Internet Searches being redirected

Post by RichPhillips » August 8th, 2010, 1:09 pm

My Internet Explorer searches are being redirected. I have tried several malware products to remove the malware, but it returns after rebooting. Please help me on this one. Thanks

HiJackThis and uninstall logs follow:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:52:59 PM, on 8/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Garmin\MyGarminAgent\MyGarminAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyGarminAgent] C:\Program Files\Garmin\MyGarminAgent\MyGarminAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020 (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.15\AMVConverter\grab.html
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Custo ... anager.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 3846155359
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3846145812
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDow ... rtScan.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9c6d239efcdfe) (gupdate1c9c6d239efcdfe) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 12556 bytes


123 Free Solitaire 2009 v7.0
32 Bit HP CIO Components Installer
5 Card Slingo from Hewlett-Packard Laptops (remove only)
Acrobat.com
Acrobat.com
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 9.3.2
Adobe Shockwave Player
Any Video Converter 3.0.4
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 9.0
Bejeweled 2 Deluxe from Hewlett-Packard Laptops (remove only)
Big Kahuna Reef from Hewlett-Packard Laptops (remove only)
Blackhawk Striker 2 from Hewlett-Packard Laptops (remove only)
Blasterball 2 from Hewlett-Packard Laptops (remove only)
Boggle Supreme from Hewlett-Packard Laptops (remove only)
Bonjour
Books That Work DECK version 3.0
Bookworm Deluxe from Hewlett-Packard Laptops (remove only)
Bounce Symphony from Hewlett-Packard Laptops (remove only)
Broadcom 802.11 Wireless LAN Adapter
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon PowerShot A40 WIA Driver
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RAW Image Converter
Canon Utilities RemoteCapture 2.2
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Catan Online World
CCleaner
Chuzzle Deluxe from Hewlett-Packard Laptops (remove only)
ClearType Tuning Control Panel Applet
Compatibility Pack for the 2007 Office system
Conexant HD Audio
Coupon Printer for Windows
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Crystal Maze from Hewlett-Packard Laptops (remove only)
Customer Experience Enhancement
DDX DWF Support
DDXGDIRenderer
DDXSheetSets
DDXViewX
Diskeeper Professional Premier Edition
DivX
DivX Web Player
Documents To Go
DVD Flick 1.3.0.7
DWGDirectX Core
Easy Internet Sign-up
ESPNMotion
eXPert PDF V3
FATE from Hewlett-Packard Laptops (remove only)
FileZilla Client 3.2.8.1
Final Drive Nitro from Hewlett-Packard Laptops (remove only)
Flip Words from Hewlett-Packard Laptops (remove only)
Free Easy Burner V 4.0
Garmin Communicator Plugin with myGarmin Agent
Garmin POI Loader
Garmin USB Drivers
GemMaster Mystic
Glary Utilities 2.26.0.956
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
GrandPrix Race Manager Report Viewer v6
GrandPrix Race Manager v6
Hallmark Card Studio Express
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB922120-v6)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP BatteryCheck 1.00 A7
HP Document Manager 1.0
HP Driver Diagnostics
HP Game Console and games
HP Help and Support
HP Imaging Device Functions 10.0
HP Officejet All-In-One Series
HP Pavilion Webcam Demo
HP Pavilion Webcam Tray Icon
HP Photosmart Essential 2.5
HP Photosmart Premier Software 6.0
HP Print Diagnostic Utility
HP Product Detection
HP Quick Launch Buttons 6.10 A2
HP QuickPlay 2.3
HP Rhapsody
HP Smart Web Printing
HP Solution Center 10.0
HP Update
HP User Guides 0032
HP Webcam
HP Wireless Assistant
iGrafx 2005
iGrafx Professional/Process Download Evaluation Edition
Insaniquarium Deluxe from Hewlett-Packard Laptops (remove only)
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 21
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Jewel Quest from Hewlett-Packard Laptops (remove only)
LDS Library 2009
LDS Scriptures CD-ROM Resource Edition
Lemonade Tycoon 2 from Hewlett-Packard Laptops (remove only)
Lexibox Deluxe from Hewlett-Packard Laptops (remove only)
Lotus Notes
Lotus Notes 6.5.1
Macromedia Flash Player 8
Macromedia Shockwave Player
Mah Jong Quest from Hewlett-Packard Laptops (remove only)
MapSource - U.S. Roads & Recreation v3.03
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft PhotoDraw 2000
Microsoft Project 2000 SR-1
Microsoft Silverlight
Microsoft Streets and Trips 2005
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MicroWizard Fast Track Utility
MobileMe Control Panel
MP3 Player Utilities 1.47
MP3 Player Utilities 4.15
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
muvee autoProducer 5.0
NetWaiting
NVIDIA Drivers
Oasis from Hewlett-Packard Laptops (remove only)
OCR Software by I.R.I.S. 10.0
Office 2003 Trial Assistant
Otto
Palm Desktop by ACCESS
Paragon Drive Copy 8.0 Personal Special Edition
PDFCreator
PDFExport
Personal Ancestral File 5
Polar Bowler from Hewlett-Packard Laptops (remove only)
Polar Golfer from Hewlett-Packard Laptops (remove only)
Puzzle Express from Hewlett-Packard Laptops (remove only)
Quicken Deluxe 98
QuickTime
RadioShack USB to Serial Cable
RealPlayer
RealUpgrade 1.0
Registry Mechanic 5.0
Rhapsody
Rhapsody Player Engine
SCRABBLE from Hewlett-Packard Laptops (remove only)
ScreenPrint32 v3.5
Search Settings v1.2.3
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Slingo Deluxe from Hewlett-Packard Laptops (remove only)
Slyder from Hewlett-Packard Laptops (remove only)
Snowboard SuperJam
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SonicAC3Encoder
SonicMPEGEncoder
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Super Granny from Hewlett-Packard Laptops (remove only)
SVGExport
Synaptics Pointing Device Driver
System Requirements Lab
T7350 Simulator
TourSetup
Tradewinds from Hewlett-Packard Laptops (remove only)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.1
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Driver Package - usbvm326 (usbvm328) Image (10/12/2006 326.1.061012.25)
Windows Imaging Component
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinZip
Wireless Home Network Setup
Xvid 1.1.2 final uninstall
Yahoo! Toolbar for Internet Explorer
Zoom ADSL Modem
Zoom ADSL Modem
Zuma Deluxe from Hewlett-Packard Laptops (remove only)
RichPhillips
Active Member
Posts: 7
Joined: August 8th, 2010, 1:00 pm

Re: Internet Searches being redirected

Post by askey127 » August 10th, 2010, 4:09 pm

Hi RichPhillips,
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.
Click the "X" in the upper right corner of the HijackThis window to close it.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :
Ad-Aware
Coupon Printer for Windows
Customer Experience Enhancement
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Registry Mechanic 5.0
Spybot - Search & Destroy 1.5.2.20

Take extra care in answering questions posed by any uninstaller. You can re-install a new version of Spybot after we are done, if you wish.
-----------------------------------------------------------
REBOOT(RESTART) Your Machine
-----------------------------------------------
Download MBRCheck by a_d_13 from here and save it to your Desktop.

  • Double click MBRCheck.exe
  • A black command type window will open
  • After a short while, a text file will appear on your desktop named MBRCheck_Date_Time.txt
  • Press 'N' on your keyboard, then press 'Enter' to close the window.
  • Copy/paste the contents of MBRCheck_Date_Time.txt in your next reply
------------------------------------------------------------
Please download the GMER Rootkit Scanner from Here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
      See image below
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.

So we are looking for the log from MBRCheck and the log from Gmer.
Use separate posts if you prefer.
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
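As an added illustration of what askey127's reply asks the user to review (not code from the thread, from HijackThis, or from MalwareRemoval.com): the script below parses R0/R1 lines in the HijackThis log format shown in the first post and lists every Internet Explorer start/search setting whose data is not one of the Microsoft defaults visible in that log, and it picks out the superseded Java runtimes in the Add/Remove Programs list, keeping only the newest one. The line pattern, the known-good value set and the sample inputs are this example's own assumptions (the sample lines are copied from the logs in this thread); a helper would still read each flagged line by hand, exactly as the reply does, since an unexpected value is a prompt for review rather than proof of infection.

```python
import re
from dataclasses import dataclass

# Constructed sample: R0/R1 lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
"""

# Constructed sample: Add/Remove Programs entries copied from the uninstall list in this thread.
SAMPLE_INSTALLED = [
    "Adobe Reader 9.3.2",
    "J2SE Runtime Environment 5.0 Update 1",
    "J2SE Runtime Environment 5.0 Update 10",
    "J2SE Runtime Environment 5.0 Update 11",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) 6 Update 2",
    "Java(TM) 6 Update 21",
    "Java(TM) 6 Update 3",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 7",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Windows XP Service Pack 3",
]

# HijackThis R0/R1 line: "<section> - <hive\key>,<value name> = <data>", data possibly empty.
# This pattern is the example's own assumption about the log layout, not HijackThis code.
R_LINE = re.compile(r"^(R[01]) - (HK\w+\\[^,]+),([^=]+?)\s*=\s*(.*)$")

# Values a helper would accept without comment: the Microsoft fwlink defaults that appear
# in the log above, plus a blank start page. Any other data is listed for review.
KNOWN_GOOD = {
    "Start Page": {"about:blank", "http://go.microsoft.com/fwlink/?LinkId=69157"},
    "Default_Page_URL": {"http://go.microsoft.com/fwlink/?LinkId=69157"},
    "Default_Search_URL": {"http://go.microsoft.com/fwlink/?LinkId=54896"},
    "Search Page": {"http://go.microsoft.com/fwlink/?LinkId=54896"},
}

# Uninstall-list names for Sun Java runtimes, as they appear in the thread's list.
JAVA_NAME = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?) "
    r"(\d+)(?:\.0)? Update (\d+)$"
)


@dataclass(frozen=True)
class IeSetting:
    section: str  # "R0" or "R1"
    key: str      # registry key, hive-prefixed (HKCU\... or HKLM\...)
    name: str     # value name, e.g. "Start Page"
    data: str     # value data; "" when the log shows an empty value


def parse_ie_settings(log_text):
    """Return the R0/R1 entries found in a HijackThis log; other lines are ignored."""
    settings = []
    for raw in log_text.splitlines():
        m = R_LINE.match(raw.strip())
        if m:
            settings.append(IeSetting(*m.groups()))
    return settings


def settings_to_review(settings):
    """Entries whose data is empty or not in the known-good set for that value name."""
    return [s for s in settings if s.data not in KNOWN_GOOD.get(s.name, set())]


def superseded_java_runtimes(installed):
    """Every installed Java runtime except the single newest (major, update) one,
    oldest first; older runtimes keep known-fixed bugs reachable from the browser."""
    found = []
    for name in installed:
        m = JAVA_NAME.match(name)
        if m:
            found.append(((int(m.group(1)), int(m.group(2))), name))
    if not found:
        return []
    newest = max(found)[1]
    return [name for _, name in sorted(found) if name != newest]


if __name__ == "__main__":
    for s in settings_to_review(parse_ie_settings(SAMPLE_HJT_LOG)):
        print(f"review: {s.section} {s.key},{s.name} = {s.data!r}")
    for name in superseded_java_runtimes(SAMPLE_INSTALLED):
        print(f"superseded: {name}")
```

Run against the sample data, the review list is the two empty Search values and the ProxyOverride entry, and the superseded-Java list is the nine runtimes the reply asks to uninstall, leaving Java(TM) 6 Update 21 in place.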

Re: Internet Searches being redirected

Post by RichPhillips » August 11th, 2010, 5:37 pm

Thanks for the advice. I used HiJackThis and control panel to remove the items you spec'd. I ran MBRCheck and the file will follow the text of this message. I tried to run GMER. I will send the partial list that I have. The first time I ran it, the program slowed to a crawl when it was in the registry...like it was out of resources. I stopped the scan and saved the file. I rebooted and ran gmer with only the registry, files and ADS checked. I got a blue screen error. I think it made it thru the registry before the error. Tried again and got the same result. Let me know the next steps. Thanks

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 150):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF7358000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7347000 pci.sys
0xF7487000 isapnp.sys
0xF7497000 ohci1394.sys
0xF74A7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 aliide.sys
0xF798D000 viaide.sys
0xF798F000 intelide.sys
0xF7329000 pcmcia.sys
0xF74B7000 MountMgr.sys
0xF730A000 ftdisk.sys
0xF7991000 dmload.sys
0xF72E4000 dmio.sys
0xF78A3000 ACPIEC.SYS
0xF7A50000 \WINDOWS\SYSTEM32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF78A7000 hotcore.sys
0xF74C7000 VolSnap.sys
0xF72CC000 atapi.sys
0xF72B3000 nvata.sys
0xF729A000 nvatabus.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF727A000 fltmgr.sys
0xF7268000 sr.sys
0xF7717000 PxHelp20.sys
0xF7251000 KSecDD.sys
0xF71C4000 Ntfs.sys
0xF7197000 NDIS.sys
0xF74F7000 Serial.sys
0xF717D000 Mup.sys
0xF7527000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF793F000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7947000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0xF7537000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF780F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF794F000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF702E000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF6CA7000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF6C93000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF796B000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0xF7877000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6C6F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7747000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7547000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7557000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7567000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6C4C000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7577000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF6C38000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF77B7000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xF7587000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xF6BEC000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xF6B9C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7139000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xF6B51000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xF6B1A000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xF7597000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF779F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6AE5000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF799D000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF77EF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7AD5000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF75A7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7933000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6ACE000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF75B7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF75C7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF783F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6ABD000 \SystemRoot\system32\DRIVERS\psched.sys
0xF75D7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7867000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF787F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF69ED000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF75E7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79A7000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF698F000 \SystemRoot\system32\DRIVERS\update.sys
0xF7103000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF794B000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF75F7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7607000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7617000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xF4812000 \SystemRoot\system32\drivers\CHDAud.sys
0xF47C6000 \SystemRoot\system32\drivers\portcls.sys
0xF7637000 \SystemRoot\system32\drivers\drmk.sys
0xF4792000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xF46A0000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF45ED000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF776F000 \SystemRoot\System32\Drivers\Modem.SYS
0xF47FA000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79B7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B34000 \SystemRoot\System32\Drivers\Null.SYS
0xF79BB000 \SystemRoot\System32\Drivers\Beep.SYS
0xF77CF000 \SystemRoot\System32\drivers\vga.sys
0xF79BF000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79C3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF77DF000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF77F7000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF47F2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF4592000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF4539000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF44FF000 \SystemRoot\System32\Drivers\avgtdix.sys
0xF44D9000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7687000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF44B1000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF448F000 \SystemRoot\System32\drivers\afd.sys
0xF7697000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF79CB000 \SystemRoot\system32\DRIVERS\eabfiltr.sys
0xF43C4000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF4354000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76A7000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7827000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xF4320000 \SystemRoot\System32\Drivers\avgldx86.sys
0xF42D4000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF42BB000 \SystemRoot\System32\Drivers\dump_nvata.sys
0xF79E1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF45CD000 \SystemRoot\System32\drivers\Dxapi.sys
0xF786F000 \SystemRoot\System32\watchdog.sys
0xBF9C4000 \SystemRoot\System32\drivers\dxg.sys
0xF7ADB000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9D6000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB9ED7000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF7647000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xB9CB6000 \SystemRoot\system32\drivers\wdmaud.sys
0xB9E3B000 \SystemRoot\system32\drivers\sysaudio.sys
0xB93DD000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB9C2B000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7847000 \SystemRoot\System32\Drivers\DLPortIO.SYS
0xB8174000 \SystemRoot\System32\Drivers\HTTP.sys
0xB762E000 \SystemRoot\system32\DRIVERS\srv.sys
0xF7A29000 \SystemRoot\System32\Drivers\MCSTRM.SYS
0xB7373000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB7354000 \??\C:\WINDOWS\system32\drivers\mqac.sys
0xB7232000 \??\C:\WINDOWS\system32\drivers\RMCast.sys
0xB71F2000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys
0xB6FF5000 \??\C:\Program Files\HP\QuickPlay\000.fcl
0xB6901000 \SystemRoot\system32\DRIVERS\serscan.sys
0xB4BE1000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 69):
0 System Idle Process
4 System
816 C:\WINDOWS\system32\smss.exe
864 csrss.exe
892 C:\WINDOWS\system32\winlogon.exe
936 C:\WINDOWS\system32\services.exe
948 C:\WINDOWS\system32\lsass.exe
1120 C:\WINDOWS\system32\svchost.exe
1184 svchost.exe
1236 C:\WINDOWS\system32\svchost.exe
1476 svchost.exe
1532 svchost.exe
1796 C:\WINDOWS\system32\spoolsv.exe
300 C:\WINDOWS\explorer.exe
672 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
708 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
728 svchost.exe
844 C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
996 msdtc.exe
1312 C:\PROGRA~1\AVG\AVG9\avgtray.exe
1420 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1448 C:\Program Files\AVG\AVG9\avgwdsvc.exe
1624 C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
1668 C:\WINDOWS\system32\ctfmon.exe
1732 C:\Program Files\Windows Media Player\wmpnscfg.exe
1864 C:\WINDOWS\ehome\ehrecvr.exe
1956 C:\Program Files\AVG\AVG9\avgnsx.exe
220 C:\WINDOWS\ehome\ehSched.exe
328 C:\WINDOWS\system32\svchost.exe
588 C:\Program Files\palmOne\Hotsync.exe
1232 C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
1592 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
1968 C:\WINDOWS\system32\svchost.exe
2072 C:\Program Files\Java\jre6\bin\jqs.exe
2092 C:\Program Files\AVG\AVG9\avgchsvx.exe
2088 C:\Program Files\AVG\AVG9\avgrsx.exe
2324 C:\Program Files\AVG\AVG9\avgcsrvx.exe
2340 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2344 C:\Program Files\Microsoft Office\Office10\MSOFFICE.EXE
2488 C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
2792 naPrdMgr.exe
2784 C:\Program Files\Common Files\Motive\McciCMService.exe
2852 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
2924 C:\Program Files\lotus\notes\ntmulti.exe
3092 C:\WINDOWS\system32\svchost.exe
3132 C:\WINDOWS\system32\nvsvc32.exe
3144 C:\WINDOWS\system32\svchost.exe
3196 svchost.exe
3208 C:\WINDOWS\system32\svchost.exe
3616 C:\WINDOWS\system32\searchindexer.exe
3748 C:\Program Files\Canon\CAL\CALMAIN.exe
3768 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
3816 mcrdsvc.exe
3880 C:\WINDOWS\system32\mqsvc.exe
3936 wmpnetwk.exe
1432 C:\WINDOWS\system32\mqtgsvc.exe
2272 C:\WINDOWS\system32\wscntfy.exe
3260 C:\Program Files\AVG\AVG9\avgscanx.exe
3280 C:\Program Files\AVG\AVG9\avgcsrvx.exe
4152 C:\WINDOWS\system32\svchost.exe
4232 wmiprvse.exe
4376 C:\WINDOWS\system32\dllhost.exe
4848 alg.exe
5572 C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
5120 C:\WINDOWS\system32\searchprotocolhost.exe
4740 searchfilterhost.exe
4996 C:\WINDOWS\system32\searchprotocolhost.exe
5180 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
5676 C:\Documents and Settings\Rich Phillips\desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000014`2afac600 (FAT32)

PhysicalDrive0 Model Number: HTS541010G9SA00, Rev: MBZOC60P

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F19F100B4DC860880BDC331CC9D56B1C13F605D5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-11 15:36:09
Windows 5.1.2600 Service Pack 3
Running: lxjv9s3z.exe; Driver: C:\DOCUME~1\RICHPH~1\LOCALS~1\Temp\ufxcypog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6CA7360, 0x22698D, 0xE8000020]
C:\Program Files\HP\QuickPlay\000.fcl entry point in "" section [0xB74D6000]
.clc C:\Program Files\HP\QuickPlay\000.fcl unknown last section [0xB74D7000, 0x1000, 0x00000000]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\WINDOWS\system32\SearchIndexer.exe[3704] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
RichPhillips
Active Member
 
Posts: 7
Joined: August 8th, 2010, 1:00 pm
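The "Unknown MBR code" verdict and the SHA1 in the MBRCheck log above come from fingerprinting the sector's boot code and comparing it against hashes of known loaders. As an added example (not part of the thread, and not MBRCheck's own code), here is a Python parser that performs the equivalent check on a constructed 512-byte MBR: it hashes the boot code, verifies the 0x55AA signature, looks the hash up in a placeholder allowlist, and decodes the partition table so that the byte offsets it reports match the C: and D: lines in the log. The 440-byte boot-code region, the allowlist contents and the sample sector are assumptions; the log's SHA1 is not reproduced.

```python
"""Parse a 512-byte MBR the way MBRCheck does at a high level: fingerprint the
boot code, validate the 0x55AA signature and list the partition entries.
Everything below is constructed for illustration; the hash allowlist holds a
placeholder, not real hashes of any Windows boot sector."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code (assumption: this is what we hash)
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # 0x55 0xAA

# Placeholder allowlist (constructed; a real one holds hashes of known loaders).
KNOWN_BOOT_CODE = {
    "0000000000000000000000000000000000000000": "placeholder: known-good loader",
}
PARTITION_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_partition_entry(bootable, ptype, lba_start, sectors):
    """Pack one 16-byte table entry; CHS fields left zero (LBA-only, an assumption)."""
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr(boot_code, entries, disk_signature=0x1234ABCD):
    """Assemble a full 512-byte sector from constructed parts."""
    table = b"".join(entries) + b"\0" * (16 * (4 - len(entries)))
    sector = boot_code.ljust(BOOT_CODE_LEN, b"\0")
    sector += struct.pack("<IH", disk_signature, 0)   # signature + reserved word
    sector += table + b"\x55\xAA"
    if len(sector) != SECTOR_SIZE:
        raise ValueError("bad sector length %d" % len(sector))
    return sector


def parse_mbr(sector):
    """Return the boot-code SHA1, signature validity and the non-empty partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                        # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, "0x%02X" % ptype),
            "lba_start": lba,
            "byte_offset": lba * SECTOR_SIZE,   # the "at offset" value MBRCheck prints
            "sectors": count,
        })
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "valid_signature": sector[SIGNATURE_OFF:] == b"\x55\xAA",
        "partitions": partitions,
    }


def classify(parsed, allowlist=KNOWN_BOOT_CODE):
    """MBRCheck-style verdict: a hash not on the allowlist is 'Unknown MBR code'."""
    if not parsed["valid_signature"]:
        return "Invalid MBR signature"
    name = allowlist.get(parsed["boot_code_sha1"])
    return "Known: %s" % name if name else "Unknown MBR code"


def report(parsed):
    """Render a short MBRCheck-like summary."""
    lines = []
    for p in parsed["partitions"]:
        lines.append("partition %d: %s at offset 0x%010x%s" % (
            p["index"], p["type"], p["byte_offset"], " (active)" if p["bootable"] else ""))
    lines.append("SHA1: " + parsed["boot_code_sha1"])
    lines.append(classify(parsed))
    return "\n".join(lines)


# Constructed sample whose layout mirrors the thread's MBRCheck output: C: (NTFS)
# at byte offset 0x7e00 = LBA 63, D: (FAT32) at 0x142afac600 = LBA 169180515.
SAMPLE_BOOT_CODE = b"\xEB\x3C\x90CONSTRUCTED-BOOT-CODE-NOT-A-REAL-LOADER"
SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE, [
    build_partition_entry(True, 0x07, 63, 169180452),
    build_partition_entry(False, 0x0B, 169180515, 26000000),
])

if __name__ == "__main__":
    print(report(parse_mbr(SAMPLE_MBR)))
```

On a real disk the sector would be read from the raw device and the allowlist filled with hashes of the loaders you expect (per Windows version and OEM); an unknown hash is a reason to image the sector for analysis, not proof of infection by itself.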
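The "User code sections" part of the GMER log above lists inline hooks: an exported function whose first bytes were overwritten with a JMP into another module, as with the msvcrt allocator functions in Hotsync.exe redirected into the MicroQuill memory-management DLL in the same folder. As an added example (not from the thread and not GMER's code), here is a Python parser for those lines plus a simple triage heuristic of my own: a hook landing in memory backed by no module is rated high, one landing in a trusted publisher's DLL shipped alongside the process is rated informational, anything else medium. The first three sample lines are copied from the log; the fourth (explorer.exe) is constructed, and the vendor allowlist is an assumption.

```python
"""Parse the 'User code sections' lines of a GMER log and triage each inline hook.
The first three sample lines are copied from the log above; the fourth is a
constructed hook into unbacked memory so the suspicious branch is exercised."""
import ntpath
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^(?P<section>\.\w+)\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+(?:\s\+\s\d+)?)\s+"
    r"(?P<address>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<target_module>.+?)\s+\((?P<vendor>.*)\))?\s*$"
)

# Constructed allowlist of publishers whose hooks are expected when their DLL
# ships in the hooked process's own directory.
TRUSTED_VENDORS = {"Microsoft Corporation", "MicroQuill Software Publishing, Inc."}

SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[288] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\WINDOWS\system32\SearchIndexer.exe[3704] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[300] ws2_32.dll!send 71AB428A 5 Bytes JMP 00A10000
"""
# The explorer.exe line is constructed (address and target made up), not from the log.


def parse_user_hooks(text):
    """Return one dict per hook line; lines that are not hooks are ignored."""
    hooks = []
    for raw in text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["size"] = int(h["size"])
        hooks.append(h)
    return hooks


def triage_hook(h):
    """Return (level, reason) from where the hook lands and who published that code."""
    if not h["target_module"]:
        return ("high", "%s %s lands in memory backed by no module" % (h["kind"], h["target"]))
    vendor = (h["vendor"] or "").rsplit("/", 1)[-1]          # text after the last '/'
    same_dir = ntpath.dirname(h["target_module"]).lower() == ntpath.dirname(h["process"]).lower()
    if vendor in TRUSTED_VENDORS and same_dir:
        return ("info", "redirected into %s, a %s library shipped with the process"
                % (ntpath.basename(h["target_module"]), vendor))
    return ("medium", "redirected into third-party module %s (%s)"
            % (h["target_module"], vendor or "no publisher"))


def summarize(hooks):
    """Group triaged hooks by (process, pid) for a per-process view."""
    by_proc = defaultdict(list)
    for h in hooks:
        level, reason = triage_hook(h)
        by_proc[(h["process"], h["pid"])].append(
            {"hook": "%s!%s" % (h["module"], h["export"]), "level": level, "reason": reason})
    return dict(by_proc)


if __name__ == "__main__":
    for (proc, pid), items in summarize(parse_user_hooks(SAMPLE_LOG)).items():
        print("%s [%d]" % (proc, pid))
        for it in items:
            print("  %-6s %-28s %s" % (it["level"], it["hook"], it["reason"]))
```

The heuristic only narrows what to look at; a hook rated informational still deserves a check that the DLL on disk is the one the vendor ships.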

Re: Internet Searches being redirected

Unread postby askey127 » August 11th, 2010, 5:56 pm

RichPhillips,
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVG
    Please open the AVG Control Center, by right clicking on the AVG icon in the task bar.
    • Click on Tools.
    • Select Advanced.
    • In the left hand pane, scroll down to "Resident Shield".
    • In the main pane, DESELECT the option to "Enable Resident Shield."
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Re-enable your protection software and post the log in your next reply.
A copy of the log will be located here -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.
askey127
Admin/Teacher
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Internet Searches being redirected

Unread postby RichPhillips » August 11th, 2010, 10:44 pm

Askey127:

The log file for ComboFix follows. After stage_2 completed and before Stage_3 completed, I got the following Windows message: PEV.cfxxe has encountered a problem and needs to close. Not sure what that was. I closed the window and ComboFix went through the remaining stages to completion.

Thanks for all your help.

ComboFix 10-08-11.04 - Rich Phillips 08/11/2010 22:28:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1148 [GMT -4:00]
Running from: c:\documents and settings\Rich Phillips\Desktop\zzz.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\12.tmp
C:\18.tmp
C:\1E.tmp
C:\24.tmp
C:\2A.tmp
C:\30.tmp
C:\C.tmp
c:\documents and settings\Rich Phillips\Application Data\Microsoft\~DFK39d44e96.tmp
c:\documents and settings\Rich Phillips\Application Data\Microsoft\1eaadjc.dll
c:\documents and settings\Rich Phillips\Application Data\Microsoft\bass.dll
c:\documents and settings\Rich Phillips\Application Data\Microsoft\kfgresk.dll
c:\documents and settings\Rich Phillips\Application Data\Microsoft\mjcriu.dll
c:\documents and settings\Rich Phillips\Application Data\Microsoft\peaadje.dll
c:\documents and settings\Rich Phillips\Application Data\Microsoft\qwadjb.dll
c:\documents and settings\Rich Phillips\Application Data\Microsoft\rsaadjd.dll
c:\program files\Search Settings
c:\program files\Search Settings\SeARchsettings.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))
.

2010-08-12 02:23 . 2010-08-12 02:23 -------- d-----w- c:\documents and settings\Rich Phillips\Application Data\AVG9
2010-08-11 21:39 . 2010-08-11 21:39 -------- d-----w- c:\windows\LastGood
2010-08-11 01:39 . 2010-08-11 01:39 11648 ----a-w- c:\windows\system32\drivers\ACPIEC.SYS
2010-08-11 00:08 . 2010-08-11 00:08 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-08-10 16:14 . 2010-08-11 01:46 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-09 18:04 . 2010-08-09 18:04 -------- d-sh--w- c:\documents and settings\Rich Phillips\IECompatCache
2010-08-08 01:53 . 2010-08-08 01:53 388096 ----a-r- c:\documents and settings\Rich Phillips\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-08 01:52 . 2010-08-08 01:52 -------- d-----w- C:\HJT
2010-08-08 01:25 . 2010-08-08 01:25 -------- d-----w- c:\program files\CCleaner
2010-07-24 01:26 . 2010-07-24 01:26 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-16 13:36 . 2010-07-16 13:36 12536 ----a-w- c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-11 21:39 . 2009-03-31 23:09 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-11 15:51 . 2006-09-20 04:39 -------- d-----w- c:\program files\Java
2010-08-11 15:42 . 2007-03-09 20:53 -------- d-----w- c:\program files\Lavasoft
2010-08-11 15:42 . 2008-02-06 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-11 15:41 . 2007-04-14 11:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-11 15:26 . 2009-08-02 01:09 -------- d-----w- c:\documents and settings\Rich Phillips\Application Data\vlc
2010-08-11 11:32 . 2007-10-06 01:49 -------- d-----w- c:\program files\palmOne
2010-08-11 00:08 . 2010-08-11 00:08 664 ----a-w- c:\windows\system32\d3d9caps.tmp
2010-08-11 00:08 . 2007-02-12 12:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-09 18:49 . 2006-09-20 06:26 -------- d-----w- c:\program files\Yahoo!
2010-08-09 18:48 . 2007-02-13 02:38 -------- d-----w- c:\program files\Google
2010-08-08 02:14 . 2007-04-14 11:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-06 17:47 . 2010-04-19 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-02 22:03 . 2010-08-02 22:03 503808 ----a-w- c:\documents and settings\Rich Phillips\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-29364dd9-n\msvcp71.dll
2010-08-02 22:03 . 2010-08-02 22:03 499712 ----a-w- c:\documents and settings\Rich Phillips\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-29364dd9-n\jmc.dll
2010-08-02 22:03 . 2010-08-02 22:03 348160 ----a-w- c:\documents and settings\Rich Phillips\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-29364dd9-n\msvcr71.dll
2010-08-02 22:03 . 2010-08-02 22:03 61440 ----a-w- c:\documents and settings\Rich Phillips\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-21a95f52-n\decora-sse.dll
2010-08-02 22:03 . 2010-08-02 22:03 12800 ----a-w- c:\documents and settings\Rich Phillips\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-21a95f52-n\decora-d3d.dll
2010-07-24 11:57 . 2009-08-18 22:16 -------- d-----w- c:\program files\Glary Utilities
2010-07-17 09:00 . 2010-08-02 22:03 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 13:36 . 2010-04-19 22:09 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 13:35 . 2010-04-19 22:09 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-26 11:40 . 2010-06-26 11:40 238920 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-21 13:14 . 2010-06-21 13:14 -------- d-----w- c:\program files\Garmin GPS Plugin
2010-06-21 13:14 . 2010-06-21 13:14 -------- d-----w- c:\program files\Garmin
2010-06-21 13:14 . 2009-01-23 15:50 -------- d-----w- c:\program files\DIFX
2010-06-21 11:58 . 2010-06-21 11:53 -------- d-----w- c:\documents and settings\Rich Phillips\Application Data\GARMIN
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27871\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27871\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27871\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\27871\AcrobatUpdater.exe
2010-06-02 21:42 . 2010-06-02 21:42 61440 ----a-w- c:\documents and settings\Rich Phillips\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1890d07f-n\decora-sse.dll
2010-06-02 21:42 . 2010-06-02 21:42 503808 ----a-w- c:\documents and settings\Rich Phillips\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3383da6f-n\msvcp71.dll
2010-06-02 21:42 . 2010-06-02 21:42 499712 ----a-w- c:\documents and settings\Rich Phillips\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3383da6f-n\jmc.dll
2010-06-02 21:42 . 2010-06-02 21:42 348160 ----a-w- c:\documents and settings\Rich Phillips\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3383da6f-n\msvcr71.dll
2010-06-02 21:42 . 2010-06-02 21:42 12800 ----a-w- c:\documents and settings\Rich Phillips\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1890d07f-n\decora-d3d.dll
2010-06-02 13:33 . 2010-04-19 22:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-27 86016]
"nwiz"="nwiz.exe" [2006-09-27 1617920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"MyGarminAgent"="c:\program files\Garmin\MyGarminAgent\MyGarminAgent.exe" [2010-03-16 337256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-08-10 53248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-11-25 98304]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"ehTray"=c:\windows\ehome\ehtray.exe
"vspdfprsrv.exe"=c:\program files\Visage\PDF Printer\vspdfprsrv.exe --background
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe"
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
"QlbCtrl"=%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"QPService"="c:\program files\HP\QuickPlay\QPService.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 hotcore;hotcore;c:\windows\system32\drivers\hotcore.sys [12/12/2006 11:53 PM 30820]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/19/2010 6:09 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/19/2010 6:09 PM 243024]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [9/16/2008 9:53 PM 39408]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:36 AM 308136]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\dlportio.sys [1/19/2008 4:46 PM 3584]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9c6d239efcdfe;Google Update Service (gupdate1c9c6d239efcdfe);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2009 8:50 PM 133104]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 4:39 PM 61952]
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys --> \Device\NaiAvFilter101.sys [?]
S4 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/8/2010 12:51 AM 380928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-11 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-08-18 15:14]

2010-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-27 00:50]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-27 00:50]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1608137220-2889867678-1777695091-1006Core.job
- c:\documents and settings\Kenny Phillips\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-07 12:16]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1608137220-2889867678-1777695091-1006UA.job
- c:\documents and settings\Kenny Phillips\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-07 12:16]

2010-08-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1608137220-2889867678-1777695091-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-08-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1608137220-2889867678-1777695091-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.15\AMVConverter\grab.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 22:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????f??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-08-11 22:36:05
ComboFix-quarantined-files.txt 2010-08-12 02:36

Pre-Run: 45,732,790,272 bytes free
Post-Run: 45,728,034,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 2043FDDEE096B5DFE80E3CF65B1DF226
RichPhillips
Active Member
 
Posts: 7
Joined: August 8th, 2010, 1:00 pm

Re: Internet Searches being redirected

Unread postby askey127 » August 12th, 2010, 4:28 pm

RichPhillips,
There appears to be an infection in the Master Boot Record.
This is the part of your hard drive that tells the system where Windows is located when it boots up.
Failure of this "MBR" to do its job properly would result in a machine that could not boot up at all, so any changes to the MBR have to be done very carefully.

HP usually makes a custom version of the standard Master Boot Record, to provide at boot-up, a special capability (via F9 or F12?) to call a hidden Restore Partition and revert the Machine to its "as-purchased" state.
The hidden Restore Partition contains a compressed copy of the entire hard drive operating system, as delivered.
If a repair is made and the MBR is replaced with a "standard" one to fix an infection, the ability to completely Restore the system to its "as-purchased state" could be destroyed.
Some HP machines have NO Windows XP installation CD disk at all, and the Restore Partition is the only complete backup available.
In the case of NO Windows Installation CD disk, the Restore Partition (called HP Recovery Partition) becomes, in effect, the only definite proof of a Windows License if you ever had to re-install the Windows system.

In your case, a replacement of the MBR with a standard one would most likely work, but is not without risk, and might also result in NO future access to the HP "Recovery" partition.

To be safe, I recommend that you contact HP, tell them your model number, and also that you have a Master Boot Record infection.
Then request the best course of action from them.

If you understand what I am saying, and really want to take the chance, I will give you instructions that will replace the Master Boot Record with a "standard" one.
Let me know what you would like to do.
askey127
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Internet Searches being redirected

Unread postby RichPhillips » August 13th, 2010, 8:22 pm

askey127:

Thanks for your help. The redirecting of searches has not recurred after all the steps we went through. And I have not detected any other malware symptoms.

One other thing that I did during the effort was to run the Windows Live OneCare safety scanner. It found 5 occurrences of java exploit in one of the java update folders even after we removed the update using the control panel. It also identified one pdf exploit. The scanner said it could not remove the files but I deleted these files and directories.

Anyway. Do you think that I am OK leaving the MBR "as is" as long as I am not having the re-direction symptoms? All AVG, MS Live OneCare, and MS malicious software scans are showing clean. I am apprehensive about messing with the MBR and I really doubt that HP would be much help.

If the symptoms recur, can I contact the forum again for help? Looking forward to your response.

Thanks
RichPhillips
Active Member
 
Posts: 7
Joined: August 8th, 2010, 1:00 pm

Re: Internet Searches being redirected

Unread postby askey127 » August 14th, 2010, 6:51 am

RichPhillips,
I cannot in good conscience recommend leaving it as is, since I can't tell what the infection may download or otherwise do in the future.

What you may want to do, if you can manage it, is to make a complete image of your entire hard drive, saving the image to an external Hard Drive, like a USB WD passport or similar.
An Imaging program like Norton Ghost, or Acronis TrueImage or Terabyte Image would be required.
It would be accomplished by using the boot disk CD from the imaging program to perform the task.
Then at least you would have access to a total restoration of the drive as it is now, and you would then have much less risk to try an MBR repair.

With rootkit infections as they are now, full drive imaging is one of the only certain protections against a fatal system corruption.
As long as you follow the rules of the forum, you can post back here any time.
askey127
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Internet Searches being redirected

Unread postby RichPhillips » August 14th, 2010, 11:16 am

askey127:

Thanks. I purchased and downloaded Acronis TrueImage and have made a bootable recovery CD using TrueImage. I am in the process of creating the 93GB image of the C:, D:, and an unlabeled 1GB drive partition per TrueImage. Not sure what the unlabeled partition is. Hope it is OK to include it in the back-up. Let me know what the next steps will be.

Rich Phillips
RichPhillips
Active Member
 
Posts: 7
Joined: August 8th, 2010, 1:00 pm

Re: Internet Searches being redirected

Unread postby askey127 » August 14th, 2010, 11:56 am

The unlabeled partition is the HP "Recovery" partition.

When you have the image of the entire HD made, let me know and I will give instructions on how to replace the Master Boot Record (if you want to do it).

At least then if there is a crash or boot failure after the MBR repair, you will have the ability to put the Hard Drive back to the way it is now.
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Internet Searches being redirected

Unread postby RichPhillips » August 16th, 2010, 9:43 am

Askey127:

I guess I am as ready as I ever will be. Now that I have the TrueImage software, if the MBR repair is successful, I can create a new bootable CD and image backup. Won't miss having the HP recovery manager; can just use the Acronis software.

Where are you in NH? I used to live in Nashua and work in Burlington, MA back in the late 1980s. Now live in GA.
RichPhillips
Active Member
 
Posts: 7
Joined: August 8th, 2010, 1:00 pm

Re: Internet Searches being redirected

Unread postby askey127 » August 16th, 2010, 11:26 am

Rich,
I live in Bedford; retired here quite a few years ago.

If you have an image of the whole hard drive (not just a collection of smaller images of individual partitions), you can proceed as follows.
If it doesn't work, you know what to do.
If at any time things don't look right in the sequence below, stop.
======================================
Start MBRCheck
- Enter 'Y' for more options
- Choose Option '2' to restore the MBR
- Enter the Physical disk number - Enter '0' for disk 0
- Available MBR codes - Enter '1' for Windows XP
- Answer 'YES' to "Do you want to fix the MBR code?"
- After successful message, Hit <Enter>

Reboot and sign in to your usual account (fingers crossed).
Let me know how it goes.
askey127
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
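An added example, not part of this thread and not the MBRCheck tool's own code: a small Python reader for a 512-byte MBR sector that does the checks askey127's MBR explanation and the MBRCheck steps above rely on. It validates the 0x55AA signature, decodes the four partition entries (flagging type IDs commonly used for hidden vendor recovery partitions, which is an assumption about what the "unlabeled 1GB partition" would look like), and hashes the boot-code area so it can be compared against a hash of a known-good loader. The sample sector and the "known good" hash are constructed here for the demo.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # boot code area; the disk signature follows at 0x1B8
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE      # 0x55 0xAA boot signature

# Partition type IDs vendors commonly use for hidden recovery partitions
# (assumption for this example; the thread never states the partition's type).
RECOVERY_TYPES = {0x12: "Compaq/HP diagnostics or recovery",
                  0x1C: "Hidden FAT32 (LBA)", 0x27: "Windows RE hidden NTFS"}

def parse_mbr(sector: bytes) -> dict:
    """Validate the signature, decode partition entries, hash the boot code."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA"
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "recovery_hint": RECOVERY_TYPES.get(ptype)})
    return {"signature_ok": sig_ok, "partitions": parts,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()}

def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Construct a demo MBR sector (not taken from any real disk)."""
    sec = bytearray(SECTOR)
    sec[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sec, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba, count)
    sec[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sec)

# Constructed stand-in for a known loader; a real check would use hashes of real ones.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20
KNOWN_GOOD = {hashlib.sha256(CLEAN_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest():
              "sample known loader"}

def assess(sector: bytes, known_good=KNOWN_GOOD) -> str:
    """Verdict: invalid signature, known boot code, or unknown (non-standard) code."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid: missing 0x55AA signature"
    name = known_good.get(info["boot_code_sha256"])
    return f"known boot code ({name})" if name else "unknown boot code: non-standard or modified"
```

As the thread itself shows, a vendor-customised loader (the HP one that keeps F11 recovery working) also hashes as unknown, so an "unknown" verdict on its own identifies a non-standard MBR, not necessarily an infected one; a full-drive image before any repair is what keeps that ambiguity survivable.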

Re: Internet Searches being redirected

Unread postby RichPhillips » August 17th, 2010, 10:33 am

Askey127:

I submitted a reply yesterday but it hasn't shown up in the thread?

I think the fix worked. I even ran MBRCheck twice. MBRCheck reported that it successfully wrote a new MBR record and after reboot, all seems fine. However, the MBRCheck report still shows PhysicalDrive0 with an unknown MBR code and reports the MBR as non-standard or infected. Not sure why that is. Also, the F11 key still works on bootup and takes you to the HP recovery manager.

I am assuming all is OK and have made a new bootable CD and a new image backup.

Thank you for your service here on the forum. I retired three years ago and do a lot of service work for my church. I really appreciate you taking the time to help people with these computer problems.

Best wishes for continued success and good health in your retirement.

Rich Phillips

PS. I miss the fall season in NH, but not the winters.
RichPhillips
Active Member
 
Posts: 7
Joined: August 8th, 2010, 1:00 pm

Re: Internet Searches being redirected

Unread postby askey127 » August 17th, 2010, 2:44 pm

Rich,
Thanks.
Good luck with it going forward.
MBRCheck is getting smarter. It probably only overwrote the part it needed to, and left the rest.

askey127
askey127
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Internet Searches being redirected

Unread postby NonSuch » August 20th, 2010, 10:33 pm

As this issue appears to be resolved, this topic is now closed.

You can help support this site from this link :
Donations For Malware Removal
NonSuch
Administrator
 
Posts: 27305
Joined: February 23rd, 2005, 7:08 am
Location: California