Search redirect virus

Welcome. Thank you for using Dell Community Forums.

I am reviewing your log. In the meantime, you can help me by addressing the following:

* Have you have posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.  The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a list HERE.    

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

*  Please open Notepad > Format> UNcheck Wordwrap. Close Notepad.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

I look forward to your reply so we can begin cleaning.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.

I have not posted to another forum.

I have done nothing with system restore.

No cracked software.

No P2P.

My computer.

First time using HijackThis.

Wordwrap in Notepad has been unchecked.

Thanks for the help.

Right click the running icon of Spybot's TeaTimer, and choose Exit SpyBot S&D - Resident'

While both Teatimer and SpyBot are closed:

Download ResetTeaTimer.bat to remove all entries set by TeaTimer (and preventing TeaTimer from restoring them upon reactivation).

http://downloads.subratam.org/ResetTeaTimer.bat

If you are using Firefox, right click the above link and choose ‘Save As’.

Save it to your desktop.

Save it as resetteatimer.bat

Run Spybot-S&D Go to the Mode menu, and make sure "Advanced Mode" is selected On the left hand side, choose Tools -> Resident Uncheck "Resident TeaTimer" and OK any prompts Restart your computer.

Double click on resetteatimer.bat to run it, and wait for it to finish.

Since it will not be needed again, delete ResetTeaTimer.bat after you run it.

When we are COMPLETELY finished with ALL your fixes, you can turn Teatimer back on again via SpyBot's tools resident page.

We need to see some additional information about what is happening in your machine.

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool.
• Click Yes at the prompt for Optional Scan.
• When done, DDS will open two (2) logs

• 1. DDS.txt
  2. Attach.txt

• Save both reports to your desktop.
• Copy/paste both logs to your reply on the forum.
• Close the program window, and delete the program from your desktop.

• Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

When I opened DDS I didn't get the Yes prompt for optional scan. However, on its own the two files opened in notepad and are copied below. I assume this is alright.

DDS (Ver_09-02-01.01) - NTFSx86  
Run by Todd at 19:21:05.93 on Fri 02/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.342 [GMT -6:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe
C:\Program Files\DELL\Dell Laser MFP 1815\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Todd.JOHNSONBANNONPL\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb/
mDefault_Page_URL = hxxp://companyweb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: DeskBandHelper Class: {9e0b5480-4ff0-4fee-818b-d4db0f220d64} - c:\progra~1\lexisn~1\pclaw\plietool.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: PCLaw Web Timer: {0e1230f8-ea50-42a9-983c-d22abc2eed4b} - c:\progra~1\lexisn~1\pclaw\plietool.dll
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office x3\programs\QFSCHD130.EXE"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MFP1815_S2P] c:\program files\dell\dell laser mfp 1815\psu\Scan2Pc.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\dell\dell laser mfp 1815\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\dell\dell laser mfp 1815\paperport\IndexSearch.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [FirefoxUltimateOptimizer] "c:\misc\firefox-ultimate-optimizer-11\Firefox Ultimate Optimizer.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\todd~1.joh\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\docume~1\todd~1.joh\startm~1\programs\startup\phones~1.lnk - \\server\clientapps\pslips\PSWIN32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Add to  Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {91d9cee5-3906-40f7-b51a-9b013b59c826} - {836ece4e-a83a-404a-9433-6b15a66cb0fc} - c:\progra~1\lexisn~1\pclaw\plietool.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {9d2169e0-0775-4080-9b4e-90fce9945b4a} - {2741ca04-5b65-4b10-afc0-4e8387fe6bde} - c:\progra~1\lexisn~1\pclaw\plietool.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
DPF: PLLiveUpWeb - hxxp://support.pclaw.com/PLLiveUpWeb.CAB
DPF: PLUpdate - hxxp://www.pclaw.com/PLUpdate.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193769629649
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193769595211
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: {6BAA49F9-A31B-480D-8BC9-0A64BEB5E969} = 10.177.176.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\todd~1.joh\applic~1\mozilla\firefox\profiles\z9fk82ao.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://www.yahoo.com
FF - component: c:\documents and settings\todd.johnsonbannonpl\application data\mozilla\firefox\profiles\z9fk82ao.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\evernote\evernote3\fftbclipper\components\enbar3.dll
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: XUL Cache: {E8A7EF07-91D9-4E74-A9ED-85027ECC918C} - c:\documents and settings\todd.johnsonbannonpl\local settings\application data\{E8A7EF07-91D9-4E74-A9ED-85027ECC918C}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-6 64160]
R1 avgio;avgio;c:\program files\antivir personaledition classic\avgio.sys [2007-7-5 11840]
R1 LADriver;LADriver;c:\windows\system32\drivers\LADriver.sys [2007-8-5 27136]
R1 LDDriver;LDDriver;c:\windows\system32\drivers\LDDriver.sys [2007-8-5 24064]
R1 LHDriver;LHDriver;c:\windows\system32\drivers\LHDriver.sys [2007-8-5 14336]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-27 353680]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2007-7-5 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2007-7-5 151297]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2008-7-21 193888]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avgntflt;avgntflt;c:\program files\antivir personaledition classic\avgntflt.sys [2007-7-5 52032]
S2 gupdate1c95bd8428515f2;Google Update Service (gupdate1c95bd8428515f2);c:\program files\google\update\GoogleUpdate.exe [2008-12-11 133104]

