAddress, CreateEventA, GetModuleFileNameA, LoadLibraryA, CreateThread, FreeLibrary, WaitForSingleObject, CloseHandle, FreeLibraryAndExitThread, EnterCriticalSection, SetEvent, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SwitchToThread, SetLastError, DelayLoadFailureHook, TlsGetValue, InterlockedDecrement, GetLastError, WideCharToMultiByte, MultiByteToWideChar, InitializeCriticalSection, DeleteCriticalSection, InterlockedIncrement, LeaveCriticalSection
> msvcrt.dll: __isascii, isspace, _except_handler3, sprintf, _adjust_fdiv, malloc, _initterm, free, _stricmp, fclose, fgets, atoi, strchr, fopen, wcscpy, strtoul, wcscmp, wcslen, wcschr
> ntdll.dll: RtlIpv4StringToAddressW, RtlIpv6StringToAddressExW, RtlIpv4StringToAddressA
> ws2help.dll: WahCompleteRequest, WahQueueUserApc, WahEnableNonIFSHandleSupport, WahDisableNonIFSHandleSupport, WahCreateSocketHandle, WahNotifyAllProcesses, WahCreateNotificationHandle, WahWaitForNotification, WahOpenCurrentThread, WahCloseThread, WahInsertHandleContext, WahRemoveHandleContext, WahDestroyHandleContextTable, WahCreateHandleContextTable, WahEnumerateHandleContexts, WahCloseApcHelper, WahCloseHandleHelper, WahCloseNotificationHandleHelper, WahOpenNotificationHandleHelper, WahOpenHandleHelper, WahOpenApcHelper, WahCloseSocketHandle, WahReferenceContextByHandle

( 1 exports )

> FreeAddrInfoW, GetAddrInfoW, GetNameInfoW, WEP, WPUCompleteOverlappedRequest, WSAAccept, WSAAddressToStringA, WSAAddressToStringW, WSAAsyncGetHostByAddr, WSAAsyncGetHostByName, WSAAsyncGetProtoByName, WSAAsyncGetProtoByNumber, WSAAsyncGetServByName, WSAAsyncGetServByPort, WSAAsyncSelect, WSACancelAsyncRequest, WSACancelBlockingCall, WSACleanup, WSACloseEvent, WSAConnect, WSACreateEvent, WSADuplicateSocketA, WSADuplicateSocketW, WSAEnumNameSpaceProvidersA, WSAEnumNameSpaceProvidersW, WSAEnumNetworkEvents, WSAEnumProtocolsA, WSAEnumProtocolsW, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSAGetQOSByName, WSAGetServiceClassInfoA, WSAGetServiceClassInfoW, WSAGetServiceClassNameByClassIdA, WSAGetServiceClassNameByClassIdW, WSAHtonl, WSAHtons, WSAInstallServiceClassA, WSAInstallServiceClassW, WSAIoctl, WSAIsBlocking, WSAJoinLeaf, WSALookupServiceBeginA, WSALookupServiceBeginW, WSALookupServiceEnd, WSALookupServiceNextA, WSALookupServiceNextW, WSANSPIoctl, WSANtohl, WSANtohs, WSAProviderConfigChange, WSARecv, WSARecvDisconnect, WSARecvFrom, WSARemoveServiceClass, WSAResetEvent, WSASend, WSASendDisconnect, WSASendTo, WSASetBlockingHook, WSASetEvent, WSASetLastError, WSASetServiceA, WSASetServiceW, WSASocketA, WSASocketW, WSAStartup, WSAStringToAddressA, WSAStringToAddressW, WSAUnhookBlockingHook, WSAWaitForMultipleEvents, WSApSetPostRoutine, WSCDeinstallProvider, WSCEnableNSProvider, WSCEnumProtocols, WSCGetProviderPath, WSCInstallNameSpace, WSCInstallProvider, WSCUnInstallNameSpace, WSCUpdateProvider, WSCWriteNameSpaceOrder, WSCWriteProviderOrder, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyaddr, gethostbyname, gethostname, getnameinfo, getpeername, getprotobyname, getprotobynumber, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket
TrID : File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
ssdeep: 1536:aRqRCJAJcBuyg2A1htxvSrqtkBx5sALnR4lxCyqgY5:aR05JKBA1hrvSrMkBx5swR41j
PEiD : -
RDS : NSRL Reference Data Set
-

ATENTION ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
maritime.mark is offline  
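The report above is the plain-text form VirusTotal produced at the time: one line per engine (name, version, last update, result), with '-' meaning no detection. The useful triage signal is not the bare 8/41 count but that most of the hits share one family name, "Patched", which is what engines report when a legitimate system file has been modified in place. As an added example, not code from the thread or from VirusTotal, here is a small parser for that text format with a summary that separates the family consensus from the other hits. The input is an excerpt of the report above (10 of the 41 engine lines); the helper and function names are my own.

```python
"""Summarise a VirusTotal text report (2009-era format) such as the one pasted above.

Added example, not part of the forum thread or of VirusTotal. The sample
report below is an excerpt (10 of 41 engine lines) of the post above.
"""
import re

# Excerpt of the report above: engine, version, last update, result.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.07 Trojan.Win32.Patched!IK
AhnLab-V3 5.0.0.2 2009.07.07 -
AVG 8.5.0.386 2009.07.07 Win32/Patched
BitDefender 7.2 2009.07.07 Trojan.Patched.EM
Kaspersky 7.0.0.125 2009.07.07 -
McAfee-GW-Edition 6.8.5 2009.07.07 Heuristic.LooksLike.Trojan.Patched.H
Microsoft 1.4803 2009.07.07 Trojan:Win32/Patched.L
NOD32 4222 2009.07.07 -
Sophos 4.43.0 2009.07.07 Mal/WSHack-A
Symantec 1.4.4.12 2009.07.07 -
"""

# One engine line. Engine names and versions contain no whitespace in this
# format, and the date field (YYYY.MM.DD) anchors the line, so the header
# line and the "Additional information" block simply fail to match.
ENGINE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")


def parse_report(text):
    """Return (engine, version, updated, result) tuples; result is None for '-'."""
    rows = []
    for line in text.splitlines():
        m = ENGINE_LINE.match(line.strip())
        if not m:
            continue  # header, blank line, or hash/PE information lines
        engine, version, updated, result = m.groups()
        rows.append((engine, version, updated, None if result == "-" else result))
    return rows


def ratio_string(detected, total):
    """Same presentation VirusTotal uses, e.g. '8/41 (19.51%)'."""
    pct = 100.0 * detected / total if total else 0.0
    return f"{detected}/{total} ({pct:.2f}%)"


def summarise(rows, family="Patched"):
    """Split detections into those naming the given family and the rest."""
    hits = [(engine, result) for engine, _, _, result in rows if result]
    family_hits = [engine for engine, result in hits if family.lower() in result.lower()]
    return {
        "total": len(rows),
        "detected": len(hits),
        "ratio": ratio_string(len(hits), len(rows)),
        "family_hits": family_hits,
        "other_hits": [engine for engine, _ in hits if engine not in family_hits],
    }


def recommended_action(summary):
    """'Patched' verdicts mean a legitimate file was altered in place, so the
    remedy is to replace it with a known-good copy rather than delete it;
    deleting ws2_32.dll would break all Winsock networking on the machine."""
    if summary["family_hits"]:
        return "restore-known-good-copy"
    if summary["detected"]:
        return "quarantine"
    return "no-detection"


if __name__ == "__main__":
    summary = summarise(parse_report(SAMPLE_REPORT))
    print(summary["ratio"], summary["family_hits"], recommended_action(summary))
```

Run against the full 41-line report, `ratio_string` reproduces the "8/41 (19.51%)" line at the top of the post; on the excerpt it reports 6/10, five of them naming "Patched" and one (Sophos, Mal/WSHack-A) a Winsock-hijack signature, which points at the same conclusion.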
Old 07-07-2009, 10:24 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Re: Google search redirected..sometimes

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/391334-google-search-redirected-sometimes.html

Suspect::
c:\windows\system32\ws2_32.dll

FCopy::
c:\windows\$NtServicePackUninstall$\ws2_32.dll | c:\windows\system32\ws2_32.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
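The FCopy line in the script above replaces the flagged system32\ws2_32.dll with the copy Windows kept in $NtServicePackUninstall$ when the service pack was installed. A practitioner would want to confirm two things around that step: before it, that the file on disk really is the one VirusTotal analysed (its MD5 is in the report above), and after it, that the file has actually changed and now matches the backup it was copied from. As an added example, not code from the thread or from ComboFix, here is that check in Python. The file contents are constructed bytes so it runs offline; on a real machine `read_file()` would be given the two paths from the CFScript. The function names are my own.

```python
"""Integrity check around restoring a patched system DLL from a backup copy.

Added example, not part of the forum thread or of ComboFix. Computes the
same digests VirusTotal reports (MD5, SHA1, SHA256) plus the size.
"""
import hashlib

# MD5 VirusTotal reported for the suspect ws2_32.dll in the post above.
FLAGGED_MD5 = "9f4a1642f792de1035e9fcf698d439f3"

# Constructed stand-ins for the two files (not real DLL contents). The
# patched copy is the same length as the clean one with a few bytes altered,
# which is typical for in-place patching and is why size alone proves nothing.
CLEAN_COPY = b"MZ" + bytes(range(256)) * 4
PATCHED_COPY = CLEAN_COPY[:300] + b"\xff\xff\xff\xff" + CLEAN_COPY[304:]


def read_file(path):
    """Read a file's bytes; used for the real system32 and backup paths."""
    with open(path, "rb") as fh:
        return fh.read()


def digests(data):
    """Size plus the three digests VirusTotal prints under 'Additional information'."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_flagged(data, flagged_md5=FLAGGED_MD5):
    """True when the file on disk is the copy VirusTotal analysed."""
    return digests(data)["md5"] == flagged_md5.lower()


def check_restore(before, after, reference):
    """Compare the file before and after the copy against the backup it came from.

    'changed' and 'matches_reference' are decided on SHA256, never on size:
    a patched DLL usually keeps the original's size.
    """
    d_before, d_after, d_ref = digests(before), digests(after), digests(reference)
    return {
        "changed": d_before["sha256"] != d_after["sha256"],
        "matches_reference": d_after["sha256"] == d_ref["sha256"],
        "same_size": d_before["size"] == d_after["size"],
    }


def demo():
    """Simulate the FCopy step on the constructed files."""
    return check_restore(before=PATCHED_COPY, after=CLEAN_COPY, reference=CLEAN_COPY)


if __name__ == "__main__":
    print("flagged copy on disk:", matches_flagged(PATCHED_COPY))
    print(demo())
```

On the real machine the sequence is: hash system32\ws2_32.dll and compare with `FLAGGED_MD5`, hash the $NtServicePackUninstall$ copy and confirm it differs, run the script, then hash system32\ws2_32.dll again and expect `changed` and `matches_reference` both true. A backup whose hash equals the flagged one would mean the backup itself was tampered with and a different clean source (the service pack files or dllcache) is needed.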
Old 07-09-2009, 09:50 PM   #8 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 13
OS: windows xp sp2


Re: Google search redirected..sometimes

ComboFix 09-07-09.06 - Owner 07/09/2009 22:16.2.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.91 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

file zipped: c:\windows\system32\Suspect_ws2_32.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\16fd63f0.msp
c:\windows\Installer\40891.msp
c:\windows\Installer\5ab51.msp
c:\windows\Installer\WinRMSrv.msi
c:\windows\system32\tmp.reg

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\ws2_32.dll --> c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-10 02:56 . 2009-07-10 02:56 -------- d--h--w- c:\windows\PIF
2009-07-10 02:51 . 2009-07-10 02:54 -------- d-----w- C:\32788R22FWJFW.2.tmp
2009-07-08 05:14 . 2009-07-10 02:51 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-07-08 05:13 . 2009-07-08 05:14 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-07-02 03:04 . 2009-07-02 03:04 -------- d-----w- c:\windows\Sun
2009-07-02 03:03 . 2009-07-02 03:03 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-02 03:02 . 2009-07-02 03:02 -------- d-----w- c:\program files\Java
2009-07-02 03:01 . 2009-07-02 03:01 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-25 01:35 . 2009-06-25 01:35 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-06-25 01:33 . 2009-06-25 01:34 -------- d-----w- c:\windows\ERUNT
2009-06-25 01:30 . 2008-11-06 07:03 -------- d-----w- C:\SDFix
2009-06-23 11:24 . 2009-06-23 11:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-23 03:30 . 2009-06-26 02:13 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-23 03:09 . 2009-06-26 02:14 -------- d-----w- c:\program files\Lavasoft
2009-06-23 03:09 . 2009-06-26 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-23 02:38 . 2009-06-23 02:38 -------- d-----w- c:\documents and settings\Account2\Local Settings\Application Data\Mozilla
2009-06-23 02:37 . 2009-06-23 02:37 -------- d-----w- c:\documents and settings\Account2\Application Data\HP
2009-06-23 02:20 . 2009-06-23 02:21 -------- d-----w- C:\b2399a19aa5feced0725f3
2009-06-19 02:55 . 2009-06-19 03:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-19 02:46 . 2009-06-26 02:15 -------- d-----w- c:\program files\Trojan Remover
2009-06-19 02:46 . 2009-06-19 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-06-19 02:37 . 2009-06-19 02:37 0 ----a-w- c:\windows\nsreg.dat
2009-06-19 02:37 . 2009-06-19 02:37 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2009-06-17 02:56 . 2009-06-17 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\.clamwin
2009-06-16 11:53 . 2009-06-16 11:53 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-06-16 02:32 . 2009-06-26 02:56 -------- d-----w- c:\program files\Panda Security
2009-06-13 03:06 . 2009-06-13 03:06 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-13 03:05 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-12 11:49 . 2009-06-12 11:49 -------- d-----w- c:\program files\Auslogics
2009-06-12 03:09 . 2009-06-12 03:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Intuit
2009-06-12 02:49 . 2009-06-12 11:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Digital Support
2009-06-12 02:08 . 2009-06-12 02:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-11 01:06 . 2009-07-10 02:57 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-06-11 01:01 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 01:01 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 12:16 . 2009-06-11 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-06-10 12:15 . 2009-06-10 12:15 168208 ----a-w- c:\windows\system32\guard32.dll
2009-06-10 12:15 . 2009-06-10 12:15 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-06-10 12:15 . 2009-06-10 12:15 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-06-10 12:15 . 2009-06-10 12:15 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-06-10 12:15 . 2009-06-10 12:15 -------- d-----w- c:\program files\COMODO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 14:38 . 2009-05-18 14:02 3494 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-06-26 02:55 . 2005-09-16 15:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-25 02:03 . 2009-05-23 03:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 02:01 . 2009-05-23 03:47 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-24 13:43 . 2005-09-16 15:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-24 03:47 . 2005-09-16 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-17 16:27 . 2009-05-23 03:44 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-05-23 03:44 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-10 03:33 . 2009-06-04 03:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-04 22:52 . 2009-06-04 22:52 -------- d-----w- c:\program files\Trend Micro
2009-06-04 03:33 . 2009-06-04 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-01 18:12 . 2006-05-12 14:35 113352 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-01 17:58 . 2009-06-01 17:58 -------- d-----w- c:\program files\MSBuild
2009-06-01 17:57 . 2009-06-01 17:57 -------- d-----w- c:\program files\Reference Assemblies
2009-05-25 02:14 . 2005-09-16 15:11 -------- d-----w- c:\documents and settings\Owner\Application Data\Lavasoft
2009-05-23 03:44 . 2009-05-23 03:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-23 03:44 . 2009-05-23 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 23:04 . 2009-05-19 23:05 861448 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-05-19 23:04 . 2009-05-19 23:05 38664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-05-19 23:04 . 2009-05-19 23:05 34056 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
2009-05-19 23:04 . 2009-05-19 23:05 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2009-05-19 23:01 . 2009-05-19 23:01 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2009-05-19 23:01 . 2009-05-19 23:01 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcp71.dll
2009-05-19 23:01 . 2009-05-19 23:01 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcr71.dll
2009-05-18 13:42 . 2009-05-18 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 10
2009-05-18 13:42 . 2006-05-04 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-05-18 13:39 . 2009-05-18 13:39 -------- d-----w- c:\program files\Common Files\supportsoft
2009-05-18 13:31 . 2006-05-04 19:34 -------- d-----w- c:\program files\Common Files\Intuit
2009-05-18 13:20 . 2009-05-18 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-11 20:30 . 2009-04-11 19:06 118642 ----a-w- c:\windows\hpoins09.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-06-08_02.00.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
- 2004-08-04 12:00 . 2009-03-08 09:33 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00 . 2009-04-30 21:22 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00 . 2009-04-30 21:22 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-04 12:00 . 2009-03-08 09:33 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2005-09-16 13:43 . 2009-06-23 11:23 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-09-16 13:43 . 2009-05-25 02:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-09-16 13:43 . 2009-05-25 02:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-09-16 13:43 . 2009-06-23 11:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-06-23 11:24 . 2009-06-23 11:23 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2005-09-16 13:43 . 2009-06-23 11:23 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-09-16 13:43 . 2009-05-25 02:31 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-30 02:07 . 2008-07-30 02:07 23040 c:\windows\Installer\3809a84.msp
+ 2009-06-01 17:54 . 2009-06-01 17:54 88576 c:\windows\Installer\379c568.msi
+ 2005-09-16 15:39 . 2005-09-16 15:39 20480 c:\windows\Installer\22bdc.msi
+ 2009-06-12 01:55 . 2009-03-08 09:33 12288 c:\windows\ie8updates\KB969897-IE8\xpshims.dll
+ 2009-06-12 01:55 . 2009-03-08 09:33 25600 c:\windows\ie8updates\KB969897-IE8\jsproxy.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-07-02 03:03 . 2009-07-02 03:03 148888 c:\windows\system32\javaws.exe
+ 2009-07-02 03:03 . 2009-07-02 03:03 144792 c:\windows\system32\javaw.exe
+ 2009-07-02 03:03 . 2009-07-02 03:03 144792 c:\windows\system32\java.exe
+ 2004-08-04 12:00 . 2009-04-30 21:22 385536 c:\windows\system32\iedkcs32.dll
- 2004-08-04 12:00 . 2009-03-08 09:32 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-04 12:00 . 2009-04-30 11:21 173056 c:\windows\system32\ie4uinit.exe
+ 2005-09-15 20:49 . 2009-06-12 02:00 379240 c:\windows\system32\FNTCACHE.DAT
- 2005-09-15 20:49 . 2009-06-01 18:09 379240 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-04 12:00 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\wininet.dll
+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
+ 2004-08-04 12:00 . 2009-04-30 21:22 385536 c:\windows\system32\dllcache\iedkcs32.dll
- 2004-08-04 12:00 . 2009-03-08 09:32 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-04 12:00 . 2009-04-30 11:21 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-04-04 03:45 . 2004-08-04 12:00 366080 c:\windows\ServicePackFiles\i386\digreqex.msi
+ 2009-04-04 03:45 . 2004-08-04 12:00 863232 c:\windows\ServicePackFiles\i386\digopt.msi
+ 2009-06-01 17:59 . 2009-06-01 17:59 652800 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.msi
+ 2005-09-16 15:52 . 2005-09-16 15:52 916480 c:\windows\Installer\e5851.msi
+ 2009-04-04 01:37 . 2009-04-04 01:37 337408 c:\windows\Installer\8d9a5.msi
+ 2009-05-18 13:39 . 2009-05-18 13:39 316928 c:\windows\Installer\67e41d.msi
+ 2009-05-18 13:19 . 2009-05-18 13:19 390656 c:\windows\Installer\67dbe9.msi
+ 2009-04-12 22:55 . 2009-04-12 22:55 348672 c:\windows\Installer\59c84a0.msi
+ 2007-08-16 08:00 . 2007-08-16 08:00 431104 c:\windows\Installer\405f71a3.msi
+ 2008-12-13 14:58 . 2008-12-13 14:58 754688 c:\windows\Installer\3829b51.msp
+ 2009-06-01 18:00 . 2009-06-01 18:00 648192 c:\windows\Installer\3829b2b.msi
+ 2008-07-30 02:23 . 2008-07-30 02:23 250880 c:\windows\Installer\3809a8d.msp
+ 2008-07-30 02:28 . 2008-07-30 02:28 278016 c:\windows\Installer\3809a8b.msp
+ 2008-07-30 00:40 . 2008-07-30 00:40 291840 c:\windows\Installer\3809a89.msp
+ 2009-06-01 17:58 . 2009-06-01 17:58 137728 c:\windows\Installer\3809a83.msi
+ 2008-07-29 22:35 . 2008-07-29 22:35 553472 c:\windows\Installer\379c56d.msp
+ 2008-07-29 22:33 . 2008-07-29 22:33 506368 c:\windows\Installer\379c56b.msp
+ 2008-07-29 22:37 . 2008-07-29 22:37 911360 c:\windows\Installer\379c56a.msp
+ 2009-06-13 03:04 . 2009-06-13 03:04 228352 c:\windows\Installer\24d3ef.msi
+ 2006-11-18 09:01 . 2006-11-18 09:01 428544 c:\windows\Installer\22848234.msi
+ 2009-04-11 20:27 . 2009-04-11 20:27 239616 c:\windows\Installer\170552.msi
+ 2009-04-11 20:26 . 2009-04-11 20:26 321536 c:\windows\Installer\17054c.msi
+ 2009-04-11 20:12 . 2009-04-11 20:12 291328 c:\windows\Installer\170538.msi
+ 2009-04-11 20:09 . 2009-04-11 20:09 121344 c:\windows\Installer\17052e.msi
+ 2009-04-11 20:07 . 2009-04-11 20:07 344064 c:\windows\Installer\170528.msi
+ 2009-04-11 20:07 . 2009-04-11 20:07 338944 c:\windows\Installer\170522.msi
+ 2009-04-11 20:06 . 2009-04-11 20:06 557056 c:\windows\Installer\17051c.msi
+ 2009-04-11 20:02 . 2009-04-11 20:02 325632 c:\windows\Installer\170512.msi
+ 2009-04-11 20:01 . 2009-04-11 20:01 316416 c:\windows\Installer\17050c.msi
+ 2009-04-11 20:00 . 2009-04-11 20:00 467456 c:\windows\Installer\170506.msi
+ 2009-04-11 19:57 . 2009-04-11 19:57 488448 c:\windows\Installer\1704ff.msi
+ 2009-04-11 19:56 . 2009-04-11 19:56 537088 c:\windows\Installer\1704f8.msi
+ 2009-04-11 19:50 . 2009-04-11 19:50 121344 c:\windows\Installer\1704e3.msi
+ 2009-04-11 19:48 . 2009-04-11 19:48 489472 c:\windows\Installer\1704dd.msi
+ 2009-04-11 19:47 . 2009-04-11 19:47 667136 c:\windows\Installer\1704d6.msi
+ 2009-04-11 19:44 . 2009-04-11 19:44 492032 c:\windows\Installer\1704cf.msi
+ 2009-04-11 19:43 . 2009-04-11 19:43 121344 c:\windows\Installer\1704c8.msi
+ 2009-04-11 19:39 . 2009-04-11 19:39 425984 c:\windows\Installer\1704b5.msi
+ 2009-04-11 19:39 . 2009-04-11 19:39 437248 c:\windows\Installer\1704af.msi
+ 2009-04-11 19:37 . 2009-04-11 19:37 201728 c:\windows\Installer\1704a8.msi
+ 2009-04-11 19:37 . 2009-04-11 19:37 795136 c:\windows\Installer\1704a2.msi
+ 2009-04-11 19:34 . 2009-04-11 19:34 547840 c:\windows\Installer\17049c.msi
+ 2009-04-11 19:31 . 2009-04-11 19:31 637440 c:\windows\Installer\170495.msi
+ 2009-04-11 19:26 . 2009-04-11 19:26 334848 c:\windows\Installer\17048f.msi
+ 2009-04-04 08:00 . 2009-04-04 08:00 432640 c:\windows\Installer\1688079.msi
+ 2009-07-02 03:03 . 2009-07-02 03:03 536576 c:\windows\Installer\1327e2.msi
+ 2005-09-16 13:51 . 2005-09-16 13:51 264704 c:\windows\Installer\11757f.msi
+ 2009-06-12 01:55 . 2009-03-08 09:34 914944 c:\windows\ie8updates\KB969897-IE8\wininet.dll
+ 2009-06-12 01:55 . 2008-07-09 07:38 382840 c:\windows\ie8updates\KB969897-IE8\spuninst\updspapi.dll
+ 2009-06-12 01:55 . 2007-11-30 12:39 231288 c:\windows\ie8updates\KB969897-IE8\spuninst\spuninst.exe
+ 2009-06-12 01:55 . 2009-03-08 09:33 246784 c:\windows\ie8updates\KB969897-IE8\ieproxy.dll
+ 2009-06-12 01:55 . 2009-03-08 19:09 391536 c:\windows\ie8updates\KB969897-IE8\iedkcs32.dll
+ 2009-06-12 01:55 . 2009-03-08 09:32 173056 c:\windows\ie8updates\KB969897-IE8\ie4uinit.exe
+ 2009-06-25 01:34 . 2009-06-25 01:34 110592 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2009-06-25 01:34 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-06-25 01:34 . 2009-06-25 01:34 110592 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-06-25 01:34 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-12-24 20:38 . 2008-12-24 20:38 386048 c:\windows\Downloaded Program Files\Housecall_ActiveX.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2004-08-04 12:00 . 2004-08-04 12:00 1326080 c:\windows\system32\webfldrs.msi
+ 2004-08-04 12:00 . 2009-04-30 21:22 1207808 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2009-05-13 05:15 5936128 c:\windows\system32\mshtml.dll
- 2006-10-17 16:57 . 2009-03-08 09:32 1985024 c:\windows\system32\iertutil.dll
+ 2006-10-17 16:57 . 2009-04-30 21:22 1985024 c:\windows\system32\iertutil.dll
+ 2009-02-09 11:13 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-04 12:00 . 2009-04-30 21:22 1207808 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00 . 2009-05-13 05:15 5936128 c:\windows\system32\dllcache\mshtml.dll
- 2007-04-25 08:41 . 2009-03-08 09:32 1985024 c:\windows\system32\dllcache\iertutil.dll
+ 2007-04-25 08:41 . 2009-04-30 21:22 1985024 c:\windows\system32\dllcache\iertutil.dll
+ 2009-04-04 03:49 . 2004-08-04 12:00 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2009-04-04 03:47 . 2004-08-04 12:00 5080576 c:\windows\ServicePackFiles\i386\msnmsgs.msi
+ 2007-05-25 17:08 . 2007-05-25 17:08 9609728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp
+ 2005-09-16 15:52 . 2005-09-16 15:52 3443712 c:\windows\Installer\d7ff2.msi
+ 2009-04-04 01:45 . 2009-04-04 01:45 1155072 c:\windows\Installer\8d9a9.msi
+ 2009-04-12 22:56 . 2009-04-12 22:56 1894400 c:\windows\Installer\59c84b9.msi
+ 2006-05-04 19:30 . 2006-05-04 19:30 3816960 c:\windows\Installer\3f198.msi
+ 2008-12-13 14:57 . 2008-12-13 14:57 8397824 c:\windows\Installer\3829b3a.msp
+ 2008-07-30 00:26 . 2008-07-30 00:26 1043456 c:\windows\Installer\3809a8c.msp
+ 2008-07-30 01:37 . 2008-07-30 01:37 2679808 c:\windows\Installer\3809a8a.msp
+ 2008-07-30 02:15 . 2008-07-30 02:15 3697664 c:\windows\Installer\3809a88.msp
+ 2008-07-30 00:34 . 2008-07-30 00:34 1448448 c:\windows\Installer\3809a87.msp
+ 2008-07-30 01:22 . 2008-07-30 01:22 4137984 c:\windows\Installer\3809a86.msp
+ 2008-07-30 00:18 . 2008-07-30 00:18 3376640 c:\windows\Installer\3809a85.msp
+ 2008-07-29 22:45 . 2008-07-29 22:45 2543616 c:\windows\Installer\379c571.msp
+ 2008-07-29 22:29 . 2008-07-29 22:29 2926080 c:\windows\Installer\379c570.msp
+ 2008-07-29 22:41 . 2008-07-29 22:41 6487040 c:\windows\Installer\379c56f.msp
+ 2008-07-29 22:39 . 2008-07-29 22:39 3403264 c:\windows\Installer\379c56e.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 988701]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 118784]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-06-10 1794320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-02 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-09-16 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/10/2009 7:15 AM 24096]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [6/10/2009 7:15 AM 132640]
S3 PciPPorts;PCI ECP Parallel Port;c:\windows\system32\drivers\PciPPorts.sys [4/7/2009 8:44 PM 82432]
S4 KLC;KLC;c:\docume~1\Owner\LOCALS~1\Temp\KLC.exe --> c:\docume~1\Owner\LOCALS~1\Temp\KLC.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-07-10 c:\windows\Tasks\User_Feed_Synchronization-{10559F02-1EAB-40B5-BE0A-3C91E4703269}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
TCP: {ADD4AAEA-CBAB-4B18-A7E3-AD7EC8FC3E91} = 208.67.222.222,208.67.220.220
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\lbhhoxfz.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 22:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(772)
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-07-10 22:24
ComboFix-quarantined-files.txt 2009-07-10 03:24
ComboFix2.txt 2009-06-08 02:02

Pre-Run: 53,681,774,592 bytes free
Post-Run: 53,849,763,840 bytes free

358 --- E O F --- 2009-07-10 02:51
maritime.mark is offline  
Old 07-09-2009, 10:04 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Re: Google search redirected..sometimes

It doesn't appear as though the file was uploaded. Did you see a prompt to upload after ComboFix completed the run?

Do you see a C:\CF-Submit.htm?

If so, double click that and the upload prompt should open for you.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 07-09-2009, 10:12 PM   #10 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 13
OS: windows xp sp2


Re: Google search redirected..sometimes

I just uploaded it. Originally it said that it could not communicate with the server, but this time it did upload to BleepingComputer

Thanks
maritime.mark is offline  
Old 07-09-2009, 10:16 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Re: Google search redirected..sometimes

There it is, thank you.

I realize this next step is time consuming, but it is important to run an online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:


Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

How is the system behaving now? Are you still getting redirected?
Ried is offline  
Old 07-10-2009, 09:39 PM   #12 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 13
OS: windows xp sp2


Re: Google search redirected..sometimes

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 10, 2009 07:11:35
Records in database: 2454193
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\
Z:\

Scan statistics:
Files scanned: 80024
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:45:48

No malware has been detected. The scan area is clean.

The selected area was scanned.


I just tested the google links. And they all went to the site they were supposed to. Before, I noticed the redirects when I would go to antivirus sites. I went to a bunch now, like avg, comodo, and pandascan, and they went right there. So it looks like the redirects are gone.

Thanks a lot for your help. This is an excellent site with excellent help.

Mark
maritime.mark is offline  
Old 07-10-2009, 09:49 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Re: Google search redirected..sometimes

You're welcome, Mark.

I'm happy to say that your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

Think Prevention
PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

----------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
Ried is offline  
Old 07-10-2009, 10:06 PM   #14 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 13
OS: windows xp sp2


Re: Google search redirected..sometimes

One more thing, when I start the machine, I get an error window that reads "Windows cannot find C:\Combofix\HIDEC.exe". How do I stop this?

And on shutdown, I get the End Program window for motivesb.exe and Windows Media Player Network Sharing. The bar counts down and closes. The shutdown before last I also got a couple of HP printer programs along with the other two above.

And tomorrow I will donate to combofix, since that appears to be the program that found this problem. Thanks
maritime.mark is offline  
Old 07-10-2009, 10:40 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Re: Google search redirected..sometimes

Do you still get that message about the ComboFix file even after uninstalling ComboFix?

Regarding the shutdown messages, is this something new or has it been happening for a while? What are the HP printer program files that are taking a while to end task before shutdown?
Ried is offline  
Old 07-11-2009, 09:14 PM   #16 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 13
OS: windows xp sp2


Re: Google search redirected..sometimes

Yes, it still comes up on startup after uninstall. The shutdown messages have gone away though.
maritime.mark is offline  
Old 07-11-2009, 11:58 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Re: Google search redirected..sometimes

Using Windows Explorer, do you see this folder:

C:\ComboFix

If so, delete that folder. Reboot. Does the error message still appear?
Ried is offline  
Old 07-12-2009, 08:38 PM   #18 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 13
OS: windows xp sp2


Re: Google search redirected..sometimes

I got it to disappear from startup. There was a service wanting to start called PEVSystemStart that was looking for that file. I went into msconfig and unchecked it so it won't start. I attached a .png screen shot of the msconfig window for you to see. The last time I restarted, there was no "cannot find file" error.

Thanks much for your help and the donation is on the way.

Mark
Attached Images
File Type: jpg PEV start service.jpg (46.3 KB, 2 views)
maritime.mark is offline  
Old 07-13-2009, 07:11 AM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,043
OS: WinXP and Vista


Re: Google search redirected..sometimes

Thanks Mark, that is quite helpful.

Click Start>Run and copy/paste the following bolded text into the Run box and click OK. It will be quick.

sc delete PEVSystemStart

Reboot. Please confirm that the service is no longer listed for you.
Ried is offline  
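The orphaned service in the two posts above (an entry still registered after its executable, C:\ComboFix\HIDEC.exe, was deleted) is the general case worth checking for, so here is an added PowerShell script, not from the thread, ComboFix or the forum, that lists every service whose registered executable is missing and only with a -Remove switch runs the same sc delete the reply above gives. The -Remove switch and the Get-ServiceExecutable function are my own names; it needs an elevated PowerShell and covers Win32 services only, not driver entries like the .sys lines in the ComboFix log.

```powershell
# Added example, not from the thread or ComboFix. Lists services whose
# registered executable no longer exists on disk (the cause of the
# "Windows cannot find C:\ComboFix\HIDEC.exe" message) and, only when
# -Remove is given, runs the same 'sc delete <name>' as the reply above.
param(
    [switch]$Remove   # hypothetical switch name, my own
)

# Win32_Service.PathName is the raw command line, possibly quoted and with
# arguments, e.g.  "C:\Program Files\X\svc.exe" -k arg   or
# C:\WINDOWS\system32\svchost.exe -k netsvcs
function Get-ServiceExecutable {
    param([string]$PathName)
    if (-not $PathName -or -not $PathName.Trim()) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: take everything up to the first ".exe", which keeps paths
    # with spaces (C:\Program Files\...) intact
    $m = [regex]::Match($p, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

# Get-CimInstance needs PowerShell 3+; Get-WmiObject covers older hosts
$services = if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    Get-CimInstance -ClassName Win32_Service
} else {
    Get-WmiObject -Class Win32_Service
}

$orphans = @()
foreach ($svc in $services) {
    $exe = Get-ServiceExecutable $svc.PathName
    if (-not $exe) { continue }
    # Some services register %SystemRoot%-style paths
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $orphans += New-Object PSObject -Property @{
            Name      = $svc.Name
            StartMode = $svc.StartMode
            Path      = $exe
        }
    }
}

if ($orphans.Count -eq 0) {
    Write-Host "No services point at a missing executable."
    return
}
$orphans | Format-Table Name, StartMode, Path -AutoSize

if ($Remove) {
    foreach ($o in $orphans) {
        # Same operation as the thread's 'sc delete PEVSystemStart'; the
        # entry is gone from the registry after the next reboot.
        & sc.exe delete $o.Name
    }
}
```

Run it once without -Remove and read the list first: a service whose path sits on a drive that is simply not mounted at the moment will show up here too.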
Old 07-18-2009, 11:07 PM   #20 (permalink)
Registered User
 
Join Date: Sep 2008
Posts: 13
OS: windows xp sp2


Re: Google search redirected..sometimes

Yes, after I rebooted, it is gone. No problems anymore. Thanks for the excellent job.

Mark
maritime.mark is offline  
Copyright 2001 - 2009, Tech Support Forum