
Active Google Redirect

Discussion in 'Malware and Virus Removal Archive' started by jbsather, 2009/09/28.

  1. 2009/09/28
    jbsather

    jbsather Inactive Thread Starter

    [Active] Google Redirect

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\XoftSpySE6\XoftSpySE.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\lxbvcoms.exe
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
    C:\Windows\system32\UI0Detect.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\owner\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [XoftSpySE] "c:\program files\xoftspyse6\XoftSpySE.exe" -NM -hidesplash
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: UseDefaultTile = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
    mPolicies-system: HideFastUserSwitching = 0 (0x0)
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    Trusted Zone: google.com\mail
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\vh46ke0p.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - search
    FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
    FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.allow_platform_file_picker ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.cookie.p3plevel ", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.enablePad ", false); // Allow client to do proxy autodiscovery
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.default ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.custom ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.remoteLookups ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.updateURL ", "http://sb.google.com/safebrowsing/update?client={moz:client}&mozver={moz:version}-{moz:buildid}& ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.lookupURL ", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&mozver={moz:version}-{moz:buildid}& ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.reportURL ", "http://sb.google.com/safebrowsing/report? ");

    ============= SERVICES / DRIVERS ===============

    R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20070821.001\IDSvix86.sys [2007-8-23 212280]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
    R2 lxbv_device;lxbv_device;c:\windows\system32\lxbvcoms.exe -service --> c:\windows\system32\lxbvcoms.exe -service [?]
    R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-8-15 112688]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
    R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2007-1-9 38200]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2006-11-2 16896]
    R3 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-8-28 582424]
    S2 gupdate1c98d34b0167f50;Google Update Service (gupdate1c98d34b0167f50);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-13 38224]

    =============== Created Last 30 ================

    2009-09-19 02:30 <DIR> --d----- c:\programdata\ParetoLogic
    2009-09-19 02:30 <DIR> --d----- c:\progra~2\ParetoLogic
    2009-09-19 02:30 <DIR> --d----- c:\programdata\XoftSpySE
    2009-09-19 02:30 <DIR> --d----- c:\progra~2\XoftSpySE
    2009-09-19 02:30 <DIR> --d----- c:\program files\XoftSpySE6
    2009-09-19 00:44 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
    2009-09-19 00:44 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
    2009-09-19 00:43 <DIR> --d----- c:\users\owner\appdata\roaming\SUPERAntiSpyware.com
    2009-09-19 00:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-09-13 23:17 <DIR> --d----- c:\programdata\WINSPSys
    2009-09-13 23:17 <DIR> --d----- c:\progra~2\WINSPSys
    2009-09-13 15:14 268 a---h--- C:\sqmdata00.sqm
    2009-09-13 15:14 244 a---h--- C:\sqmnoopt00.sqm
    2009-09-13 12:35 <DIR> --d----- c:\users\owner\appdata\roaming\Malwarebytes
    2009-09-13 12:35 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-13 12:35 19,160 a------- c:\windows\system32\drivers\mbam.sys
    2009-09-13 12:35 <DIR> --d----- c:\programdata\Malwarebytes
    2009-09-13 12:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-09-13 12:35 <DIR> --d----- c:\progra~2\Malwarebytes
    2009-09-12 14:21 <DIR> --dsh--- c:\programdata\76018f2
    2009-09-12 14:21 <DIR> --dsh--- c:\progra~2\76018f2
    2009-09-07 01:41 <DIR> --d----- c:\programdata\Apple

    ==================== Find3M ====================

    2009-09-10 11:48 93,552 a------- c:\windows\help\oem\scripts\RegRestore.exe
    2009-09-10 11:48 12,288 a------- c:\windows\help\oem\scripts\BackgroundCopyManager1_5.dll
    2009-09-10 11:48 9,728 a------- c:\windows\help\oem\scripts\BackgroundCopyManager.DLL
    2009-08-11 20:51 17,160 a------- c:\windows\help\oem\scripts\HC_RegistrationRecovery.exe
    2009-06-30 15:36 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryReplaceNew.exe
    2009-06-30 15:10 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryNoTravel.exe
    2009-06-30 15:03 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryAccessories.exe
    2009-06-30 12:44 18,184 a------- c:\windows\help\oem\scripts\HC_BatteryWeakNew.exe
    2009-06-26 18:36 18,184 a------- c:\windows\help\oem\scripts\HC_BatteryUpgrade.exe
    2008-10-30 10:57 212 ----h--- c:\users\owner\appdata\roaming\srfvdo.dat
    2008-09-02 22:54 174 a--sh--- c:\program files\desktop.ini
    2008-08-27 15:58 13,025 a------- c:\users\owner\appdata\roaming\nvModes.dat
    2007-08-23 11:32 86,016 a------- c:\windows\inf\infstrng.dat
    2007-08-23 11:32 51,200 a------- c:\windows\inf\infpub.dat
    2007-08-23 11:24 86,016 a------- c:\windows\inf\infstor.dat
    2007-08-23 11:00 78 a------- C:\lxbv.log
    2007-08-17 18:42 984 a---h--- C:\IPH.PH
    2007-08-03 13:46 665,600 a------- c:\windows\inf\drvindex.dat
    2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 04:53 438,840 a--shr-- C:\bootmgr
    2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 5:45:26.45 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-09-29.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/17/2007 9:54:35 PM
    System Uptime: 9/23/2009 12:08:00 AM (5 hours ago)