=============== Created Last 30 ================

2009-02-06 14:48    

Teatimer is still running. Did you run resetteatimer.bat ?

I thought teatimer was closed. I followed the directions again and after rebooting opened spybot and confirmed that teatimer was unchecked. I then ran DDS again. Here are the files.

Thanks

DDS (Ver_09-01-07.01) - NTFSx86  
Run by Todd at  9:52:17.21 on Sat 02/07/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.397 [GMT -6:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe
C:\Program Files\DELL\Dell Laser MFP 1815\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Todd.JOHNSONBANNONPL\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb/
mDefault_Page_URL = hxxp://companyweb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: DeskBandHelper Class: {9e0b5480-4ff0-4fee-818b-d4db0f220d64} - c:\progra~1\lexisn~1\pclaw\plietool.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: PCLaw Web Timer: {0e1230f8-ea50-42a9-983c-d22abc2eed4b} - c:\progra~1\lexisn~1\pclaw\plietool.dll
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office x3\programs\QFSCHD130.EXE"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MFP1815_S2P] c:\program files\dell\dell laser mfp 1815\psu\Scan2Pc.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\dell\dell laser mfp 1815\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\dell\dell laser mfp 1815\paperport\IndexSearch.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [FirefoxUltimateOptimizer] "c:\misc\firefox-ultimate-optimizer-11\Firefox Ultimate Optimizer.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\todd~1.joh\startm~1\programs\startup\palmon~1.lnk - c:\program files\palmone\register.exe
StartupFolder: c:\docume~1\todd~1.joh\startm~1\programs\startup\phones~1.lnk - \\server\clientapps\pslips\PSWIN32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Add to  Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {91d9cee5-3906-40f7-b51a-9b013b59c826} - {836ece4e-a83a-404a-9433-6b15a66cb0fc} - c:\progra~1\lexisn~1\pclaw\plietool.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {9d2169e0-0775-4080-9b4e-90fce9945b4a} - {2741ca04-5b65-4b10-afc0-4e8387fe6bde} - c:\progra~1\lexisn~1\pclaw\plietool.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
TCP: {6BAA49F9-A31B-480D-8BC9-0A64BEB5E969} = 10.177.176.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\todd~1.joh\applic~1\mozilla\firefox\profiles\z9fk82ao.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://www.yahoo.com
FF - component: c:\documents and settings\todd.johnsonbannonpl\application data\mozilla\firefox\profiles\z9fk82ao.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\evernote\evernote3\fftbclipper\components\enbar3.dll
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: XUL Cache: {E8A7EF07-91D9-4E74-A9ED-85027ECC918C} - c:\documents and settings\todd.johnsonbannonpl\local settings\application data\{E8A7EF07-91D9-4E74-A9ED-85027ECC918C}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-6 64160]
R1 avgio;avgio;c:\program files\antivir personaledition classic\avgio.sys [2007-7-5 11840]
R1 LADriver;LADriver;c:\windows\system32\drivers\LADriver.sys [2007-8-5 27136]
R1 LDDriver;LDDriver;c:\windows\system32\drivers\LDDriver.sys [2007-8-5 24064]
R1 LHDriver;LHDriver;c:\windows\system32\drivers\LHDriver.sys [2007-8-5 14336]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-27 353680]
R3 avgntflt;avgntflt;c:\program files\antivir personaledition classic\avgntflt.sys [2007-7-5 52032]
R4 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2007-7-5 68865]
R4 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2007-7-5 151297]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R4 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2008-7-21 193888]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S4 gupdate1c95bd8428515f2;Google Update Service (gupdate1c95bd8428515f2);c:\program files\google\update\GoogleUpdate.exe [2008-12-11 133104]

