Tech Support Forum
Status: Not open for further replies.
1 - 8 of 8 Posts

Registered · 36 Posts · Discussion Starter · #1
I'm working on a laptop where whenever the user searches for something on Google, Yahoo, Bing, etc... when they click on one of the results, the browser does not go to the linked address around 75% of the time but is redirected to some other page. Sometimes it's another search service, sometimes an ad, sometimes it times out, but I don't think I've seen the same one twice.

This computer had the Alpha Antivirus scamware on it, but that was removed. I have run my usual suspect cleaning/malware/virus utilities and some small issues were reported at first, but now they all falsely report the computer is clean.

Any suggestions? Thanks.

======


DDS (Ver_09-11-24.02) - NTFSx86
Run by Chris at 17:46:26.26 on Thu 11/26/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2812.1518 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WacomTouchService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\TastyBytes Software\PD+Rescue for iPod\PDHelper.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Download\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ISUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
uRun: [Aim6]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
uPolicies-system: DisableTaskMgr =
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli DPPWDFLT
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\h7u8zapt.default\
FF - plugin: c:\program files\view22\version 3.10.50\NPView22.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-6-21 161800]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-25 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-21 333192]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-25 285392]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-6-28 1369384]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-24 24652]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [2008-6-28 95528]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-4-30 193840]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-1-24 52736]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
R3 Wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [2007-11-5 10536]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2007-2-22 11312]
R4 PDHelper.exe;PDHelper.exe;c:\program files\tastybytes software\pd+rescue for ipod\PDHelper.exe [2009-6-21 1539470]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-4-30 341328]

=============== Created Last 30 ================

2009-11-26 17:55:52 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-26 17:40:14 0 d-----w- c:\users\chris\appdata\roaming\SUPERAntiSpyware.com
2009-11-26 17:40:14 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-26 17:37:29 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-26 17:26:52 0 d-----w- c:\program files\CCleaner
2009-11-26 17:24:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-26 17:14:29 0 d-----w- C:\WTablet
2009-11-26 08:08:59 45568 ----a-w- c:\windows\system32\mshta.exe
2009-11-26 08:08:59 385024 ----a-w- c:\windows\system32\html.iec
2009-11-26 08:08:59 169472 ----a-w- c:\windows\system32\iexpress.exe
2009-11-26 08:08:58 109568 ----a-w- c:\windows\system32\PDMSetup.exe
2009-11-26 08:08:58 107520 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2009-11-26 08:08:58 107008 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2009-11-26 08:08:58 103936 ----a-w- c:\windows\system32\SetDepNx.exe
2009-11-26 07:35:25 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-25 21:45:50 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-25 21:45:28 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-25 21:42:26 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-25 21:41:43 0 d-----w- c:\programdata\Lavasoft
2009-11-25 21:41:43 0 d-----w- c:\program files\Lavasoft
2009-11-25 17:50:00 0 d--h--w- C:\$AVG
2009-11-25 17:49:37 0 d-----w- c:\programdata\avg9
2009-11-25 17:16:15 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 16:56:12 0 d-----w- c:\windows\pss
2009-11-25 16:47:31 0 d-----w- c:\program files\Trend Micro
2009-11-25 16:17:27 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 16:17:26 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-14 08:33:06 0 ----a-w- c:\windows\system32\ÄlÄl
2009-11-12 15:14:46 0 d-----w- c:\program files\common files\AAntivirusUninstall
2009-11-10 20:30:51 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 20:30:47 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 08:22:32 0 ----a-w- c:\windows\system32\ÄSÄS

==================== Find3M ====================

2009-11-25 17:49:54 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-25 17:49:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-25 17:49:38 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-10 17:30:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:24:34 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-06-19 00:06:28 51200 ----a-w- c:\windows\inf\infpub.dat
2009-06-19 00:06:27 86016 ----a-w- c:\windows\inf\infstor.dat
2009-06-19 00:06:27 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-08-25 02:14:45 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-07 18:59:10 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-07 18:59:10 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-07 18:59:10 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-05-08 06:33:50 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-08 06:33:50 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-08 06:33:50 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-08-24 14:01:10 22 --sha-w- c:\windows\sminst\HPCD.sys
2008-04-30 05:50:36 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 17:50:12.68 ===============
 

Premium Member · 29,790 Posts
Hello bcraig15. Are you in the computer repair business?
 