    Motherboard: Quanta | | 30B7
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-56 | Socket S1 | 800/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 141 GiB total, 86.234 GiB free.
    D: is FIXED (NTFS) - 8 GiB total, 1.764 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0004
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #3
    PNP Device ID: ROOT\*6TO4MP\0004
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0005
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #4
    PNP Device ID: ROOT\*6TO4MP\0005
    Service: tunnel

    ==== System Restore Points ===================

    RP641: 9/13/2009 8:18:00 AM - Scheduled Checkpoint
    RP642: 9/14/2009 12:09:28 AM - Scheduled Checkpoint
    RP643: 9/14/2009 8:31:51 PM - Scheduled Checkpoint
    RP644: 9/16/2009 12:00:01 AM - Scheduled Checkpoint
    RP645: 9/17/2009 12:00:02 AM - Scheduled Checkpoint
    RP646: 9/17/2009 10:55:14 PM - Scheduled Checkpoint
    RP647: 9/19/2009 12:43:11 AM - Installed SUPERAntiSpyware Free Edition
    RP648: 9/19/2009 11:33:53 PM - Scheduled Checkpoint
    RP649: 9/21/2009 12:02:36 AM - Scheduled Checkpoint
    RP650: 9/22/2009 12:00:01 AM - Scheduled Checkpoint
    RP651: 9/23/2009 1:03:52 AM - Scheduled Checkpoint

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Activation Assistant for the 2007 Microsoft Office suites
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Media Player
    Adobe Reader 8.1.0
    AIM 6
    AppCore
    Apple Software Update
    AV
    ccCommon
    Conexant HD Audio
    ESU for Microsoft Vista
    Google Chrome
    Google Earth
    Google Talk (remove only)
    Google Update Helper
    Google Updater
    HP Active Support Library
    HP Active Support Library 32 bit components
    HP Customer Experience Enhancements
    HP Easy Setup - Frontend
    HP Help and Support
    HP Pavilion Webcam Driver for Vista v061.001.00005
    HP Photosmart Essential 2.0
    HP Photosmart Essential2.5
    HP Quick Launch Buttons 6.20 B1
    HP QuickPlay 3.2
    HP Update
    HP User Guides 0041
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPNetworkAssistant
    iPod for Windows 2005-10-12
    iTunes
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6
    Lexmark 2200 Series
    LightScribe 1.4.136.1
    LiveUpdate 3.2 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft Application Error Reporting
    Microsoft Office Accounting 2008
    Microsoft Office Accounting 2008 Equifax Addin
    Microsoft Office Accounting 2008 Fixed Asset Manager
    Microsoft Office Accounting 2008 PayPal Addin
    Microsoft Office Accounting ADP Payroll Addin
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote 2007
    Microsoft Office OneNote 2007 Trial
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Edition 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Word MUI (English) 2007
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Move Networks Media Player for Internet Explorer
    Mozilla Firefox (2.0)
    MSCU for Microsoft Vista
    MSRedist
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    muvee autoProducer 6.0
    Norton Confidential Browser Component
    Norton Confidential Web Protection Component
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton Protection Center
    NVIDIA Drivers
    PSSWCORE
    QuickTime
    Rhapsody Player Engine
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator EasyArchive
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD Basic v9
    Soft Data Fax Modem with SmartCP
    SofTest
    SUPERAntiSpyware Free Edition
    SwiftView Viewer
    SymNet
    Synaptics Pointing Device Driver
    Viewpoint Media Player
    Windows Live Messenger
    XoftSpySE