=============== Created Last 30 ================

2009-02-06 14:48    

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  IMPORTANT! * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log for further review.

* Additional information on A/V control HERE

Here is the combofix log file followed by the latest hijackthis scan.

Thanks.

ComboFix 09-02-06.04 - Todd 2009-02-07 12:12:40.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.505 [GMT -6:00]
Running from: c:\documents and settings\Todd.JOHNSONBANNONPL\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\wdmaud.sys

----- BITS: Possible infected sites -----

hxxp://server:8530
.
(((((((((((((((((((((((((   Files Created from 2009-01-07 to 2009-02-07  )))))))))))))))))))))))))))))))
.

2009-02-06 14:48 . 2009-02-06 14:48   

Set Explorer to view Hidden Files and Folders:

• Right-click your Start button and go to "Explore".
• Select Tools from the menu
• Select Folder Options
• Select the View tab
• Click on Show all Files and Folders
• Select Apply to All Folders | Yes | Apply | OK.

Please submit a sample of these files (one at a time):

C:\WINDOWS\System32\ezsidmv.dat
c:\windows\system32\cdintf250.dll

to Virus Total --
http://www.virustotal.com/en/indexf.html

At the top of the page you will see:
Select file>Browse>Send
Just follow the prompts.
The submission will then be tested against many different AV vendors� scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.

Also, please go back and rehide protected system files:

Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Check: Hide protected operating system files
Click on Apply.

We will have some more work to do, but I will wait for the report from Virus Total before we proceed.

That's good. In that case, we have just a leftover we have to restore to its default settings...

Please run Notepad and paste the text between the lines into a new file. Do not copy the dotted lines.
* Make sure that Word Wrap is turned off in Notepad - (click the Format menu and uncheck Word Wrap)

Important:
Make sure there are NO blank lines before REGEDIT4 Make sure there is one blank line at the end of the file
Make sure that you have copied all of the text (e.g. Don't miss the first 'R'.)

------------------------------------------------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"="wdmaud.drv"

-------------------------------------------------------------------------------------------
Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
 Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Next: * Click Start then Run
Copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and / Then hit enter.

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Finally, please let me know how things are running after that.

Here are the results from virus total. It appears that neither file shows any virus.

File ezsidmv.dat received on 02.07.2009 20:57:24 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/39 (0%)

Loading server information...

Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.

Compact

Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

 