Registered · 36 Posts · Discussion Starter · #3
Not in the business, more of a hobby. But word goes around fast and I might as well be for family/friends who have messed up computers.

I've examined the computer some more and it appears after a fresh boot it will let you follow several links correctly (around 10) before it will start redirecting. Curiously, several of the redirects have been to legit sites, e.g. Yahoo Jobs.
 

Premium Member · 29,790 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Due to the restrictions on Vista, all tools should be started by right-click > Run as Administrator.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
 

Registered · 36 Posts · Discussion Starter · #5
Hello, here is the combofix log. Thanks for helping me!

=======


ComboFix 09-11-25.05 - Chris 11/29/2009 18:38.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2812.1492 [GMT -5:00]
Running from: c:\users\Chris\Desktop\New Folder\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3909194050-3920517080-2763849723-500
c:\$recycle.bin\S-1-5-21-3941241407-2991495807-2971739447-500
c:\windows\system32\oem20.inf

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 00:06 . 2009-11-30 00:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-29 19:31 . 2009-11-29 19:32 -------- d-----w- c:\windows\system32\ca-ES
2009-11-29 19:31 . 2009-11-29 19:32 -------- d-----w- c:\windows\system32\eu-ES
2009-11-29 19:31 . 2009-11-29 19:32 -------- d-----w- c:\windows\system32\vi-VN
2009-11-29 18:30 . 2009-11-29 18:30 4096 d-----w- c:\windows\system32\EventProviders
2009-11-26 17:56 . 2009-11-26 21:02 117760 ----a-w- c:\users\Chris\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-26 17:55 . 2009-11-26 17:55 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-26 17:40 . 2009-11-26 17:40 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-11-26 17:40 . 2009-11-26 17:40 -------- d-----w- c:\users\Chris\AppData\Roaming\SUPERAntiSpyware.com
2009-11-26 17:37 . 2009-11-26 17:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-26 17:26 . 2009-11-26 17:26 -------- d-----w- c:\program files\CCleaner
2009-11-26 17:14 . 2009-11-26 17:14 -------- d-----w- C:\WTablet
2009-11-26 08:08 . 2009-03-08 11:32 169472 ----a-w- c:\windows\system32\iexpress.exe
2009-11-26 08:08 . 2009-03-08 11:31 45568 ----a-w- c:\windows\system32\mshta.exe
2009-11-26 08:08 . 2009-03-08 11:33 109568 ----a-w- c:\windows\system32\PDMSetup.exe
2009-11-26 08:08 . 2009-03-08 11:33 107520 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2009-11-26 08:08 . 2009-03-08 11:33 107008 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2009-11-26 08:08 . 2009-03-08 11:33 103936 ----a-w- c:\windows\system32\SetDepNx.exe
2009-11-26 07:35 . 2009-11-25 21:45 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-25 21:44 . 2009-11-25 21:44 5908024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-25 21:44 . 2009-11-25 21:44 327000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-25 21:44 . 2009-11-25 21:44 87496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-25 21:44 . 2009-11-25 21:44 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-25 21:44 . 2009-11-25 21:44 641632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-25 21:44 . 2009-11-25 21:44 816272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-25 21:44 . 2009-11-25 21:44 822904 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-25 21:44 . 2009-11-25 21:44 1638640 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-25 21:44 . 2009-11-25 21:44 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-25 21:44 . 2009-11-25 21:44 1184912 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-25 21:42 . 2009-11-25 21:42 4096 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-25 21:42 . 2009-10-03 08:15 2924848 -c--a-w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-25 21:41 . 2009-11-25 21:45 -------- d-----w- c:\programdata\Lavasoft
2009-11-25 21:41 . 2009-11-25 21:41 -------- d-----w- c:\program files\Lavasoft
2009-11-25 17:50 . 2009-11-25 17:57 -------- d-----w- C:\$AVG
2009-11-25 17:49 . 2009-11-25 17:49 4096 d-----w- c:\programdata\avg9
2009-11-25 17:46 . 2009-11-18 14:53 3775256 ----a-w- c:\programdata\TEMP\AVG\setup.exe
2009-11-25 17:16 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 16:47 . 2009-11-25 16:47 -------- d-----w- c:\program files\Trend Micro
2009-11-25 16:17 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 16:17 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 06:27 . 2009-11-25 06:27 4045528 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-12 15:14 . 2009-11-12 15:14 -------- d-----w- c:\program files\Common Files\AAntivirusUninstall
2009-11-10 20:30 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 20:30 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 19:46 . 2008-08-24 05:08 -------- d-----w- c:\users\Chris\AppData\Roaming\WTablet
2009-11-29 19:34 . 2008-06-28 08:26 12 ----a-w- c:\windows\bthservsdp.dat
2009-11-29 19:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-11-29 19:32 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-29 19:32 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
2009-11-29 19:32 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
2009-11-29 19:32 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
2009-11-29 19:32 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
2009-11-29 19:32 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
2009-11-29 19:31 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-27 07:06 . 2008-09-20 04:15 1356 ----a-w- c:\users\Chris\AppData\Local\d3d9caps.dat
2009-11-26 21:29 . 2008-12-06 17:58 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-26 21:23 . 2008-12-06 17:58 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-26 21:01 . 2008-08-24 05:24 106552 ----a-w- c:\users\Chris\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-25 17:49 . 2009-06-21 20:56 -------- d-----w- c:\program files\AVG
2009-11-25 17:49 . 2008-10-26 20:56 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-25 17:49 . 2009-06-21 20:56 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-25 17:49 . 2009-06-21 20:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-25 17:49 . 2009-06-21 20:57 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-25 06:32 . 2008-12-06 17:59 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 01:42 . 2009-10-02 17:07 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-23 12:55 . 2009-11-25 21:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-14 09:29 . 2009-10-14 20:05 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 19:54 . 2009-06-22 04:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-22 04:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 16:48 . 2009-10-14 20:12 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 11:41 . 2009-10-14 20:05 60928 ----a-w- c:\windows\system32\msasn1.dll
2008-08-24 14:01 . 2008-08-24 14:01 22 --sha-w- c:\windows\SMINST\HPCD.sys
2008-04-30 05:50 . 2008-04-30 05:50 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-07-12 226904]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-11-01 671744]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-25 2020120]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-02-13 4915200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):61,5e,d8,bf,2b,71,ca,01