    ==== Event Viewer Messages From Past Week ========

    9/23/2009 2:09:30 AM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +475487 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->207.46.197.32:123) is working properly.
    9/22/2009 9:02:25 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +475217 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->207.46.197.32:123) is working properly.
    9/19/2009 12:38:53 AM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +331041 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->207.46.197.32:123) is working properly.
    9/19/2009 1:29:43 AM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +331042 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->207.46.232.182:123) is working properly.
    9/18/2009 7:09:40 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +327054 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->207.46.197.32:123) is working properly.
    9/18/2009 7:07:28 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 140.209.179.37 for the Network Card with network address 001A73767828 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    9/18/2009 4:22:43 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.100 for the Network Card with network address 001A73767828 has been denied by the DHCP server 140.209.70.20 (The DHCP Server sent a DHCPNACK message).
    9/17/2009 7:39:25 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the service.
    9/17/2009 7:37:23 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +319182 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->207.46.197.32:123) is working properly.
    9/17/2009 7:24:14 PM, Error: ACPI [6] - IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 3, function 0. Please contact your system vendor for technical assistance.
    9/17/2009 7:24:14 PM, Error: ACPI [6] - IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 2, function 0. Please contact your system vendor for technical assistance.
    9/17/2009 4:24:22 PM, Error: Service Control Manager [7001] - The CyberLink Task Scheduler (CTS) service depends on the CyberLink Background Capture Service (CBCS) service which failed to start because of the following error: After starting, the service hung in a start-pending state.
    9/17/2009 4:24:21 PM, Error: Service Control Manager [7022] - The CyberLink Background Capture Service (CBCS) service hung on starting.
    9/17/2009 4:23:30 PM, Error: Service Control Manager [7000] - The UAC File Virtualization service failed to start due to the following error: A device attached to the system is not functioning.
    9/17/2009 4:23:19 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    9/17/2009 4:22:10 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{F4B45C4B-CA57-48F6-8B46-DD8BB6F664AA} because another computer on the network has the same name. The server could not start.
    9/17/2009 4:22:10 PM, Error: netbt [4321] - The name "OWNER-PC :20" could not be registered on the interface with IP address 140.209.179.37. The computer with the IP address 140.209.70.5 did not allow the name to be claimed by this computer.
    9/17/2009 4:22:09 PM, Error: netbt [4321] - The name "OWNER-PC :0" could not be registered on the interface with IP address 140.209.179.37. The computer with the IP address 140.209.70.5 did not allow the name to be claimed by this computer.
    9/17/2009 4:22:05 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.102 for the Network Card with network address 001A73767828 has been denied by the DHCP server 140.209.70.20 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================
     
  2. 2009/09/28
    broni

    broni Moderator Malware Analyst

    The first part of the DDS log is missing its very top section.
    Please repost the missing part.

    Which browser is getting redirected?
     


  4. 2009/09/28
    jbsather

    jbsather Inactive Thread Starter

    Sorry about that. Internet Explorer and Firefox are both getting redirected. Thanks so much for your help.


    DDS (Ver_09-09-29.01) - NTFSx86
    Run by owner at 5:44:14.71 on Wed 09/23/2009
    Internet Explorer: 7.0.6000.16512
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.1059 [GMT -5:00]

    AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
    FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\XoftSpySE6\XoftSpySE.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\lxbvcoms.exe
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
    C:\Windows\system32\UI0Detect.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\owner\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [XoftSpySE] "c:\program files\xoftspyse6\XoftSpySE.exe" -NM -hidesplash
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: UseDefaultTile = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
    mPolicies-system: HideFastUserSwitching = 0 (0x0)
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    Trusted Zone: google.com\mail
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\vh46ke0p.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - search
    FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
    FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.allow_platform_file_picker ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.cookie.p3plevel ", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.enablePad ", false); // Allow client to do proxy autodiscovery
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.default ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.custom ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.remoteLookups ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.updateURL ", "http://sb.google.com/safebrowsing/update?client={moz:client}&mozver={moz:version}-{moz:buildid}& ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.lookupURL ", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&mozver={moz:version}-{moz:buildid}& ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.reportURL ", "http://sb.google.com/safebrowsing/report? ");

    ============= SERVICES / DRIVERS ===============

    R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20070821.001\IDSvix86.sys [2007-8-23 212280]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
    R2 lxbv_device;lxbv_device;c:\windows\system32\lxbvcoms.exe -service --> c:\windows\system32\lxbvcoms.exe -service [?]
    R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-8-15 112688]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
    R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2007-1-9 38200]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2006-11-2 16896]
    R3 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-8-28 582424]
    S2 gupdate1c98d34b0167f50;Google Update Service (gupdate1c98d34b0167f50);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-13 38224]

    =============== Created Last 30 ================

    2009-09-19 02:30 <DIR> --d----- c:\programdata\ParetoLogic
    2009-09-19 02:30 <DIR> --d----- c:\progra~2\ParetoLogic
    2009-09-19 02:30 <DIR> --d----- c:\programdata\XoftSpySE
    2009-09-19 02:30 <DIR> --d----- c:\progra~2\XoftSpySE
    2009-09-19 02:30 <DIR> --d----- c:\program files\XoftSpySE6
    2009-09-19 00:44 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
    2009-09-19 00:44 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
    2009-09-19 00:43 <DIR> --d----- c:\users\owner\appdata\roaming\SUPERAntiSpyware.com
    2009-09-19 00:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-09-13 23:17 <DIR> --d----- c:\programdata\WINSPSys
    2009-09-13 23:17 <DIR> --d----- c:\progra~2\WINSPSys
    2009-09-13 15:14 268 a---h--- C:\sqmdata00.sqm
    2009-09-13 15:14 244 a---h--- C:\sqmnoopt00.sqm
    2009-09-13 12:35 <DIR> --d----- c:\users\owner\appdata\roaming\Malwarebytes
    2009-09-13 12:35 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-13 12:35 19,160 a------- c:\windows\system32\drivers\mbam.sys
    2009-09-13 12:35 <DIR> --d----- c:\programdata\Malwarebytes
    2009-09-13 12:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-09-13 12:35 <DIR> --d----- c:\progra~2\Malwarebytes
    2009-09-12 14:21 <DIR> --dsh--- c:\programdata\76018f2
    2009-09-12 14:21 <DIR> --dsh--- c:\progra~2\76018f2
    2009-09-07 01:41 <DIR> --d----- c:\programdata\Apple

