Excellent
Let me read through it...
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
c:\windows\system32\drivers\54623057.sys
c:\programdata\PKP_DLdu.DAT
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.bat
Folder::
Driver::
is-GMUL4drv
Registry::
RegLockDel::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
Ran ComboFix w/ CFScript.txt and ran HijackThis. The new logfiles follow.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 09-11-03.01 - admin 11/03/2009 20:28.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1858 [GMT -5:00]
Running from: c:\users\admin\Desktop\4c56rg7d.com
Command switches used :: c:\users\admin\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\programdata\PKP_DLdu.DAT"
"c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.bat"
"c:\windows\system32\drivers\54623057.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\PKP_DLdu.DAT
c:\windows\system32\drivers\54623057.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IS-GMUL4DRV
-------\Service_is-GMUL4drv
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.
2009-11-04 01:35 . 2009-11-04 01:40 -------- d-----w- c:\users\admin\AppData\Local\temp
2009-11-04 01:35 . 2009-11-04 01:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-04 01:35 . 2009-11-04 01:35 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-04 01:35 . 2009-11-04 01:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-04 00:34 . 2009-11-04 00:48 -------- d-----w- C:\4c56rg7d
2009-10-29 14:55 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-29 14:55 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-29 14:55 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-29 14:55 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-29 14:55 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-29 14:55 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-29 14:55 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-29 14:55 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-29 14:55 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-28 19:20 . 2009-10-28 20:52 -------- d-----w- C:\ComboFix
2009-10-28 13:41 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 13:41 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 14:03 . 2009-10-26 14:03 -------- d-----w- c:\users\admin\AppData\Roaming\Malwarebytes
2009-10-26 14:03 . 2009-10-26 14:03 -------- d-----w- c:\programdata\Malwarebytes
2009-10-24 23:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-24 23:13 . 2009-10-24 23:15 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-24 23:12 . 2009-10-24 23:15 -------- d-----w- c:\programdata\Lavasoft
2009-10-24 23:12 . 2009-10-24 23:12 -------- d-----w- c:\program files\Lavasoft
2009-10-24 21:59 . 2009-10-24 21:59 -------- d-----w- c:\program files\Trend Micro
2009-10-24 17:20 . 2009-10-24 18:46 -------- d-----w- C:\$AVG
2009-10-24 17:20 . 2009-10-24 21:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-24 17:20 . 2009-10-24 17:20 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-24 17:20 . 2009-10-24 17:20 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-24 17:20 . 2009-11-03 14:25 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-24 17:20 . 2009-10-24 17:20 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-24 17:20 . 2009-10-28 19:27 -------- d-----w- c:\programdata\avg9
2009-10-24 15:17 . 2009-10-24 16:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-24 15:17 . 2009-10-24 16:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-24 03:44 . 2009-10-24 03:44 -------- d-----w- c:\users\admin\AppData\Local\Threat Expert
2009-10-24 03:35 . 2009-10-24 16:59 -------- d-----w- c:\programdata\PC Tools
2009-10-24 03:19 . 2009-10-24 03:19 -------- d-----w- c:\programdata\XoftSpySE
2009-10-16 14:42 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 14:42 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 14:40 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 14:40 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 22:37 . 2009-09-23 14:09 103955 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\swscale-0.dll
2009-10-13 22:37 . 2009-09-23 14:09 43539 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\avutil-50.dll
2009-10-13 22:37 . 2009-09-23 14:09 2954259 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\avcodec-52.dll
2009-10-13 22:37 . 2009-09-23 14:09 514067 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\avformat-52.dll
2009-10-13 22:32 . 2009-10-13 22:32 -------- d-----w- c:\programdata\NCH Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 01:36 . 2009-11-01 03:57 696728 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-04 01:36 . 2009-11-01 03:57 59273248 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-04 00:27 . 2009-10-29 22:49 -------- d-----w- c:\users\admin\AppData\Roaming\SUPERAntiSpyware.com
2009-11-04 00:27 . 2009-10-29 22:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 05:41 . 2009-11-03 05:45 19944 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-03 04:31 . 2009-11-03 04:31 -------- d-----w- c:\programdata\F-Secure
2009-11-01 04:06 . 2009-11-01 04:06 -------- d-----w- c:\programdata\is-6JRR8
2009-11-01 04:04 . 2009-11-01 04:04 -------- d-----w- c:\programdata\is-GMUL4
2009-11-01 03:57 . 2009-11-01 03:57 -------- d-----w- c:\programdata\is-N6F3K
2009-10-31 01:54 . 2009-05-21 19:54 -------- d-----w- c:\users\admin\AppData\Roaming\DNA
2009-10-31 01:41 . 2009-10-31 01:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-31 01:41 . 2007-08-05 05:00 -------- d-----w- c:\program files\Java
2009-10-29 22:49 . 2009-10-29 22:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-24 23:21 . 2007-12-14 18:43 -------- d-----w- c:\program files\Google
2009-10-24 01:23 . 2009-10-03 22:39 -------- d-----w- c:\program files\AVG
2009-10-17 04:43 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-17 02:14 . 2007-12-01 02:03 -------- d-----w- c:\programdata\Microsoft Help
2009-10-17 02:13 . 2007-08-05 05:01 -------- d-----w- c:\program files\Microsoft Works
2009-10-04 04:45 . 2007-12-01 15:04 123696 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-04 03:56 . 2007-11-30 22:49 123696 ----a-w- c:\users\admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-04 03:56 . 2009-10-04 03:56 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-10-03 23:59 . 2009-10-03 23:59 -------- d-----w- c:\program files\Apple Software Update
2009-10-01 14:29 . 2009-10-03 14:12 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-08-31 13:55 . 2009-10-16 14:41 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-16 14:41 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39 . 2009-09-02 22:18 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 22:18 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-16 14:41 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-16 14:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-16 14:41 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-09 10:20 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 10:20 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 10:20 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 10:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 10:20 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 10:20 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 10:20 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 10:20 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 10:20 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:16 . 2009-09-09 10:20 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2007-08-05 05:16 . 2007-08-05 05:11 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-11-04_00.46.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-05 04:27 . 2009-11-03 21:09 54092 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2007-08-05 04:27 . 2009-11-04 00:59 54092 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2009-11-03 21:09 71364 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-04 01:40 71364 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-11-30 23:04 . 2009-11-04 01:40 13736 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3331803270-2357299798-1493206031-1000_UserData.bin
- 2007-11-30 23:04 . 2009-11-03 21:09 13736 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3331803270-2357299798-1493206031-1000_UserData.bin
- 2007-11-30 22:43 . 2009-11-03 21:05 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-11-30 22:43 . 2009-11-04 00:55 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-11-30 22:43 . 2009-11-04 00:55 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-30 22:43 . 2009-11-03 21:05 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-30 22:43 . 2009-11-04 00:55 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-11-30 22:43 . 2009-11-03 21:05 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-04 01:37 . 2009-11-04 01:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-03 21:06 . 2009-11-03 21:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-03 21:06 . 2009-11-03 21:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-04 01:37 . 2009-11-04 01:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-11-04 01:01 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-11-03 21:10 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-11-03 21:10 101144 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-11-04 01:01 101144 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-14 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-24 2010904]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/24/2009 12:20 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/24/2009 12:20 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/24/2009 12:20 PM 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/23/2009 9:34 PM 133104]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2008-10-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]
2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 02:33]
2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 02:33]
.
.
------- Supplementary Scan -------
.
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - Sign In
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: stargatewars.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-03 20:39
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x88160E07]<<
kernel: MBR read successfully
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3852)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
.
**************************************************************************
.
Completion time: 2009-11-04 20:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 01:49
ComboFix2.txt 2009-11-04 00:48
Pre-Run: 300,822,974,464 bytes free
Post-Run: 300,595,888,128 bytes free
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:05 PM, on 11/3/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\KbdStub.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://*.stargatewars.com
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/...fslauncher.cab
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 6440 bytes
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
How is redirection?
The redirects are still occurring, and z43523673.cn server access is no longer being blocked.
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.bat
Folder::
Driver::
Registry::
RegLockDel::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
Also see if RootRepeal will run now...
Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
  - Drivers
  - Files
  - Processes
  - SSDT
  - Stealth Objects
  - Hidden Services
- Click the OK button
- In the next dialog, select all drives showing
- Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running.
- When the scan is complete, the Save Report button will become available
- Click this and save the report to your Desktop as RootRepeal.txt
- Go to File, then Exit to close the program
Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.
Ran ComboFix w/ new CFScript file and ran HijackThis. Logfiles follow.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 09-11-03.01 - admin 11/03/2009 22:29.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1638 [GMT -5:00]
Running from: c:\users\admin\Desktop\4c56rg7d.com
Command switches used :: c:\users\admin\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
FILE ::
"c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.bat"
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.
2009-11-04 03:35 . 2009-11-04 03:35 -------- d-----w- c:\users\admin\AppData\Local\temp
2009-11-04 03:35 . 2009-11-04 03:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-04 03:35 . 2009-11-04 03:35 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-04 03:35 . 2009-11-04 03:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-04 01:23 . 2009-11-04 01:50 -------- d-----w- C:\4c56rg7d49204
2009-11-04 00:34 . 2009-11-04 00:48 -------- d-----w- C:\4c56rg7d
2009-10-29 14:55 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-29 14:55 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-29 14:55 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-29 14:55 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-29 14:55 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-29 14:55 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-29 14:55 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-29 14:55 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-29 14:55 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-28 19:20 . 2009-10-28 20:52 -------- d-----w- C:\ComboFix
2009-10-28 13:41 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 13:41 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 14:03 . 2009-10-26 14:03 -------- d-----w- c:\users\admin\AppData\Roaming\Malwarebytes
2009-10-26 14:03 . 2009-10-26 14:03 -------- d-----w- c:\programdata\Malwarebytes
2009-10-24 23:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-24 23:13 . 2009-10-24 23:15 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-24 23:12 . 2009-10-24 23:15 -------- d-----w- c:\programdata\Lavasoft
2009-10-24 23:12 . 2009-10-24 23:12 -------- d-----w- c:\program files\Lavasoft
2009-10-24 21:59 . 2009-10-24 21:59 -------- d-----w- c:\program files\Trend Micro
2009-10-24 17:20 . 2009-10-24 18:46 -------- d-----w- C:\$AVG
2009-10-24 17:20 . 2009-10-24 21:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-24 17:20 . 2009-10-24 17:20 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-24 17:20 . 2009-10-24 17:20 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-24 17:20 . 2009-11-03 14:25 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-24 17:20 . 2009-10-24 17:20 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-24 17:20 . 2009-10-28 19:27 -------- d-----w- c:\programdata\avg9
2009-10-24 15:17 . 2009-10-24 16:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-24 15:17 . 2009-10-24 16:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-24 03:44 . 2009-10-24 03:44 -------- d-----w- c:\users\admin\AppData\Local\Threat Expert
2009-10-24 03:35 . 2009-10-24 16:59 -------- d-----w- c:\programdata\PC Tools
2009-10-24 03:19 . 2009-10-24 03:19 -------- d-----w- c:\programdata\XoftSpySE
2009-10-16 14:42 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 14:42 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 14:40 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 14:40 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 22:37 . 2009-09-23 14:09 103955 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\swscale-0.dll
2009-10-13 22:37 . 2009-09-23 14:09 43539 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\avutil-50.dll
2009-10-13 22:37 . 2009-09-23 14:09 2954259 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\avcodec-52.dll
2009-10-13 22:37 . 2009-09-23 14:09 514067 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\avformat-52.dll
2009-10-13 22:32 . 2009-10-13 22:32 -------- d-----w- c:\programdata\NCH Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 01:36 . 2009-11-01 03:57 696728 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-04 01:36 . 2009-11-01 03:57 59273248 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-04 00:27 . 2009-10-29 22:49 -------- d-----w- c:\users\admin\AppData\Roaming\SUPERAntiSpyware.com
2009-11-04 00:27 . 2009-10-29 22:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 05:41 . 2009-11-03 05:45 19944 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-03 04:31 . 2009-11-03 04:31 -------- d-----w- c:\programdata\F-Secure
2009-11-01 04:06 . 2009-11-01 04:06 -------- d-----w- c:\programdata\is-6JRR8
2009-11-01 04:04 . 2009-11-01 04:04 -------- d-----w- c:\programdata\is-GMUL4
2009-11-01 03:57 . 2009-11-01 03:57 -------- d-----w- c:\programdata\is-N6F3K
2009-10-31 01:54 . 2009-05-21 19:54 -------- d-----w- c:\users\admin\AppData\Roaming\DNA
2009-10-31 01:41 . 2009-10-31 01:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-31 01:41 . 2007-08-05 05:00 -------- d-----w- c:\program files\Java
2009-10-29 22:49 . 2009-10-29 22:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-24 23:21 . 2007-12-14 18:43 -------- d-----w- c:\program files\Google
2009-10-24 01:23 . 2009-10-03 22:39 -------- d-----w- c:\program files\AVG
2009-10-17 04:43 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-17 02:14 . 2007-12-01 02:03 -------- d-----w- c:\programdata\Microsoft Help
2009-10-17 02:13 . 2007-08-05 05:01 -------- d-----w- c:\program files\Microsoft Works
2009-10-04 04:45 . 2007-12-01 15:04 123696 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-04 03:56 . 2007-11-30 22:49 123696 ----a-w- c:\users\admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-04 03:56 . 2009-10-04 03:56 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-10-03 23:59 . 2009-10-03 23:59 -------- d-----w- c:\program files\Apple Software Update
2009-10-01 14:29 . 2009-10-03 14:12 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-08-31 13:55 . 2009-10-16 14:41 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-16 14:41 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39 . 2009-09-02 22:18 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 22:18 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-16 14:41 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-16 14:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-16 14:41 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-09 10:20 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 10:20 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 10:20 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 10:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 10:20 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 10:20 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 10:20 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 10:20 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 10:20 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:16 . 2009-09-09 10:20 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2007-08-05 05:16 . 2007-08-05 05:11 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-11-04_00.46.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-05 04:27 . 2009-11-04 00:59 54092 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2007-08-05 04:27 . 2009-11-03 21:09 54092 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2009-11-03 21:09 71364 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-04 01:40 71364 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-11-30 23:04 . 2009-11-04 01:40 13736 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3331803270-2357299798-1493206031-1000_UserData.bin
- 2007-11-30 23:04 . 2009-11-03 21:09 13736 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3331803270-2357299798-1493206031-1000_UserData.bin
- 2007-11-30 22:43 . 2009-11-03 21:05 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-11-30 22:43 . 2009-11-04 01:37 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-11-30 22:43 . 2009-11-03 21:05 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-30 22:43 . 2009-11-04 01:37 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-30 22:43 . 2009-11-04 01:37 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-11-30 22:43 . 2009-11-03 21:05 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-04 01:37 . 2009-11-04 01:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-03 21:06 . 2009-11-03 21:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-03 21:06 . 2009-11-03 21:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-04 01:37 . 2009-11-04 01:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-04 11:16 . 2009-11-04 03:14 242052 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2009-11-04 01:45 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-11-03 21:10 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-11-03 21:10 101144 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-11-04 01:45 101144 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-14 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-24 2010904]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/24/2009 12:20 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/24/2009 12:20 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/24/2009 12:20 PM 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/23/2009 9:34 PM 133104]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2008-10-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]
2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 02:33]
2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 02:33]
.
.
------- Supplementary Scan -------
.
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - Sign In
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: stargatewars.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-03 22:35
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x88160E07]<<
kernel: MBR read successfully
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(944)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
Completion time: 2009-11-04 22:37
ComboFix-quarantined-files.txt 2009-11-04 03:37
ComboFix2.txt 2009-11-04 01:50
ComboFix3.txt 2009-11-04 00:48
Pre-Run: 300,613,488,640 bytes free
Post-Run: 300,576,055,296 bytes free
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:14 PM, on 11/3/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\KbdStub.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - Sign In
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://*.stargatewars.com
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/...fslauncher.cab
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 6336 bytes
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
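As an added example (my own script, not part of this thread and not something ComboFix, HijackThis or GMER produce): a small Python triage pass over hand-copied excerpts of the two logs above. It flags the items a reviewer would look at first in a case like this: the `>>UNKNOWN [0x...]<<` module in the disk call chain reported by the Stealth MBR check, drivers written shortly before the scan (atapi.sys here), the `is-XXXXX` ProgramData folders that share their naming with the removed is-GMUL4drv service, Security Center monitoring switched off, AppInit_DLLs entries and Trusted Zone additions. The seven-day window, the severity labels and the AppInit allowlist are my assumptions; Inno Setup installers also create `is-XXXXX` temp folders, so that hit is a lead to check, not a verdict.

```python
"""Triage helper for ComboFix / HijackThis style logs (added example, not tool output)."""
import re
from datetime import datetime, timedelta

# Constructed excerpts hand-copied from the kind of output posted above; not full logs.
COMBOFIX_EXCERPT = r"""
2009-11-03 05:41 . 2009-11-03 05:45 19944 ------w- c:\windows\system32\drivers\atapi.sys
2009-10-24 17:20 . 2009-10-24 17:20 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-01 04:06 . 2009-11-01 04:06 -------- d-----w- c:\programdata\is-6JRR8
2009-11-01 04:04 . 2009-11-01 04:04 -------- d-----w- c:\programdata\is-GMUL4
2009-11-01 03:57 . 2009-11-01 03:57 -------- d-----w- c:\programdata\is-N6F3K
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x88160E07]<<
"""

HJT_EXCERPT = r"""
O15 - Trusted Zone: http://*.stargatewars.com
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

SCAN_DATE = datetime(2009, 11, 4)          # completion date shown in the log header

FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
IS_FOLDER = re.compile(r"\\is-[A-Z0-9]{5}$")   # same shape as the removed is-GMUL4drv service
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def triage_combofix(text, scan_date=SCAN_DATE, recent_days=7):
    """Return (severity, category, detail) tuples for a ComboFix-style log."""
    findings = []
    reg_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            reg_key = line[1:-1].lower()
            continue
        hook = UNKNOWN_MODULE.search(line)
        if hook:
            # An unnamed module in the disk I/O call chain is the classic sign of
            # a kernel hook sitting between the filesystem and the disk driver.
            findings.append(("high", "disk-stack-hook",
                             "unknown kernel module at %s in the disk I/O call chain" % hook.group(1)))
            continue
        if (reg_key and "security center" in reg_key
                and line.lower().startswith('"disablemonitoring"') and line.endswith("dword:00000001")):
            findings.append(("medium", "security-center", "monitoring disabled under " + reg_key))
            continue
        entry = FILE_LINE.match(line)
        if not entry:
            continue
        path = entry.group("path")
        modified = datetime.strptime(entry.group("modified"), "%Y-%m-%d %H:%M")
        # A core driver written shortly before the scan deserves a hash check against
        # a known-good copy; the window is an assumption, tune it to the case.
        if "\\drivers\\" in path.lower() and scan_date - modified <= timedelta(days=recent_days):
            findings.append(("high", "recent-driver", "%s modified %s" % (path, entry.group("modified"))))
        if entry.group("attrs").startswith("d") and IS_FOLDER.search(path):
            # Inno Setup installers also create is-XXXXX temp folders, so this is a lead, not a verdict.
            findings.append(("low", "is-folder", path))
    return findings


def triage_hijackthis(text, appinit_allowlist=frozenset()):
    """Return findings for the HijackThis O-lines that matter most in this kind of case."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("O15 - Trusted Zone:"):
            findings.append(("medium", "trusted-zone", line.split(":", 1)[1].strip()))
        elif line.startswith("O20 - AppInit_DLLs:"):
            dll_path = line.split(":", 1)[1].strip()
            dll_name = dll_path.rsplit("\\", 1)[-1].lower()
            # AppInit_DLLs loads into every user-mode process; only an explicit allowlist downgrades it.
            severity = "info" if dll_name in appinit_allowlist else "high"
            findings.append((severity, "appinit-dll", dll_path))
    return findings


def triage(combofix_text, hjt_text, scan_date=SCAN_DATE, appinit_allowlist=frozenset()):
    """Merge both reports, highest severity first."""
    findings = triage_combofix(combofix_text, scan_date) + triage_hijackthis(hjt_text, appinit_allowlist)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, category, detail in triage(COMBOFIX_EXCERPT, HJT_EXCERPT,
                                             appinit_allowlist=frozenset({"avgrsstx.dll"})):
        print("%-6s %-16s %s" % (severity, category, detail))
```

Run it on a full log by pasting the relevant sections into the two strings (or reading them from the saved Combofix.txt and hijackthis.log). The point of the allowlist argument is that an AppInit DLL from the installed AV is still reported, just at info level, so the entry never silently disappears from the review.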
I'll retry running RootRepeal now.
Ok.
RootRepeal keeps locking up during the "Files" portion of the scan.
??
Download and run this tool: http://www2.gmer.net/mbr/mbr.exe
Post its log.