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [6/21/2009 3:57 PM 161800]
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [11/25/2009 4:45 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [6/21/2009 3:56 PM 333192]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/25/2009 12:49 PM 285392]
R2 TabletServicePen;TabletServicePen;c:\windows\System32\Pen_Tablet.exe [6/28/2008 3:30 AM 1369384]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/24/2008 1:07 AM 24652]
R2 WacomTouchService;Wacom Touch Service;c:\windows\System32\WacomTouchService.exe [6/28/2008 3:31 AM 95528]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [4/30/2008 2:42 AM 193840]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [1/24/2008 8:23 AM 52736]
R3 Wacomhidfilter;Wacom HID Filter;c:\windows\System32\drivers\wacomhidfilter.sys [11/5/2007 11:39 AM 10536]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\System32\drivers\WacomVTHid.sys [2/22/2007 9:55 AM 11312]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
S4 PDHelper.exe;PDHelper.exe;c:\program files\TastyBytes Software\PD+Rescue for iPod\PDHelper.exe [6/21/2009 10:23 PM 1539470]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [4/30/2008 3:57 AM 341328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\h7u8zapt.default\
FF - plugin: c:\program files\View22\Version 3.10.50\NPView22.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-Ad-Aware - c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe verbose
AddRemove-AAntivirus - c:\program files\AAntivirus\alpha.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 19:06
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\DPPWDFLT.dll
.
Completion time: 2009-11-29 19:18
ComboFix-quarantined-files.txt 2009-11-30 00:17

Pre-Run: 99,635,511,296 bytes free
Post-Run: 99,036,450,816 bytes free

- - End Of File - - AD284CFF840B1E667DAC621CD77CD9CF
 

Premium Member · 29,790 Posts
Hello again, bcraig15. Is this machine still being redirected?

Running from: c:\users\Chris\Desktop\New Folder\ComboFix.exe
You were specifically instructed to save ComboFix directly to your desktop.

Please move it there.

------------------------------------------------------
 

Registered · 36 Posts · Discussion Starter · #7
Sorry about that, I assumed that it just said save to desktop because it would be easier for most users to find.

I currently don't have access to the computer, but I will be able to check it out again fairly soon. I have requested the owner not to use it until I can check it again. I know the general statute of limitations is 4 days on here, so I will do whatever you want me to in terms of reporting back. Thanks again!
 