    ==================== Find3M ====================

    2009-09-10 11:48 93,552 a------- c:\windows\help\oem\scripts\RegRestore.exe
    2009-09-10 11:48 12,288 a------- c:\windows\help\oem\scripts\BackgroundCopyManager1_5.dll
    2009-09-10 11:48 9,728 a------- c:\windows\help\oem\scripts\BackgroundCopyManager.DLL
    2009-08-11 20:51 17,160 a------- c:\windows\help\oem\scripts\HC_RegistrationRecovery.exe
    2009-06-30 15:36 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryReplaceNew.exe
    2009-06-30 15:10 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryNoTravel.exe
    2009-06-30 15:03 18,696 a------- c:\windows\help\oem\scripts\HC_BatteryAccessories.exe
    2009-06-30 12:44 18,184 a------- c:\windows\help\oem\scripts\HC_BatteryWeakNew.exe
    2009-06-26 18:36 18,184 a------- c:\windows\help\oem\scripts\HC_BatteryUpgrade.exe
    2008-10-30 10:57 212 ----h--- c:\users\owner\appdata\roaming\srfvdo.dat
    2008-09-02 22:54 174 a--sh--- c:\program files\desktop.ini
    2008-08-27 15:58 13,025 a------- c:\users\owner\appdata\roaming\nvModes.dat
    2007-08-23 11:32 86,016 a------- c:\windows\inf\infstrng.dat
    2007-08-23 11:32 51,200 a------- c:\windows\inf\infpub.dat
    2007-08-23 11:24 86,016 a------- c:\windows\inf\infstor.dat
    2007-08-23 11:00 78 a------- C:\lxbv.log
    2007-08-17 18:42 984 a---h--- C:\IPH.PH
    2007-08-03 13:46 665,600 a------- c:\windows\inf\drvindex.dat
    2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 04:53 438,840 a--shr-- C:\bootmgr
    2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 5:45:26.45 ===============
     
  5. 2009/09/28
    broni

    broni Moderator Malware Analyst

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please never rename ComboFix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If ComboFix asks you to install the Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to reconnect your machine to the Internet until ComboFix has completely finished.
      • If there is no Internet connection after running ComboFix, restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (such as installing programs or using other cleaning tools) until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install and run it.
    Post the HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right-click on HijackThis and click Run as Administrator.
     
    Last edited: 2009/09/28
  6. 2009/09/28
    jbsather

    jbsather Inactive Thread Starter

    I am unable to run HijackThis; a message pops up that says "the directory name is invalid".

    Also, after using ComboFix I see some change (I am able to access my Gmail account), but my browser is still being redirected. Could I have done something incorrectly? I closed the log that came up when ComboFix finished without remembering to post it here.
     
  7. 2009/09/29
    broni

    broni Moderator Malware Analyst

    You can find the ComboFix log here:
    C:\ComboFix.txt
    Please post it back here.
     
  8. 2009/09/29
    jbsather

    jbsather Inactive Thread Starter

    Thank you.

    ComboFix 09-09-28.01 - owner 09/23/2009 11:14.1.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.1182 [GMT -5:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-1306287580-3038602635-565361507-500
    c:\$recycle.bin\S-1-5-21-2453204504-1212962447-1845228623-500
    c:\program files\Mozilla Firefox\searchplugins\search.xml
    c:\programdata\WINSPSys
    c:\programdata\WINSPSys\winps.cfg
    C:\System
    c:\system\msadc\msadce.dll
    c:\windows\system32\MabryObj.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
    .

