
Active Google redirect virus

Discussion in 'Malware and Virus Removal Archive' started by Prainey, 2010/01/04.

  1. 2010/01/04
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    [Active] Google redirect virus

    I seem to have the same Google redirect that many others have experienced. I have tried a couple of things, but nothing seems to be picking up the virus. Here is the DDS report. If I am missing anything, please just let me know and I can add it.

    Thanks in advance for helping me try and diagnose/fix this very annoying virus!!





    DDS (Ver_09-12-01.01) - NTFSx86
    Run by User at 18:07:24.62 on Mon 01/04/2010
    Internet Explorer: 8.0.6001.18865
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.375 [GMT -5:00]

    SP: Spyware Doctor *enabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Windows\system32\WerCon.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spyware Doctor\upgrade.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
    C:\Program Files\Common Files\ParetoLogic\PLAVEngine\ScanningProcess.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\ParetoLogic\PLAVEngine\ScanningProcess.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\User\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: D: {231d0973-63ba-3201-b686-0518ecc708ea} - c:\windows\system32\ov99114.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
    BHO: HP Print Clips: {ffffffff-ff12-44c5-91ec-068e3aa1b2d7} - c:\program files\hp\smart web printing\hpswp_framework.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
    uRun: [AROReminder] c:\program files\advanced registry optimizer\ARO.exe -rem
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [ParetoLogic Anti-Virus PLUS] "c:\program files\paretologic\anti-virus plus\Pareto_AV.lnk" -NM -hidesplash
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    LSP: c:\windows\system32\INetHTTPFilter.dll
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ============= SERVICES / DRIVERS ===============

    R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-20 40840]
    R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-20 66952]
    R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-20 81288]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-4 1153368]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-20 356920]
    R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-20 1079176]
    R2 ZeppelinService;plasservice;c:\program files\common files\paretologic\plas\plasservice.exe [2009-2-18 587216]
    S2 EraserSvc10824;Symantec Eraser Service; "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]

    =============== Created Last 30 ================

    2010-01-04 22:28:42 0 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-01-04 22:28:42 0 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-01-04 22:18:59 0 d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
    2010-01-04 22:18:59 0 d-----w- c:\programdata\ParetoLogic
    2010-01-04 22:18:59 0 d-----w- c:\program files\ParetoLogic
    2010-01-04 22:18:59 0 d-----w- c:\program files\common files\ParetoLogic
    2010-01-04 21:42:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-04 21:42:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-04 20:47:39 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-01-04 20:47:39 0 d-----w- c:\program files\Spybot - Search & Destroy
    2009-12-31 19:17:54 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    2009-12-31 01:44:16 0 d-----w- c:\users\user\appdata\roaming\Sammsoft
    2009-12-24 20:11:50 0 d-----w- c:\programdata\WindowsSearch
    2009-12-21 20:42:32 233472 ----a-w- c:\windows\system32\ov99114.dll
    2009-12-18 04:45:20 0 d-----w- c:\users\user\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-12-18 04:40:34 0 d-----w- c:\programdata\McAfee
    2009-12-17 02:40:18 0 d-----w- c:\programdata\Norton
    2009-12-17 02:40:17 0 d-----w- c:\programdata\NortonInstaller
    2009-12-16 23:39:30 0 d-----w- c:\windows\system32\Adobe
    2009-12-16 23:30:12 0 d-----w- c:\programdata\McAfee Security Scan
    2009-12-13 14:12:05 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
    2009-12-13 14:12:05 15360 ----a-w- c:\windows\system32\pacerprf.dll
    2009-12-13 14:12:02 147456 ----a-w- c:\windows\system32\Faultrep.dll
    2009-12-13 14:12:02 125952 ----a-w- c:\windows\system32\wersvc.dll
    2009-12-13 14:12:00 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2009-12-13 14:12:00 565248 ----a-w- c:\windows\system32\emdmgmt.dll
    2009-12-13 14:12:00 45056 ----a-w- c:\windows\system32\dataclen.dll
    2009-12-13 14:12:00 36864 ----a-w- c:\windows\system32\cdd.dll
    2009-12-13 14:12:00 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
    2009-12-13 14:11:56 90112 ----a-w- c:\windows\system32\wshext.dll
    2009-12-13 14:11:56 155648 ----a-w- c:\windows\system32\wscript.exe
    2009-12-13 14:11:56 135168 ----a-w- c:\windows\system32\wshom.ocx
    2009-12-13 14:11:55 180224 ----a-w- c:\windows\system32\scrobj.dll
    2009-12-13 14:11:55 172032 ----a-w- c:\windows\system32\scrrun.dll
    2009-12-13 14:11:55 135168 ----a-w- c:\windows\system32\cscript.exe
    2009-12-12 20:34:17 0 d-----w- C:\PerfLogs
    2009-12-12 19:21:14 0 d-----w- C:\Poker Application
    2009-12-12 02:26:39 0 d-----w- c:\users\user\appdata\roaming\Malwarebytes
    2009-12-12 02:26:32 0 d-----w- c:\programdata\Malwarebytes
    2009-12-12 02:26:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-11 22:50:58 0 d-----w- c:\users\user\appdata\roaming\UB
    2009-12-10 08:05:52 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-10 08:05:44 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-10 08:05:44 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-09 20:28:15 378368 ----a-w- c:\windows\system32\winhttp.dll
    2009-12-09 12:52:41 281600 ----a-w- c:\windows\system32\raschap.dll
    2009-12-09 12:52:41 244224 ----a-w- c:\windows\system32\rastls.dll

    ==================== Find3M ====================

    2010-01-04 21:07:47 102856 ----a-w- c:\programdata\nvModes.dat
    2009-12-12 20:46:48 174 --sha-w- c:\program files\desktop.ini
    2009-12-12 20:43:05 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-12-12 20:43:04 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-12-12 20:43:04 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-12-12 20:34:13 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-12-12 20:15:03 101888 ----a-w- c:\windows\system32\ifxcardm.dll
    2009-12-12 20:14:58 82432 ----a-w- c:\windows\system32\axaltocm.dll
    2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-21 06:40:20 10240 ----a-w- c:\windows\system32\ctfmon_xu.exe
    2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-29 09:41:23 2048 ----a-w- c:\windows\system32\tzres.dll
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 18:13:29.73 ===============
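    The DDS "Pseudo HJT Report" above is what the helper reads by hand: load points (BHO/TB/EB/LSP) are checked for orphaned "No File" entries, add-ons with no real product name, Winsock LSPs, and any target file that also shows up in "Created Last 30". The script below is an added example (not part of the thread or of DDS itself) that applies those same triage rules to a few constructed lines modelled on the posted log; the section names and line formats are those of the DDS report, everything else is the example's own.

    ```python
    import re
    from dataclasses import dataclass

    # Constructed sample in DDS format, modelled on the log above (not the full log).
    SAMPLE_LOG = r"""
    ============== Pseudo HJT Report ===============

    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: D: {231d0973-63ba-3201-b686-0518ecc708ea} - c:\windows\system32\ov99114.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    LSP: c:\windows\system32\INetHTTPFilter.dll

    =============== Created Last 30 ================

    2009-12-21 20:42:32 233472 ----a-w- c:\windows\system32\ov99114.dll
    2009-12-13 14:11:56 155648 ----a-w- c:\windows\system32\wscript.exe
    """

    # "=== Section name ===" headers used by DDS to separate report sections.
    SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
    # Load-point lines: "BHO: ...", "TB: ...", "EB: ...", "LSP: <path>".
    LOADPOINT_RE = re.compile(r"^(?P<kind>BHO|TB|EB|LSP):\s*(?P<rest>.*)$")
    # "[Name: ]{GUID} - <path or 'No File'>"; name may not contain '{' so it
    # cannot swallow the GUID, and it is optional for unnamed entries.
    OBJECT_RE = re.compile(r"^(?:(?P<name>[^{]*?):\s*)?\{(?P<guid>[^}]+)\}\s*-\s*(?P<path>.*)$")
    # "YYYY-MM-DD HH:MM:SS <size> <attrs> <path>" lines of "Created Last 30".
    CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \d+ \S+ (?P<path>.+)$")


    @dataclass
    class Finding:
        kind: str      # BHO / TB / EB / LSP
        path: str      # target file, or "No File"
        reasons: list  # why this line deserves a look


    def parse_sections(text):
        """Split a DDS report into {section name: [non-empty lines]}."""
        sections, current = {}, None
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue
            m = SECTION_RE.match(line)
            if m:
                current = m.group(1)
                sections.setdefault(current, [])
            elif current is not None:
                sections[current].append(line)
        return sections


    def triage(text):
        """Return the load points a helper would want to look at, with reasons."""
        sections = parse_sections(text)
        # Files created in the last 30 days, keyed by lower-cased path.
        recent = {}
        for line in sections.get("Created Last 30", []):
            m = CREATED_RE.match(line)
            if m:
                recent[m.group("path").lower()] = m.group("date")

        findings = []
        for line in sections.get("Pseudo HJT Report", []):
            m = LOADPOINT_RE.match(line)
            if not m:
                continue
            kind, rest = m.group("kind"), m.group("rest")
            reasons = []
            if kind == "LSP":
                path = rest.strip()
                reasons.append("Winsock LSP sees all TCP/IP traffic; a classic redirect vector, verify the publisher")
            else:
                om = OBJECT_RE.match(rest)
                if not om:
                    continue
                name = (om.group("name") or "").strip()
                path = om.group("path").strip()
                if path.lower() == "no file":
                    reasons.append("orphaned load point: registry entry whose file is gone")
                elif len(name) <= 1:
                    reasons.append("unnamed or one-letter %s: legitimate add-ons carry a product name" % kind)
            created = recent.get(path.lower())
            if created:
                reasons.append("target file was created on %s (within the last 30 days)" % created)
            if reasons:
                findings.append(Finding(kind, path, reasons))
        return findings


    if __name__ == "__main__":
        for f in triage(SAMPLE_LOG):
            print("%-3s %s" % (f.kind, f.path))
            for r in f.reasons:
                print("     - " + r)
    ```

    On the sample, the one-letter BHO "D" is the only entry that trips two rules at once (no product name, and its DLL was created 14 days earlier), which is exactly the combination the helper looks for first.
    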
     
  2. 2010/01/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Security Check from HERE, and save it to your Desktop.

    * Double-click SecurityCheck.exe
    * Follow the onscreen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    ============================================================

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    ==============================================================

    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     


  4. 2010/01/05
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    This is the security information. I am getting ready to run the combofix, and will post those results ASAP. Thanks!!

    Results of screen317's Security Check version 0.99.1
    Windows Vista Service Pack 1 (UAC is enabled)
    Out of date service pack!!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    WMIC entry does not exist for antivirus; attempting automatic update.
    ``````````````````````````````
    Anti-malware/Other Utilities Check:

    Spyware Doctor 6.0
    Spybot - Search & Destroy
    Java(TM) 6 Update 2
    Out of date Java installed!
    Adobe Flash Player 10
    Adobe Reader 9
    ``````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSASCui.exe
    ``````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    `````````End of Log```````````
     
  5. 2010/01/05
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    Here is the log for the Combofix:


    ComboFix 10-01-04.01 - User 01/05/2010 15:11:49.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.1125 [GMT -5:00]
    Running from: c:\users\User\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Spyware Doctor *enabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-3189446360-1793300219-4121722404-500
    c:\$recycle.bin\S-1-5-21-747642811-3982433225-4087218088-500
    c:\program files\Antivirus 2009
    c:\windows\system32\ctfmon_xu.exe
    c:\windows\system32\KBL.LOG

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
    .

    2010-01-05 20:30 . 2010-01-05 20:30 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-01-04 22:30 . 2010-01-04 22:30 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
    2010-01-04 22:28 . 2010-01-05 20:30 1087776 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-01-04 22:18 . 2010-01-05 22:38 -------- d-----w- c:\program files\ParetoLogic
    2010-01-04 22:18 . 2010-01-05 22:25 -------- d-----w- c:\programdata\ParetoLogic
    2010-01-04 22:18 . 2010-01-05 01:29 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-01-04 21:42 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-04 21:42 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-04 20:47 . 2010-01-05 22:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-04 20:47 . 2010-01-05 20:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2009-12-31 01:44 . 2009-12-31 01:44 -------- d-----w- c:\users\User\AppData\Roaming\Sammsoft
    2009-12-24 20:13 . 2009-12-24 20:13 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2009-12-24 20:11 . 2009-12-24 20:11 -------- d-----w- c:\programdata\WindowsSearch
    2009-12-21 20:42 . 2009-12-21 20:42 233472 ----a-w- c:\windows\system32\ov99114.dll
    2009-12-18 05:13 . 2009-12-18 05:13 -------- d-----w- c:\users\User\AppData\Local\Mozilla
    2009-12-18 04:46 . 2009-12-18 04:45 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-18 04:46 . 2009-12-18 04:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-12-18 04:45 . 2009-12-18 04:45 -------- d-----w- c:\users\User\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-12-18 04:40 . 2009-12-18 04:40 -------- d-----w- c:\programdata\McAfee
    2009-12-17 02:40 . 2010-01-04 20:34 -------- d-----w- c:\programdata\Norton
    2009-12-17 02:40 . 2009-12-17 02:40 -------- d-----w- c:\programdata\NortonInstaller
    2009-12-16 23:39 . 2009-12-16 23:39 -------- d-----w- c:\windows\system32\Adobe
    2009-12-16 23:30 . 2010-01-05 22:38 -------- d-----w- c:\programdata\McAfee Security Scan
    2009-12-13 14:12 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
    2009-12-13 14:12 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
    2009-12-13 14:12 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
    2009-12-13 14:12 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
    2009-12-13 14:12 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll
    2009-12-13 14:12 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2009-12-13 14:12 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll
    2009-12-13 14:12 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll
    2009-12-13 14:12 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
    2009-12-13 14:11 . 2008-05-08 21:59 90112 ----a-w- c:\windows\system32\wshext.dll
    2009-12-13 14:11 . 2008-05-08 21:59 155648 ----a-w- c:\windows\system32\wscript.exe
    2009-12-13 14:11 . 2008-05-08 21:59 180224 ----a-w- c:\windows\system32\scrobj.dll
    2009-12-13 14:11 . 2008-05-08 21:59 172032 ----a-w- c:\windows\system32\scrrun.dll
    2009-12-13 14:11 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\cscript.exe
    2009-12-12 20:34 . 2009-12-12 20:34 -------- d-----w- C:\PerfLogs
    2009-12-12 19:21 . 2009-12-12 19:22 -------- d-----w- C:\Poker Application
    2009-12-12 02:26 . 2009-12-12 02:26 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
    2009-12-12 02:26 . 2010-01-05 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-12 02:26 . 2009-12-12 02:26 -------- d-----w- c:\programdata\Malwarebytes
    2009-12-11 22:50 . 2009-12-11 22:50 -------- d-----w- c:\users\User\AppData\Roaming\UB
    2009-12-10 08:05 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-10 08:05 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-10 08:05 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-09 20:28 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
    2009-12-09 12:52 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
    2009-12-09 12:52 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
    2009-12-07 01:22 . 2010-01-02 17:59 5603776 ----a-w- c:\users\User\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-05 22:36 . 2009-11-12 16:16 -------- d-----w- c:\program files\Canon
    2010-01-05 22:35 . 2009-11-12 16:18 -------- d--h--w- c:\program files\CanonBJ
    2010-01-05 19:59 . 2009-02-17 12:50 102856 ----a-w- c:\programdata\nvModes.dat
    2010-01-05 01:17 . 2010-01-04 22:28 9008 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-01-04 20:34 . 2007-12-06 03:11 -------- d-----w- c:\programdata\Symantec
    2010-01-04 20:32 . 2007-12-06 04:50 -------- d-----w- c:\program files\Sling Media
    2010-01-04 20:32 . 2007-12-06 03:09 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-04 20:27 . 2008-10-26 20:56 -------- d-----w- c:\program files\Google
    2010-01-02 17:59 . 2009-09-19 20:04 144160 ----a-w- c:\users\User\AppData\Roaming\Move Networks\uninstall.exe
    2009-12-31 22:21 . 2007-12-06 03:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-12-31 19:17 . 2009-12-31 19:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    2009-12-18 04:45 . 2009-01-10 01:45 38784 ----a-w- c:\users\User\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-12 20:34 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-12-12 20:15 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
    2009-12-12 20:14 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
    2009-12-12 19:24 . 2009-11-11 05:18 69632 ----a-w- c:\users\User\AppData\Roaming\UltimateBet\resources\resources\dylib\faswrap.dll
    2009-12-10 08:08 . 2007-12-06 04:46 -------- d-----w- c:\programdata\Microsoft Help
    2009-11-21 06:40 . 2009-12-09 20:26 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-21 06:34 . 2009-12-09 20:26 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-11-21 06:34 . 2009-12-09 20:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-11-21 04:59 . 2009-12-09 20:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-11-14 22:35 . 2009-10-15 00:50 5642688 ----a-w- c:\users\User\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
    2009-11-12 16:24 . 2009-11-12 16:24 -------- d-----w- c:\program files\Common Files\CANON
    2009-11-12 16:21 . 2009-11-12 16:21 -------- d--h--w- c:\programdata\CanonBJ
    2009-11-11 05:18 . 2009-11-11 04:29 -------- d-----w- c:\users\User\AppData\Roaming\UltimateBet
    2009-11-11 05:18 . 2009-11-11 05:18 185632 ----a-w- c:\users\User\AppData\Roaming\UltimateBet\resources\resources\dylib\stmocx.dll
    2009-11-03 01:42 . 2009-10-03 15:12 195456 ----a-w- c:\windows\system32\MpSigStub.exe
    2009-10-29 09:41 . 2009-11-26 16:11 2048 ----a-w- c:\windows\system32\tzres.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{231D0973-63BA-3201-B686-0518ECC708EA}]
    2009-12-21 20:42 233472 ----a-w- c:\windows\System32\ov99114.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
    "ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" [2010-01-04 1974]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
    backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2007-10-02 00:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2007-08-23 00:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-09-13 16:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-12-04 07:42 13556256 ----a-w- c:\windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-12-04 07:42 92704 ----a-w- c:\windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2008-12-04 07:42 711200 ----a-w- c:\windows\System32\nvsvc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
    2007-09-04 21:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2007-07-12 12:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2007-08-17 07:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
    2007-01-08 23:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [1/4/2010 3:47 PM 1153368]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/20/2008 3:30 AM 356920]
    R2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [2/18/2009 2:40 PM 587216]
    S2 EraserSvc10824;Symantec Eraser Service; "c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon --> c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-05 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
    - c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]

    2010-01-04 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
    - c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]

    2010-01-04 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

    2010-01-05 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\INetHTTPFilter.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
    MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    MSConfigStartUp-isCfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-05 15:30
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\WER5A21.tmp.version.txt 476 bytes
    c:\windows\TEMP\WER5A31.tmp.appcompat.txt 61000 bytes
    c:\windows\TEMP\WER5DAB.tmp.hdmp 184278 bytes

    scan completed successfully
    hidden files: 3

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3189446360-1793300219-4121722404-1000\¬ î**]
    @Allowed: (Read) (RestrictedCode)
    "MachineID"=hex:4d,65,59,60,99,de,52,00
    DUMPHIVE0.003 (REGF)

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-01-05 15:38:19
    ComboFix-quarantined-files.txt 2010-01-05 20:38

    Pre-Run: 37,736,177,664 bytes free
    Post-Run: 44,853,805,056 bytes free

    - - End Of File - - B6F1A0EF1DDA91183AFE539E1569F240
     
  6. 2010/01/05
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    This one is for the HijackThis log... Thanks again!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:44:30 PM, on 1/5/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wermgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: D - {231D0973-63BA-3201-B686-0518ECC708EA} - C:\Windows\system32\ov99114.dll
    O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" -NM -hidesplash
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: Symantec Eraser Service (EraserSvc10824) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
    O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

    --
    End of file - 9460 bytes
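The O2, O3, O10 and O23 lines in the HijackThis log above are the ones an analyst reads first: a BHO with a one-letter display name loaded from a DLL in system32, toolbar and BHO entries pointing at files that no longer exist, one Winsock LSP DLL repeated once per catalog entry, and a service whose binary is missing. The script below is an added example, not code from this thread or from HijackThis or ComboFix; it runs the same triage over a few constructed lines copied in the shape of the posted log. The "random-looking DLL name" rule (a few letters followed by a run of digits, sitting in system32) is an assumption of mine, not a rule either tool applies, and the sample lines are constructed input rather than a full log.

```python
"""Triage a HijackThis 2.0 log: flag the entry classes a malware analyst reads first."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape of a HijackThis log (not a full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: D - {231D0973-63BA-3201-B686-0518ECC708EA} - C:\Windows\system32\ov99114.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O23 - Service: Symantec Eraser Service (EraserSvc10824) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# O2 (BHO) and O3 (toolbar) share one layout: name - {CLSID} - path
BHO_RE = re.compile(
    r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Heuristic (my assumption, not a HijackThis rule): two or three letters followed by
# a run of digits is the kind of name a dropper generates, not a vendor.
RANDOM_DLL_RE = re.compile(r"^[a-z]{1,3}\d{4,}\.dll$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # "orphan", "suspicious_bho", "lsp", "service_missing"
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, in log order, with LSP DLLs summarised last."""
    findings: list[Finding] = []
    lsp_counts: Counter = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                # Registration left behind after an uninstall: cosmetic, but still removed.
                findings.append(Finding("orphan", f"{m.group('clsid')} {name}"))
                continue
            fname = path.replace("/", "\\").rsplit("\\", 1)[-1]
            in_system32 = "\\system32\\" in path.lower()
            meaningless_name = name == "(no name)" or len(name) <= 2
            if in_system32 and (meaningless_name or RANDOM_DLL_RE.match(fname)):
                findings.append(Finding("suspicious_bho", f"{name} -> {path}"))
            continue
        m = LSP_RE.match(line)
        if m:
            # One line per Winsock catalog entry; the same DLL normally shows up several times.
            lsp_counts[m.group("path").lower()] += 1
            continue
        m = SVC_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            findings.append(Finding("service_missing", f"{m.group('name')} -> {m.group('path')}"))
    for dll, n in sorted(lsp_counts.items()):
        findings.append(Finding("lsp", f"{dll} (x{n} LSP catalog entries)"))
    return findings


def by_kind(findings: list[Finding], kind: str) -> list[str]:
    """Details of all findings of one kind, in the order triage() produced them."""
    return [f.detail for f in findings if f.kind == kind]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind:15}] {f.detail}")
```

Run it on the sample and the one-letter BHO loading `ov99114.dll` from system32, the two orphaned CLSIDs, the repeated LSP DLL and the service with a missing binary come out as four separate finding kinds. Any LSP entry is reported, not just ones matching a name list, because an unknown LSP sits in the path of every socket the browser opens and is exactly where a redirector would hook. The orphan and missing-service classes are low severity on their own; they matter here because they show which products were uninstalled incompletely.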
     
  7. 2010/01/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You have several AV programs, either partially running, or showing some leftovers:
    - ParetoLogic Anti-Virus PLUS - really not recommended program; if present in "Programs & Features", please uninstall it
    - Norton - download and run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
    - McAfee - download and run McAfee Consumer Product Removal Tool: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml
    You don't have any real AV program running, but we'll take care of it, when we're done with Combofix.

    When you're done with the above, re-run Combofix and post fresh Combofix and HJT logs.
     
  8. 2010/01/06
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    OK, I did both the removals as indicated. Here is the combofix report:


    ComboFix 10-01-04.01 - User 01/06/2010 12:17:03.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.1210 [GMT -5:00]
    Running from: c:\users\User\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
    .

    2010-01-06 17:32 . 2010-01-06 17:32 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-01-06 17:32 . 2010-01-06 17:32 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-01-05 22:24 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-01-05 22:24 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-01-05 22:24 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
    2010-01-05 22:24 . 2009-11-10 15:28 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-01-05 22:24 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
    2010-01-05 22:24 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
    2010-01-05 22:21 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-01-05 22:21 . 2009-10-30 16:09 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
    2010-01-05 22:21 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-01-05 22:21 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-01-05 22:21 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-01-05 22:21 . 2010-01-05 22:24 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-01-05 22:21 . 2010-01-05 22:21 -------- d-----w- c:\users\User\AppData\Roaming\PC Tools
    2010-01-05 22:21 . 2010-01-05 22:21 -------- d-----w- c:\programdata\PC Tools
    2010-01-05 20:44 . 2010-01-05 20:44 -------- d-----w- c:\program files\Trend Micro
    2010-01-04 22:30 . 2010-01-04 22:30 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
    2010-01-04 22:28 . 2010-01-06 16:54 1926432 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-01-04 22:18 . 2010-01-06 16:28 -------- d-----w- c:\programdata\ParetoLogic
    2010-01-04 22:18 . 2010-01-06 16:28 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-01-04 21:42 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-04 21:42 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-04 20:47 . 2010-01-05 22:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-04 20:47 . 2010-01-05 20:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2009-12-31 01:44 . 2009-12-31 01:44 -------- d-----w- c:\users\User\AppData\Roaming\Sammsoft
    2009-12-24 20:13 . 2009-12-24 20:13 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2009-12-24 20:11 . 2009-12-24 20:11 -------- d-----w- c:\programdata\WindowsSearch
    2009-12-21 20:42 . 2009-12-21 20:42 233472 ----a-w- c:\windows\system32\ov99114.dll
    2009-12-18 05:13 . 2009-12-18 05:13 -------- d-----w- c:\users\User\AppData\Local\Mozilla
    2009-12-18 04:46 . 2009-12-18 04:45 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-18 04:46 . 2009-12-18 04:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-12-18 04:45 . 2009-12-18 04:45 -------- d-----w- c:\users\User\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-12-17 02:40 . 2010-01-04 20:34 -------- d-----w- c:\programdata\Norton
    2009-12-17 02:40 . 2009-12-17 02:40 -------- d-----w- c:\programdata\NortonInstaller
    2009-12-16 23:39 . 2009-12-16 23:39 -------- d-----w- c:\windows\system32\Adobe
    2009-12-16 23:30 . 2010-01-05 22:38 -------- d-----w- c:\programdata\McAfee Security Scan
    2009-12-13 14:12 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
    2009-12-13 14:12 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
    2009-12-13 14:12 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
    2009-12-13 14:12 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
    2009-12-13 14:12 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll
    2009-12-13 14:12 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2009-12-13 14:12 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll
    2009-12-13 14:12 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll
    2009-12-13 14:12 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
    2009-12-13 14:11 . 2008-05-08 21:59 90112 ----a-w- c:\windows\system32\wshext.dll
    2009-12-13 14:11 . 2008-05-08 21:59 155648 ----a-w- c:\windows\system32\wscript.exe
    2009-12-13 14:11 . 2008-05-08 21:59 180224 ----a-w- c:\windows\system32\scrobj.dll
    2009-12-13 14:11 . 2008-05-08 21:59 172032 ----a-w- c:\windows\system32\scrrun.dll
    2009-12-13 14:11 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\cscript.exe
    2009-12-12 20:34 . 2009-12-12 20:34 -------- d-----w- C:\PerfLogs
    2009-12-12 19:21 . 2009-12-12 19:22 -------- d-----w- C:\Poker Application
    2009-12-12 02:26 . 2009-12-12 02:26 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
    2009-12-12 02:26 . 2010-01-05 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-12 02:26 . 2009-12-12 02:26 -------- d-----w- c:\programdata\Malwarebytes
    2009-12-11 22:50 . 2009-12-11 22:50 -------- d-----w- c:\users\User\AppData\Roaming\UB
    2009-12-10 08:05 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-10 08:05 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-10 08:05 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-09 20:28 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
    2009-12-09 12:52 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
    2009-12-09 12:52 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-06 17:19 . 2008-12-20 08:30 -------- d-----w- c:\program files\Spyware Doctor
    2010-01-06 16:54 . 2010-01-04 22:28 27920 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-01-06 16:24 . 2009-02-17 12:50 102856 ----a-w- c:\programdata\nvModes.dat
    2010-01-05 22:36 . 2009-11-12 16:16 -------- d-----w- c:\program files\Canon
    2010-01-05 22:35 . 2009-11-12 16:18 -------- d--h--w- c:\program files\CanonBJ
    2010-01-04 20:32 . 2007-12-06 04:50 -------- d-----w- c:\program files\Sling Media
    2010-01-04 20:32 . 2007-12-06 03:09 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-04 20:27 . 2008-10-26 20:56 -------- d-----w- c:\program files\Google
    2010-01-02 17:59 . 2009-09-19 20:04 144160 ----a-w- c:\users\User\AppData\Roaming\Move Networks\uninstall.exe
    2010-01-02 17:59 . 2009-12-07 01:22 5603776 ----a-w- c:\users\User\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
    2009-12-31 22:21 . 2007-12-06 03:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-12-31 19:17 . 2009-12-31 19:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    2009-12-18 04:45 . 2009-01-10 01:45 38784 ----a-w- c:\users\User\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-12 20:34 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-12-12 20:15 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
    2009-12-12 20:14 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
    2009-12-12 19:24 . 2009-11-11 05:18 69632 ----a-w- c:\users\User\AppData\Roaming\UltimateBet\resources\resources\dylib\faswrap.dll
    2009-12-10 08:08 . 2007-12-06 04:46 -------- d-----w- c:\programdata\Microsoft Help
    2009-11-21 06:40 . 2009-12-09 20:26 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-21 06:34 . 2009-12-09 20:26 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-11-21 06:34 . 2009-12-09 20:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-11-21 04:59 . 2009-12-09 20:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-11-14 22:35 . 2009-10-15 00:50 5642688 ----a-w- c:\users\User\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
    2009-11-12 16:24 . 2009-11-12 16:24 -------- d-----w- c:\program files\Common Files\CANON
    2009-11-12 16:21 . 2009-11-12 16:21 -------- d--h--w- c:\programdata\CanonBJ
    2009-11-11 05:18 . 2009-11-11 04:29 -------- d-----w- c:\users\User\AppData\Roaming\UltimateBet
    2009-11-11 05:18 . 2009-11-11 05:18 185632 ----a-w- c:\users\User\AppData\Roaming\UltimateBet\resources\resources\dylib\stmocx.dll
    2009-11-03 01:42 . 2009-10-03 15:12 195456 ----a-w- c:\windows\system32\MpSigStub.exe
    2009-10-29 09:41 . 2009-11-26 16:11 2048 ----a-w- c:\windows\system32\tzres.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{231D0973-63BA-3201-B686-0518ECC708EA}]
    2009-12-21 20:42 233472 ----a-w- c:\windows\System32\ov99114.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
    backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2007-10-02 00:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2007-08-23 00:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-09-13 16:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-12-04 07:42 13556256 ----a-w- c:\windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-12-04 07:42 92704 ----a-w- c:\windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2008-12-04 07:42 711200 ----a-w- c:\windows\System32\nvsvc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
    2007-09-04 21:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2007-07-12 12:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2007-08-17 07:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
    2007-01-08 23:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [1/5/2010 5:21 PM 207792]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/5/2010 5:24 PM 112592]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [1/4/2010 3:47 PM 1153368]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/20/2008 3:30 AM 359624]
    S2 EraserSvc10824;Symantec Eraser Service; "c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon --> c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - PCTSDInjDriver32
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-06 12:39
    Windows 6.0.6001 Service Pack 1 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3189446360-1793300219-4121722404-1000\¬ î**]
    @Allowed: (Read) (RestrictedCode)
    "MachineID "=hex:4d,65,59,60,99,de,52,00
    DUMPHIVE0.003 (REGF)

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(5736)
    c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
    .
    Completion time: 2010-01-06 12:39:33
    ComboFix-quarantined-files.txt 2010-01-06 17:38
    ComboFix2.txt 2010-01-05 20:38

    Pre-Run: 45,990,547,456 bytes free
    Post-Run: 45,801,488,384 bytes free

    - - End Of File - - 658E8AE5F605EB4E5662893E7B2DAF24
     
  9. 2010/01/06
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    And here is the HijackThis report. Thanks!!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:52:30 PM, on 1/6/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
    C:\Windows\System32\alg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: D - {231D0973-63BA-3201-B686-0518ECC708EA} - C:\Windows\system32\ov99114.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: Symantec Eraser Service (EraserSvc10824) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 11071 bytes
     
  10. 2010/01/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is the redirection issue?


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\ov99114.dll
    
    
    Folder::
    c:\programdata\ParetoLogic
    c:\program files\Common Files\ParetoLogic
    c:\programdata\Norton
    c:\programdata\NortonInstaller
    c:\programdata\McAfee Security Scan
    c:\program files\Common Files\Symantec Shared
    
    
    Driver::
    EraserSvc10824
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{231D0973-63BA-3201-B686-0518ECC708EA}]
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
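To show how the entries broni's script targets stand out in the HijackThis log posted above (the unnamed O2 BHO loading c:\windows\system32\ov99114.dll, and the O23 Symantec service whose file is missing), here is an added Python triage script; it is not part of this thread and not HijackThis or ComboFix code. The sample lines are copied from the log in this thread, and the two flagging rules (orphaned targets, BHOs with no meaningful name loaded from system32) are my assumptions about what deserves review, not a detection signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: D - {231D0973-63BA-3201-B686-0518ECC708EA} - C:\Windows\system32\ov99114.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O23 - Service: Symantec Eraser Service (EraserSvc10824) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
"""

# One regex per entry type we triage. The name is matched lazily so that the CLSID
# (O2/O9) or the drive-letter path (O23) anchors the split; this keeps a " - " inside
# a product name such as "Spybot - Search & Destroy" from confusing the parser.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O9": re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - "
                     r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>[A-Za-z]:\\.*)$"),
}


@dataclass
class Entry:
    code: str     # HijackThis section code: O2, O9 or O23
    name: str     # display name of the BHO / button / service
    path: str     # file the entry points at, or "(no file)" / "... (file missing)"
    clsid: str = ""
    owner: str = ""


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line into an Entry; None for sections this script does not handle."""
    line = line.strip()
    for code, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            d = m.groupdict()
            return Entry(code=code, name=d["name"], path=d["path"],
                         clsid=d.get("clsid", ""), owner=d.get("owner", ""))
    return None


def is_orphaned(entry: Entry) -> bool:
    # HijackThis marks a registered target that no longer exists on disk with these suffixes.
    return entry.path.endswith("(no file)") or entry.path.endswith("(file missing)")


def is_anonymous_system32_bho(entry: Entry) -> bool:
    # Assumed heuristic: a legitimate BHO normally has a descriptive name and lives
    # under its product's Program Files folder, so a nameless or one-letter BHO whose
    # DLL sits directly in system32 is worth a second look (cf. "D" -> ov99114.dll above).
    nameless = entry.name == "(no name)" or len(entry.name.strip()) <= 2
    return entry.code == "O2" and nameless and "\\windows\\system32\\" in entry.path.lower()


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer should look at, with the rule that flagged each one."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if is_orphaned(entry):
            findings.append(Finding(entry, "orphaned entry: registered target no longer exists on disk"))
        elif is_anonymous_system32_bho(entry):
            findings.append(Finding(entry, "BHO with no meaningful name loading a DLL straight from system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.code:<4} {f.entry.name!r:<45} {f.entry.path}\n     -> {f.reason}")
```

The orphaned entries are only registry leftovers (nothing to execute), while the system32 BHO is the one item here that still loads into every Internet Explorer process, which is why it gets both a File:: and a Registry:: line in the CFScript above.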
     
  11. 2010/01/07
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    I tried to download the xmlnotepad application, but it didn't work as described and ComboFix kept stalling as a result.

    Even though I have Vista, I got all of the old Microsoft programs installed by my work when I first got my computer. Thus, I have Word, Excel, etc., and am not familiar with Notepad. Could this be the issue?

    Hopefully, I am on the right track in explaining this. Thanks!
     
  12. 2010/01/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You can't use xmlnotepad.
    Windows Notepad is located at Start>All Programs>Accessories
     
  13. 2010/01/08
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    OK, thanks for the heads up on that. I can copy that file and do everything following step 1. I just don't have the option to do the first one, or don't know where it is. When I choose to run, or just click to open notepad, it just opens up to a blank document....


    Click Start , then Run
    Type notepad.exe in the Run Box.
     
  14. 2010/01/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes, then you copy whatever you see in the "code" box in my previous reply and paste it into the blank Notepad window.
     
  15. 2010/01/11
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    Thanks. Everything ran successfully this time. Here is the Hijack log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:52:58 AM, on 1/11/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\System32\alg.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: D - {231D0973-63BA-3201-B686-0518ECC708EA} - C:\Windows\system32\ov99114.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: Symantec Eraser Service (EraserSvc10824) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 10871 bytes
     
  16. 2010/01/11
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    And here is the combofix log:



    ComboFix 10-01-04.01 - User 01/11/2010 9:25.5.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.1205 [GMT -5:00]
    Running from: c:\users\User\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
    .

    2010-01-11 14:40 . 2010-01-11 14:40 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-01-11 14:40 . 2010-01-11 14:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-01-07 15:11 . 2010-01-07 15:11 -------- d-----w- c:\users\User\AppData\Local\Threat Expert
    2010-01-05 22:24 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-01-05 22:24 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-01-05 22:24 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
    2010-01-05 22:24 . 2009-11-10 15:28 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-01-05 22:24 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
    2010-01-05 22:24 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
    2010-01-05 22:21 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-01-05 22:21 . 2009-10-30 16:09 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
    2010-01-05 22:21 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-01-05 22:21 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-01-05 22:21 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-01-05 22:21 . 2010-01-05 22:24 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-01-05 22:21 . 2010-01-05 22:21 -------- d-----w- c:\users\User\AppData\Roaming\PC Tools
    2010-01-05 22:21 . 2010-01-05 22:21 -------- d-----w- c:\programdata\PC Tools
    2010-01-05 20:44 . 2010-01-05 20:44 -------- d-----w- c:\program files\Trend Micro
    2010-01-04 22:30 . 2010-01-04 22:30 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
    2010-01-04 22:28 . 2010-01-06 16:54 1926432 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-01-04 22:18 . 2010-01-06 16:28 -------- d-----w- c:\programdata\ParetoLogic
    2010-01-04 22:18 . 2010-01-06 16:28 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-01-04 20:47 . 2010-01-05 22:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-04 20:47 . 2010-01-05 20:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2009-12-31 01:44 . 2009-12-31 01:44 -------- d-----w- c:\users\User\AppData\Roaming\Sammsoft
    2009-12-24 20:13 . 2009-12-24 20:13 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2009-12-24 20:11 . 2009-12-24 20:11 -------- d-----w- c:\programdata\WindowsSearch
    2009-12-21 20:42 . 2009-12-21 20:42 233472 ----a-w- c:\windows\system32\ov99114.dll
    2009-12-18 05:13 . 2009-12-18 05:13 -------- d-----w- c:\users\User\AppData\Local\Mozilla
    2009-12-18 04:46 . 2009-12-18 04:45 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-18 04:46 . 2009-12-18 04:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-12-18 04:45 . 2009-12-18 04:45 -------- d-----w- c:\users\User\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-12-17 02:40 . 2010-01-04 20:34 -------- d-----w- c:\programdata\Norton
    2009-12-17 02:40 . 2009-12-17 02:40 -------- d-----w- c:\programdata\NortonInstaller
    2009-12-16 23:39 . 2009-12-16 23:39 -------- d-----w- c:\windows\system32\Adobe
    2009-12-16 23:30 . 2010-01-05 22:38 -------- d-----w- c:\programdata\McAfee Security Scan
    2009-12-13 14:12 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
    2009-12-13 14:12 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
    2009-12-13 14:12 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
    2009-12-13 14:12 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
    2009-12-13 14:12 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll
    2009-12-13 14:12 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2009-12-13 14:12 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll
    2009-12-13 14:12 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll
    2009-12-13 14:12 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
    2009-12-13 14:11 . 2008-05-08 21:59 90112 ----a-w- c:\windows\system32\wshext.dll
    2009-12-13 14:11 . 2008-05-08 21:59 155648 ----a-w- c:\windows\system32\wscript.exe
    2009-12-13 14:11 . 2008-05-08 21:59 180224 ----a-w- c:\windows\system32\scrobj.dll
    2009-12-13 14:11 . 2008-05-08 21:59 172032 ----a-w- c:\windows\system32\scrrun.dll
    2009-12-13 14:11 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\cscript.exe
    2009-12-12 20:34 . 2009-12-12 20:34 -------- d-----w- C:\PerfLogs
    2009-12-12 19:21 . 2009-12-12 19:22 -------- d-----w- C:\Poker Application

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-11 14:25 . 2008-12-20 08:30 -------- d-----w- c:\program files\Spyware Doctor
    2010-01-11 14:19 . 2009-12-12 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-09 23:25 . 2009-02-17 12:50 102856 ----a-w- c:\programdata\nvModes.dat
    2010-01-06 16:54 . 2010-01-04 22:28 27920 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-01-05 22:36 . 2009-11-12 16:16 -------- d-----w- c:\program files\Canon
    2010-01-05 22:35 . 2009-11-12 16:18 -------- d--h--w- c:\program files\CanonBJ
    2010-01-04 20:32 . 2007-12-06 04:50 -------- d-----w- c:\program files\Sling Media
    2010-01-04 20:32 . 2007-12-06 03:09 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-04 20:27 . 2008-10-26 20:56 -------- d-----w- c:\program files\Google
    2010-01-02 17:59 . 2009-09-19 20:04 144160 ----a-w- c:\users\User\AppData\Roaming\Move Networks\uninstall.exe
    2010-01-02 17:59 . 2009-12-07 01:22 5603776 ----a-w- c:\users\User\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
    2009-12-31 22:21 . 2007-12-06 03:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-12-31 19:17 . 2009-12-31 19:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    2009-12-18 04:45 . 2009-01-10 01:45 38784 ----a-w- c:\users\User\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-12 20:34 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-12-12 20:15 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
    2009-12-12 20:14 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
    2009-12-12 19:24 . 2009-11-11 05:18 69632 ----a-w- c:\users\User\AppData\Roaming\UltimateBet\resources\resources\dylib\faswrap.dll
    2009-12-12 02:26 . 2009-12-12 02:26 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
    2009-12-12 02:26 . 2009-12-12 02:26 -------- d-----w- c:\programdata\Malwarebytes
    2009-12-11 22:50 . 2009-12-11 22:50 -------- d-----w- c:\users\User\AppData\Roaming\UB
    2009-12-10 08:08 . 2007-12-06 04:46 -------- d-----w- c:\programdata\Microsoft Help
    2009-11-21 06:40 . 2009-12-09 20:26 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-21 06:34 . 2009-12-09 20:26 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-11-21 06:34 . 2009-12-09 20:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-11-21 04:59 . 2009-12-09 20:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-11-14 22:35 . 2009-10-15 00:50 5642688 ----a-w- c:\users\User\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
    2009-11-12 16:24 . 2009-11-12 16:24 -------- d-----w- c:\program files\Common Files\CANON
    2009-11-12 16:21 . 2009-11-12 16:21 -------- d--h--w- c:\programdata\CanonBJ
    2009-11-11 05:18 . 2009-11-11 05:18 185632 ----a-w- c:\users\User\AppData\Roaming\UltimateBet\resources\resources\dylib\stmocx.dll
    2009-11-09 13:22 . 2009-12-10 08:05 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-11-09 13:20 . 2009-12-10 08:05 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-11-09 11:04 . 2009-12-10 08:05 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-11-03 01:42 . 2009-10-03 15:12 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-29 09:41 . 2009-11-26 16:11 2048 ----a-w- c:\windows\system32\tzres.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{231D0973-63BA-3201-B686-0518ECC708EA}]
    2009-12-21 20:42 233472 ----a-w- c:\windows\System32\ov99114.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe "= "c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "AROReminder "= "c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart "= "c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AppleSyncNotifier "= "c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "ISTray "= "c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
    "CanonMyPrinter "= "c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
    "CanonSolutionMenu "= "c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]

    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
    backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2007-10-02 00:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2007-08-23 00:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-09-13 16:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-12-04 07:42 13556256 ----a-w- c:\windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-12-04 07:42 92704 ----a-w- c:\windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2008-12-04 07:42 711200 ----a-w- c:\windows\System32\nvsvc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
    2007-09-04 21:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2007-07-12 12:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2007-08-17 07:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
    2007-01-08 23:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [1/5/2010 5:21 PM 207792]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/5/2010 5:24 PM 112592]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [1/4/2010 3:47 PM 1153368]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/20/2008 3:30 AM 359624]
    S2 EraserSvc10824;Symantec Eraser Service; "c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon --> c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - PCTSDInjDriver32
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3189446360-1793300219-4121722404-1000\¬ î**]
    @Allowed: (Read) (RestrictedCode)
    "MachineID "=hex:4d,65,59,60,99,de,52,00
    DUMPHIVE0.003 (REGF)

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(2904)
    c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
    .
    Completion time: 2010-01-11 09:46:29
    ComboFix-quarantined-files.txt 2010-01-11 14:46
    ComboFix2.txt 2010-01-06 17:39
    ComboFix3.txt 2010-01-05 20:38

    Pre-Run: 50,426,085,376 bytes free
    Post-Run: 50,410,332,160 bytes free

    - - End Of File - - 3086D63EA861ADA757C6689F580A3CB3
     
  17. 2010/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
I don't think you did it correctly, because all those entries are still there.
Did you?
    Try to re-read my instructions from my reply #9 and do it again.
     
  18. 2010/01/12
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    OK, hopefully it ran correctly this time:


    ComboFix 10-01-11.04 - User 01/12/2010 13:01:07.6.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.1112 [GMT -5:00]
    Running from: c:\users\User\Desktop\ComboFix.exe
    Command switches used :: c:\users\User\Desktop\CFScript.txt
    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "c:\windows\system32\ov99114.dll "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\ParetoLogic
    c:\program files\Common Files\Symantec Shared
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
    c:\programdata\McAfee Security Scan
    c:\programdata\McAfee Security Scan\ftstate.ini
    c:\programdata\Norton
    c:\programdata\Norton\symdata.xml
    c:\programdata\NortonInstaller
    c:\programdata\NortonInstaller\Logs\01-04-2010-15h33m58s\Install.1.mft.7z
    c:\programdata\NortonInstaller\Logs\01-04-2010-15h33m58s\NortonInstall-01-04-2010-15h33m58s.log
    c:\programdata\NortonInstaller\Logs\01-04-2010-15h34m20s\NortonInstall-01-04-2010-15h34m20s.log
    c:\programdata\NortonInstaller\Logs\12-16-2009-21h40m16s\Install.1.mft.7z
    c:\programdata\NortonInstaller\Logs\12-16-2009-21h40m16s\NortonInstall-12-16-2009-21h40m16s.log
    c:\programdata\ParetoLogic
    c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
    c:\windows\system32\ov99114.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_Apple Mobile Device
    -------\Service_EraserSvc10824


    ((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
    .

    2010-01-12 18:15 . 2010-01-12 18:15 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-01-12 18:15 . 2010-01-12 18:15 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-01-07 15:11 . 2010-01-07 15:11 -------- d-----w- c:\users\User\AppData\Local\Threat Expert
    2010-01-05 22:24 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-01-05 22:24 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-01-05 22:24 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
    2010-01-05 22:24 . 2009-11-10 15:28 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-01-05 22:24 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
    2010-01-05 22:24 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
    2010-01-05 22:21 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-01-05 22:21 . 2009-10-30 16:09 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
    2010-01-05 22:21 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-01-05 22:21 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-01-05 22:21 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-01-05 22:21 . 2010-01-05 22:24 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-01-05 22:21 . 2010-01-05 22:21 -------- d-----w- c:\users\User\AppData\Roaming\PC Tools
    2010-01-05 22:21 . 2010-01-05 22:21 -------- d-----w- c:\programdata\PC Tools
    2010-01-05 20:44 . 2010-01-05 20:44 -------- d-----w- c:\program files\Trend Micro
    2010-01-04 22:28 . 2010-01-06 16:54 1926432 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-01-04 20:47 . 2010-01-05 22:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-04 20:47 . 2010-01-05 20:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2009-12-31 01:44 . 2009-12-31 01:44 -------- d-----w- c:\users\User\AppData\Roaming\Sammsoft
    2009-12-24 20:11 . 2009-12-24 20:11 -------- d-----w- c:\programdata\WindowsSearch
    2009-12-18 05:13 . 2009-12-18 05:13 -------- d-----w- c:\users\User\AppData\Local\Mozilla
    2009-12-18 04:46 . 2009-12-18 04:46 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-12-18 04:45 . 2009-12-18 04:45 -------- d-----w- c:\users\User\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-12-16 23:39 . 2009-12-16 23:39 -------- d-----w- c:\windows\system32\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-12 18:24 . 2008-12-20 08:30 -------- d-----w- c:\program files\Spyware Doctor
    2010-01-11 19:16 . 2009-02-17 12:50 102856 ----a-w- c:\programdata\nvModes.dat
    2010-01-11 14:19 . 2009-12-12 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-06 16:54 . 2010-01-04 22:28 27920 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-01-05 22:36 . 2009-11-12 16:16 -------- d-----w- c:\program files\Canon
    2010-01-05 22:35 . 2009-11-12 16:18 -------- d--h--w- c:\program files\CanonBJ
    2010-01-04 20:32 . 2007-12-06 04:50 -------- d-----w- c:\program files\Sling Media
    2010-01-04 20:32 . 2007-12-06 03:09 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-04 20:27 . 2008-10-26 20:56 -------- d-----w- c:\program files\Google
    2010-01-02 17:59 . 2009-09-19 20:04 144160 ----a-w- c:\users\User\AppData\Roaming\Move Networks\uninstall.exe
    2010-01-02 17:59 . 2009-12-07 01:22 5603776 ----a-w- c:\users\User\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
    2009-12-31 19:17 . 2009-12-31 19:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    2009-12-24 20:13 . 2009-12-24 20:13 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2009-12-18 04:45 . 2009-12-18 04:46 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-18 04:45 . 2009-01-10 01:45 38784 ----a-w- c:\users\User\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-12 20:15 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
    2009-12-12 20:14 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
    2009-12-12 19:24 . 2009-11-11 05:18 69632 ----a-w- c:\users\User\AppData\Roaming\UltimateBet\resources\resources\dylib\faswrap.dll
    2009-12-12 02:26 . 2009-12-12 02:26 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
    2009-12-12 02:26 . 2009-12-12 02:26 -------- d-----w- c:\programdata\Malwarebytes
    2009-12-11 22:50 . 2009-12-11 22:50 -------- d-----w- c:\users\User\AppData\Roaming\UB
    2009-12-10 08:08 . 2007-12-06 04:46 -------- d-----w- c:\programdata\Microsoft Help
    2009-11-21 06:40 . 2009-12-09 20:26 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-21 06:34 . 2009-12-09 20:26 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-11-21 06:34 . 2009-12-09 20:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-11-21 04:59 . 2009-12-09 20:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-11-14 22:35 . 2009-10-15 00:50 5642688 ----a-w- c:\users\User\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
    2009-11-11 05:18 . 2009-11-11 05:18 185632 ----a-w- c:\users\User\AppData\Roaming\UltimateBet\resources\resources\dylib\stmocx.dll
    2009-11-09 13:22 . 2009-12-10 08:05 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-11-09 13:20 . 2009-12-10 08:05 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-11-09 11:04 . 2009-12-10 08:05 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-11-03 01:42 . 2009-10-03 15:12 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-29 09:41 . 2009-11-26 16:11 2048 ----a-w- c:\windows\system32\tzres.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe "= "c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "AROReminder "= "c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart "= "c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AppleSyncNotifier "= "c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "ISTray "= "c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
    "CanonMyPrinter "= "c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
    "CanonSolutionMenu "= "c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]

    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
    backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
    2007-10-02 00:10 1783136 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2007-08-23 00:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2007-09-13 16:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-12-04 07:42 13556256 ----a-w- c:\windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-12-04 07:42 92704 ----a-w- c:\windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2008-12-04 07:42 711200 ----a-w- c:\windows\System32\nvsvc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
    2007-09-04 21:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-09-19 22:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2007-10-01 03:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2007-07-12 12:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
    2007-08-17 07:13 218408 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
    2007-01-08 23:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [1/5/2010 5:21 PM 207792]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/5/2010 5:24 PM 112592]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [1/4/2010 3:47 PM 1153368]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/20/2008 3:30 AM 359624]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - PCTSDInjDriver32
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3189446360-1793300219-4121722404-1000\¬ î**]
    @Allowed: (Read) (RestrictedCode)
    "MachineID "=hex:4d,65,59,60,99,de,52,00
    DUMPHIVE0.003 (REGF)

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(2580)
    c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Spyware Doctor\pctsSvc.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\windows\system32\WerCon.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-12 13:32:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-12 18:32
    ComboFix2.txt 2010-01-11 14:46
    ComboFix3.txt 2010-01-06 17:39
    ComboFix4.txt 2010-01-05 20:38

    Pre-Run: 49,504,194,560 bytes free
    Post-Run: 49,076,994,048 bytes free

    - - End Of File - - 36557D8538AC1E70AB8B83BB25F6C388
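The ComboFix report above is organised into dash-delimited sections ("LOCKED REGISTRY KEYS", "DLLs Loaded Under Running Processes", "Other Running Processes") closed by a line of asterisks. When triaging a log like this, the first pass is usually to pull out the process list and spot anything running from an unusual location. The parser below is an added example written for this thread, not a tool from the forum or from ComboFix's authors; it runs on a constructed sample modelled on the log, and the temp-folder path in that sample is invented to show what gets flagged (a flagged path is only a lead for further analysis, not proof of infection).

```python
"""Parse the section layout of a ComboFix log and flag process paths outside
the usual system directories. Added example; the sample log is constructed."""
import re
from typing import Dict, List

# Constructed sample modelled on the report in this thread. The temp-folder
# entry is invented purely to demonstrate the flagging heuristic.
SAMPLE_LOG = """\
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0000\\AllUserSettings]
@Denied: (A) (Users)
"BlindDial "=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\\windows\\system32\\nvvsvc.exe
c:\\program files\\Bonjour\\mDNSResponder.exe
c:\\users\\user\\appdata\\local\\temp\\updater.exe
.
**************************************************************************
.
Completion time: 2010-01-12 13:32:14 - machine was rebooted
"""

# A section header is a title padded with runs of dashes on both sides.
SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")
# A long run of asterisks closes the block of sections.
END_RE = re.compile(r"^\*{10,}$")

# Locations where legitimately installed software normally lives. Anything
# else (user profile, temp folders, recycle bin) deserves a closer look.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Map each dash-delimited section title to its non-empty content lines.
    Lines consisting only of "." (ComboFix's spacer) are dropped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if END_RE.match(line):
            current = None  # asterisk bar ends the section block
            continue
        if current is None or line in ("", "."):
            continue
        sections[current].append(line)
    return sections


def unusual_process_paths(text: str) -> List[str]:
    """Return process paths from 'Other Running Processes' that do not start
    with one of the trusted directory prefixes (case-insensitive)."""
    procs = parse_sections(text).get("Other Running Processes", [])
    return [p for p in procs if not p.lower().startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    for title, lines in parse_sections(SAMPLE_LOG).items():
        print(f"{title}: {len(lines)} line(s)")
    for path in unusual_process_paths(SAMPLE_LOG):
        print("review:", path)
```

The prefix list is deliberately short; on a real log you would extend it with the machine's known installation paths and then hand-check each remaining entry (file hashes, publisher signature, creation date) rather than treating the heuristic as a verdict.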
     
  19. 2010/01/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)

    How is the redirection issue?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Restart computer.
     
  20. 2010/01/12
    Prainey

    Prainey Inactive Thread Starter

    Joined:
    2010/01/04
    Messages:
    14
    Likes Received:
    0
    Redirection issue is still the same. It is worse with Google than Yahoo, both of which will take you to a redirected site if you click on any of the search results. I have found that if you refresh a couple times, most of the time you will get to where you are supposed to.

    One thing that has gotten better is that up until a couple days ago, explorer was very slow and even shutting down occasionally. I would pretty much have to restart my computer, and the explorer icon would blink as if it was closing down multiple sessions (even though none were open). Luckily all of this has subsided, and explorer seems to be working fine now.

    Thanks again for all the help with this!
     
  21. 2010/01/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're welcome :)

    Download Kenco.exe to your desktop
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you ( it will be saved in the same place as Kenco.exe).
     