    2009-09-23 16:27 . 2009-09-23 16:27 -------- d-----w- c:\users\Default\AppData\Local\temp
    2009-09-13 22:14 . 2009-09-13 22:14 43 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\kernel32.sys
    2009-09-13 21:48 . 2009-09-13 21:48 39 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\hymt.drv
    2009-09-13 21:12 . 2009-09-13 21:12 64 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\FW.sys
    2009-09-13 20:11 . 2009-09-13 20:11 20 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
    2009-09-13 20:01 . 2009-09-13 20:01 22 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
    2009-09-13 19:16 . 2009-09-13 19:16 26 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
    2009-09-13 18:04 . 2009-09-13 18:04 77 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\ddv.exe
    2009-09-13 17:43 . 2009-09-13 17:43 20 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.drv
    2009-09-13 17:35 . 2009-09-13 17:35 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
    2009-09-13 17:35 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-13 17:35 . 2009-09-13 17:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-13 17:35 . 2009-09-13 17:35 -------- d-----w- c:\programdata\Malwarebytes
    2009-09-13 17:35 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-13 17:01 . 2009-09-13 17:01 69 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.sys
    2009-09-13 16:40 . 2009-09-13 16:40 70 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.dll
    2009-09-13 16:30 . 2009-09-13 16:30 52 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\grid.dll
    2009-09-13 16:09 . 2009-09-13 18:36 67 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\eb.exe
    2009-09-13 15:59 . 2009-09-13 17:11 74 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\std.sys
    2009-09-13 14:07 . 2009-09-13 14:07 58 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
    2009-09-13 10:41 . 2009-09-13 10:41 62 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
    2009-09-13 10:20 . 2009-09-13 12:51 21 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.drv
    2009-09-12 20:33 . 2009-09-12 20:33 30 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\kernel32.dll
    2009-09-12 20:32 . 2009-09-12 20:32 6 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.sys
    2009-09-12 19:21 . 2009-09-14 04:18 -------- d-sh--w- c:\programdata\76018f2
    2009-09-07 06:41 . 2009-09-07 06:41 -------- d-----w- c:\programdata\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-23 16:28 . 2007-08-03 17:52 262144 ---ha-w- c:\users\owner\ntuser.dat.LOG1
    2009-09-23 16:28 . 2006-11-02 12:47 136192 ---ha-w- c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
    2009-09-23 16:28 . 2006-11-02 12:47 136192 ---ha-w- c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
    2009-09-23 16:28 . 2006-11-02 11:18 -------- d-----w- C:\Windows
    2009-09-23 16:28 . 2006-11-02 10:23 215 ----a-w- c:\windows\system.ini
    2009-09-23 16:27 . 2007-08-03 17:52 -------- d-----w- c:\users\owner\AppData\Local\Temp
    2009-09-23 16:26 . 2006-11-02 11:18 -------- d-----w- C:\ProgramData
    2009-09-23 16:26 . 2006-11-02 11:18 -------- d-----w- c:\windows\System32
    2009-09-23 16:21 . 2006-11-02 11:18 -------- d-----w- c:\windows\system32\drivers
    2009-09-23 16:21 . 2006-11-02 11:18 -------- d-----w- c:\windows\AppPatch
    2009-09-23 16:12 . 2006-11-02 12:43 9216 ---ha-w- c:\windows\system32\config\systemprofile\ntuser.dat.LOG1
    2009-09-23 16:12 . 2006-11-02 12:33 262144 ---ha-w- c:\users\Default\ntuser.dat.LOG1
    2009-09-23 16:08 . 2006-11-02 12:47 3072 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2009-09-23 16:08 . 2006-11-02 12:47 3072 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2009-09-23 13:10 . 2007-07-18 02:54 1934387 ----a-w- c:\windows\WindowsUpdate.log
    2009-09-23 05:17 . 2007-05-29 07:23 -------- d-sh--w- c:\windows\Installer
    2009-09-23 05:13 . 2006-11-02 11:18 -------- d-----w- c:\windows\Tasks
    2009-09-23 05:09 . 2006-11-02 11:18 -------- d-----w- c:\windows\system32\wbem\repository
    2009-09-23 04:15 . 2007-08-03 18:14 1770630 ---ha-w- c:\users\owner\AppData\Local\IconCache.db
    2009-09-23 04:15 . 2009-08-23 08:12 -------- d-----w- c:\users\owner\New Folder
    2009-09-22 17:59 . 2009-02-12 17:08 -------- d-----w- c:\programdata\Google Updater
    2009-09-20 04:09 . 2006-11-02 13:05 -------- d-----w- c:\windows\system32\wbem\Performance
    2009-09-20 04:09 . 2006-11-02 11:18 -------- d-----w- c:\windows\inf
    2009-09-20 04:09 . 2006-11-02 10:33 782632 ----a-w- c:\windows\system32\PerfStringBackup.INI
    2009-09-20 02:44 . 2009-08-24 07:30 -------- d-----w- c:\users\owner\New Folder (4)
    2009-09-19 23:37 . 2006-11-02 11:18 -------- d-----w- c:\windows\system32\catroot2
    2009-09-19 22:32 . 2009-08-24 07:30 -------- d-----w- c:\users\owner\New Folder (2)
    2009-09-19 07:30 . 2009-09-19 07:30 -------- d-----w- c:\program files\XoftSpySE6
    2009-09-19 07:30 . 2006-11-02 11:18 -------- d-----w- c:\windows\system32\Tasks
    2009-09-19 07:30 . 2009-09-19 07:30 -------- d-----w- c:\programdata\ParetoLogic
    2009-09-19 07:30 . 2006-11-02 11:18 -------- d-----w- c:\program files\Common Files
    2009-09-19 07:30 . 2009-09-19 07:30 -------- d-----w- c:\programdata\XoftSpySE
    2009-09-19 07:30 . 2006-11-02 11:18 -------- d-----r- C:\Program Files
    2009-09-19 05:44 . 2009-09-19 05:44 117760 ----a-w- c:\users\owner\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-09-19 05:44 . 2009-09-19 05:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2009-09-19 05:43 . 2009-09-19 05:43 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-09-19 05:43 . 2009-09-19 05:43 -------- d-----w- c:\users\owner\AppData\Roaming\SUPERAntiSpyware.com
    2009-09-19 03:20 . 2009-08-24 07:30 -------- d-----w- c:\users\owner\New Folder (3)
    2009-09-18 23:15 . 2009-08-23 08:12 -------- d-----w- c:\users\owner\New Folder (1)
    2009-09-14 23:43 . 2006-11-02 11:18 -------- d-s---w- c:\windows\Downloaded Program Files
    2009-09-14 05:22 . 2007-08-29 00:47 -------- d-----w- c:\users\owner\AppData\Local\Apple Computer
    2009-09-14 01:04 . 2009-09-12 19:22 48 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\eb.dll
    2009-09-13 22:47 . 2009-09-12 19:22 50 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\exec.dll
    2009-09-13 21:03 . 2009-08-31 04:14 1438 ----a-w- c:\windows\setupact.log
    2009-09-13 20:14 . 2009-09-13 20:14 268 ---ha-w- C:\sqmdata00.sqm
    2009-09-13 20:14 . 2009-09-13 20:14 244 ---ha-w- C:\sqmnoopt00.sqm
    2009-09-13 19:05 . 2009-09-12 19:22 16 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.exe
    2009-09-13 18:54 . 2007-05-29 08:21 -------- d-----w- c:\windows\SMINST
    2009-09-13 14:16 . 2007-08-07 18:21 13025 ----a-w- c:\users\owner\AppData\Roaming\nvModes.001
    2009-09-13 12:37 . 2007-08-03 17:52 262144 ---ha-w- c:\users\owner\ntuser.dat.LOG2
    2009-09-12 19:22 . 2009-09-12 19:22 27 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\exec.exe
    2009-09-12 19:22 . 2009-09-12 19:22 25 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
    2009-09-12 19:22 . 2009-09-12 19:22 78 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\ppal.dll
    2009-09-12 19:22 . 2009-09-12 19:22 42 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\fix.dll
    2009-09-12 19:22 . 2009-09-12 19:22 42 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.sys
    2009-09-12 19:22 . 2009-09-12 19:22 31 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
    2009-09-12 19:22 . 2009-09-12 19:22 21 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\std.drv
    2009-09-12 19:22 . 2009-09-12 19:22 28 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
    2009-09-12 19:22 . 2009-09-12 19:22 62 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.sys
    2009-09-12 19:22 . 2009-09-12 19:22 20 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys
    2009-09-12 19:22 . 2009-09-12 19:22 73 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\pal.sys
    2009-09-12 19:22 . 2009-09-12 19:22 42 ----a-w- c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\cb.dll
    2009-09-07 07:35 . 2007-10-22 03:52 -------- d-----w- c:\program files\Apple Software Update
    2009-09-07 07:35 . 2007-05-29 07:41 85320 ----a-w- c:\windows\PFRO.log
    2009-09-07 06:43 . 2007-08-24 00:03 -------- d-----w- c:\windows\Common Files
    2009-08-31 22:37 . 2006-11-02 11:18 -------- d-----w- c:\windows\system32\wbem\Logs
    2009-08-31 04:14 . 2009-08-31 04:14 0 ----a-w- c:\windows\setuperr.log
    2009-08-24 07:30 . 2009-08-24 07:30 -------- d-----w- c:\users\owner\New Folder (5)
    2009-05-03 20:52 . 2007-08-23 18:27 18 ----a-w- c:\users\owner\AppData\Local\msesbucf.txt
    2009-05-03 20:50 . 2007-08-23 18:27 384786 ----a-w- c:\windows\jgzr.dat
    2009-05-01 22:29 . 2007-08-03 18:05 107136 ----a-w- c:\users\owner\AppData\Local\GDIPFONTCACHEV1.DAT
    2008-11-19 19:52 . 2008-11-19 19:52 51224 ----a-w- c:\windows\system32\wuauclt.exe
    2008-11-19 19:52 . 2008-11-19 19:52 43544 ----a-w- c:\windows\system32\wups2.dll
    2008-11-19 19:52 . 2008-11-19 19:52 1809944 ----a-w- c:\windows\system32\wuaueng.dll
    2008-11-19 19:52 . 2008-11-19 19:52 1524736 ----a-w- c:\windows\system32\wucltux.dll
    2008-11-12 18:38 . 2008-11-12 18:38 441344 ----a-w- c:\windows\system32\savst.exe
    2008-10-30 21:16 . 2007-08-24 02:54 376 ----a-w- c:\windows\ODBC.INI
    2008-10-30 18:07 . 2008-10-30 15:57 83 ----a-w- c:\users\owner\AppData\Roaming\sview.ini
    2008-10-30 15:57 . 2008-10-30 15:57 212 ---h--w- c:\users\owner\AppData\Roaming\srfvdo.dat
    2008-10-30 15:57 . 2008-10-30 15:57 0 ----a-w- c:\windows\system32\srfvdo.dat
    2008-10-28 16:52 . 2008-10-28 16:52 36864 ----a-w- c:\windows\system32\eswinsr.exe
    2008-09-03 03:54 . 2006-11-02 12:50 749 ---ha-r- c:\windows\WindowsShell.Manifest
    2008-09-03 02:52 . 2007-05-29 08:01 3064 ----a-w- c:\programdata\hpzinstall.log
    2008-09-03 02:16 . 2008-08-21 15:34 156615 ------w- c:\windows\hphins26.dat.temp
    2008-08-27 20:58 . 2007-08-07 14:26 13025 ----a-w- c:\users\owner\AppData\Roaming\nvModes.dat
    2008-08-21 21:32 . 2008-08-21 21:31 265122 ----a-w- c:\windows\msxml4-KB941833-enu.LOG
    2008-08-21 21:20 . 2008-08-21 21:20 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2008-08-21 21:20 . 2008-08-21 21:20 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2008-08-21 21:20 . 2008-08-21 21:20 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
    2008-08-21 21:20 . 2008-08-21 21:20 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2008-08-21 21:20 . 2008-08-21 21:20 788992 ----a-w- c:\windows\system32\rpcrt4.dll
    2008-08-21 21:20 . 2008-08-21 21:20 84480 ----a-w- c:\windows\system32\INETRES.dll
    2008-08-21 21:20 . 2008-08-21 21:20 737792 ----a-w- c:\windows\system32\inetcomm.dll
    2008-08-21 21:20 . 2008-08-21 21:20 1327104 ----a-w- c:\windows\system32\quartz.dll
    2008-08-21 21:19 . 2008-08-21 21:19 80896 ----a-w- c:\windows\system32\MSNP.ax
    2008-08-21 21:19 . 2008-08-21 21:19 68608 ----a-w- c:\windows\system32\Mpeg2Data.ax
    2008-08-21 21:19 . 2008-08-21 21:19 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
    2008-08-21 21:19 . 2008-08-21 21:19 428032 ----a-w- c:\windows\system32\EncDec.dll
    2008-08-21 21:19 . 2008-08-21 21:19 292352 ----a-w- c:\windows\system32\psisdecd.dll
    2008-08-21 21:19 . 2008-08-21 21:19 218624 ----a-w- c:\windows\system32\psisrndr.ax
    2006-10-11 08:04 . 2008-07-25 15:26 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2006-10-11 08:04 . 2008-07-25 15:26 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2006-10-11 08:05 . 2008-07-25 15:26 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
    2006-10-11 08:05 . 2008-07-25 15:26 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
    2006-10-11 08:04 . 2008-07-25 15:26 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2006-11-02 1196032]
    "ehTray.exe "= "c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "msnmsgr "= "c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2007-08-03 1006264]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
    "hpWirelessAssistant "= "c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
    "WAWifiMessage "= "c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
    "MSConfig "= "c:\windows\system32\msconfig.exe" [2006-11-02 222208]
    "Malwarebytes Anti-Malware (reboot) "= "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "XoftSpySE "= "c:\program files\XoftSpySE6\XoftSpySE.exe" [2009-08-28 4853016]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser "= 2 (0x2)
    "HideFastUserSwitching "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "UseDefaultTile "= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\startupfolder\C:^Users^owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{FABC5D01-90B9-4323-978A-1BC9E0C4B648} "= c:\program files\HP\QuickPlay\QP.exe:Quick Play
    "{9D839C64-DF27-43D5-9374-45F410999409} "= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
    "{3E1165D4-6501-4D5C-B527-FD0719E2BFBF} "= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{AF3360B3-52FB-47E0-B472-39F5E0A261E2} "= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{6466F7C8-9789-4F93-B00F-3F85CFE814FB} "= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{2346F100-EA86-48A7-B581-AAFCBAC9515D} "= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{9EF3943E-DCE5-480B-ADBE-BDF50FFDB414} "= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{118BCD34-FAA4-4805-883F-0965C17EE6F0} "= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
    "{F0EA9558-4FA1-437D-B220-2B1FC422C198} "= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
    "{CC784AA0-2F54-4ACC-A640-6AA120F6B37C} "= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{E913BDCC-48EB-47B1-AC1A-78DE79DDC017} "= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{5868421C-8230-4E49-9095-524DB2595E2D} "= UDP:c:\windows\System32\lxbvcoms.exe:Lexmark Communications System
    "{6E331140-9052-4473-9BAF-37D01EA95F8B} "= TCP:c:\windows\System32\lxbvcoms.exe:Lexmark Communications System
    "{31E347ED-DF5E-4749-A3A4-BADA40EE37A0} "= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbvpswx.exe:printer Status Window
    "{0E2CA08D-497F-47E2-AD26-B39CE71A1DE1} "= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbvpswx.exe:printer Status Window
    "TCP Query User{B1EB4C20-5C32-41E4-A699-38DBFE140ABC}c:\\program files\\soulseek\\slsk.exe "= UDP:c:\program files\soulseek\slsk.exe:SoulSeek
    "UDP Query User{01A4A5FB-D45F-4467-8816-EEC4412047C3}c:\\program files\\soulseek\\slsk.exe "= TCP:c:\program files\soulseek\slsk.exe:SoulSeek
    "{4C2731B2-25FE-43BD-BFD0-3E4291B29968} "= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{29CD6B47-2628-47E7-BBC9-04247519763F} "= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "TCP Query User{28741954-6AD7-4D2D-9D67-C2CB8690C5CE}c:\\program files\\internet explorer\\iexplore.exe "= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "UDP Query User{3A6DF178-C637-40CF-A995-2F024F903A42}c:\\program files\\internet explorer\\iexplore.exe "= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "TCP Query User{F2FBE808-C3D4-4420-A072-8F368C7BF7A3}c:\\program files\\bitcomet\\bitcomet.exe "= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
    "UDP Query User{442E13B5-394D-49FA-98BE-C4E9652DEB03}c:\\program files\\bitcomet\\bitcomet.exe "= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
    "{13448185-85B1-480D-B022-0070FF2DBA9C} "= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{5B57FCC0-8243-4007-A041-1B07C259967A} "= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "TCP Query User{5940D0C5-A1DF-4B8D-9E5C-D2E328A5471E}c:\\program files\\internet explorer\\iexplore.exe "= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "UDP Query User{7E48C463-0773-47ED-9B7F-7C1577663774}c:\\program files\\internet explorer\\iexplore.exe "= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "{CB059328-FD67-4A1D-BC05-2199DF54DDFA} "= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{E28FD688-D26E-480D-99E0-307A3348C658} "= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "TCP Query User{90E2DC63-4662-45E7-ACA4-7E4C775B68F6}c:\\programdata\\76018f2\\wi7601.exe "= UDP:c:\programdata\76018f2\wi7601.exe:Windows Protection Suite
    "UDP Query User{FDBEEFAE-B41A-4FC1-B3EA-D91D8044B5EB}c:\\programdata\\76018f2\\wi7601.exe "= TCP:c:\programdata\76018f2\wi7601.exe:Windows Protection Suite

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
    "DFSR-1 "= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe "= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
    "c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe "= c:\program files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch

    "c:\\Program Files\\ExamSoft\\SofTest\\softest.exe "= c:\program files\ExamSoft\SofTest.exe:*:Enabled:SofTest

    R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20070821.001\IDSvix86.sys [8/23/2007 6:39 AM 212280]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
    R2 lxbv_device;lxbv_device;c:\windows\system32\lxbvcoms.exe -service --> c:\windows\system32\lxbvcoms.exe -service [?]
    R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/15/2007 7:56 PM 112688]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
    R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [1/9/2007 11:32 PM 38200]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [11/2/2006 5:25 AM 16896]
    S2 gupdate1c98d34b0167f50;Google Update Service (gupdate1c98d34b0167f50);c:\program files\Google\Update\GoogleUpdate.exe [2/12/2009 12:09 PM 133104]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [9/13/2009 12:35 PM 38224]
    S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [8/28/2009 4:15 PM 582424]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-23 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-12 05:11]

    2009-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 17:09]

    2009-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 17:09]

    2009-09-21 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]

    2009-09-23 c:\windows\Tasks\User_Feed_Synchronization-{41D2D7CD-F45F-4EAD-A755-7D5D81CE66B7}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

    2009-09-23 c:\windows\Tasks\XoftSpySE.job
    - c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2009-08-28 21:13]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    Trusted Zone: google.com\mail
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\vh46ke0p.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.allow_platform_file_picker ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.cookie.p3plevel ", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.enablePad ", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.default ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.custom ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.remoteLookups ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.updateURL ", "http://sb.google.com/safebrowsing/update?client={moz:client}&mozver={moz:version}-{moz:buildid}& ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.lookupURL ", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&mozver={moz:version}-{moz:buildid}& ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.reportURL ", "http://sb.google.com/safebrowsing/report? ");
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-23 11:27
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @= "c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker3 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    Completion time: 2009-09-23 11:32
    ComboFix-quarantined-files.txt 2009-09-23 16:32

    Pre-Run: 93,153,472,512 bytes free
    Post-Run: 94,933,716,992 bytes free

    334
     
  9. 2009/09/30
    broni

    broni Moderator Malware Analyst

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\kernel32.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\hymt.drv
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\FW.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\ddv.exe
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.drv
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.dll
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\grid.dll
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\eb.exe
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\std.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.drv
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\kernel32.dll
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\eb.dll
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\exec.dll
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.exe
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\exec.exe
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\ppal.dll
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\fix.dll
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\std.drv
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\pal.sys
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Recent\cb.dll
    
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