You can wait for web response ( automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Additional information
File size: 56 bytes
MD5...: 36c61601805ad8b0c6410189cc3c335b
SHA1..: 40c68bdf4626da46c26d4cee0878e17f55a2739e
SHA256: ab5e4b568920dd8aed50bd74971686c595c6baf60604a743e90719b2fa9dc859
SHA512: 5a71f798cb9b292c082f32de857382d0a2e8c33ffc2e8a2b8a87b4a43b856109 c9619ed068116f621cc03f5f6bfb8ee7d85082700571ae7409f9bbbdceb6eeab
ssdeep: 3:yPQgi1haZepTudRgcbb:ypiXmRgc/
PEiD..: -
Unknown!       File cdintf250.dll received on 02.07.2009 21:00:41 (CET) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/39 (0%) Loading server information... Your file is queued in position: 1. Estimated start time is between 42 and 60 seconds. Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.   You can wait for web response ( automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result a-squared 4.0.0.93 2009.02.07 - AhnLab-V3 5.0.0.2 2009.02.07 - AntiVir 7.9.0.76 2009.02.07 - Authentium 5.1.0.4 2009.02.07 - Avast 4.8.1335.0 2009.02.07 - AVG 8.0.0.229 2009.02.07 - BitDefender 7.2 2009.02.07 - CAT-QuickHeal 10.00 2009.02.07 - ClamAV 0.94.1 2009.02.07 - Comodo 969 2009.02.07 - DrWeb 4.44.0.09170 2009.02.07 - eSafe 7.0.17.0 2009.02.05 - eTrust-Vet 31.6.6346 2009.02.07 - F-Prot 4.4.4.56 2009.02.07 - F-Secure 8.0.14470.0 2009.02.07 - Fortinet 3.117.0.0 2009.02.07 - GData 19 2009.02.07 - Ikarus T3.1.1.45.0 2009.02.07 - K7AntiVirus 7.10.623 2009.02.07 - Kaspersky 7.0.0.125 2009.02.07 - McAfee 5518 2009.02.07 - McAfee+Artemis 5519 2009.02.07 - Microsoft 1.4306 2009.02.06 - NOD32 3836 2009.02.07 - Norman 6.00.02 2009.02.06 - nProtect 2009.1.8.0 2009.02.07 - Panda 9.5.1.2 2009.02.07 - PCTools 4.4.2.0 2009.02.07 - Prevx1 V2 2009.02.07 - Rising 21.15.50.00 2009.02.07 - SecureWeb-Gateway 6.7.6 2009.02.07 - Sophos 4.38.0 2009.02.07 - Sunbelt 3.2.1847.2 2009.02.07 - Symantec 10 2009.02.07 - TheHacker 6.3.1.5.248 2009.02.07 - TrendMicro 8.700.0.1004 2009.02.06 - VBA32 3.12.8.12 2009.02.05 - ViRobot 2009.2.6.1594 2009.02.06 - VirusBuster 4.5.11.0 2009.02.07 - Additional information File size: 1933312 bytes MD5...: 5e68e7d25a39d39ab2cfe7b2daf2c89c SHA1..: 215313a714e1cd90e72f853035c8261db5f54b64 SHA256: f8db57456d3a467aa961faa64f7e4c3b934c29264f493ed163b5bb3fea02e1f8 SHA512: 01c0f5c989a2c4ba0396895ab652da76ff74331ce9a4568d16fe741f4a17dc4e 49787f3bc0e8efee8aa87e87226456f2c5b956f84140ce07b50dbede76a3f84a ssdeep: 24576:UI0GBxLIqH8+TB2/vBTuSzIbgwBodJGSwfQYgzGxQcYYgYt4tcj0Ai5j5: V041muvTARUQcYq4jV5t PEiD..: Armadillo v1.xx - v2.xx TrID..: File type identification DirectShow filter (58.3%) Windows OCX File (35.7%) Win32 Executable Generic (2.4%) Win32 Dynamic Link Library (generic) (2.1%) Generic Win/DOS Executable (0.5%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x11e707 timedatestamp.....: 0x443c659e (Wed Apr 12 02:27:42 2006) machinetype.......: 0x14c (I386) ( 5 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x150b0e 0x151000 6.60 f4a906eb95ab8eb33d65c38dd109294b .rdata 0x152000 0x3cb59 0x3d000 5.57 f6e0d05beeabd44d13cbf93f3308bd4a .data 0x18f000 0x2e455 0x29000 5.39 77809e00d81fe2090943c227976b82d5 .rsrc 0x1be000 0x5400 0x6000 4.03 9e77f542f155e0b0d3af51a856328153 .reloc 0x1c4000 0x19e80 0x1a000 5.72 ed0af1c41e74c09d0b57852a6d8a09e7 ( 16 imports ) > WSOCK32.dll: -, -, -, -, -, -, -, -, -, -, - > VERSION.dll: GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA > KERNEL32.dll: GetStringTypeW, IsBadCodePtr, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetStringTypeA, SetUnhandledExceptionFilter, LCMapStringW, LCMapStringA, LocalFree, lstrcpynA, FormatMessageA, GetEnvironmentStringsW, lstrlenA, FreeLibrary, GetProcAddress, LoadLibraryA, WideCharToMultiByte, lstrlenW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetStartupInfoA, GetStdHandle, SetHandleCount, SetStdHandle, GetACP, TerminateProcess, ExitProcess, RaiseException, IsBadReadPtr, GetCommandLineA, HeapSize, HeapReAlloc, HeapAlloc, HeapFree, GetFileType, GetLocalTime, GetSystemTime, GetTimeZoneInformation, RtlUnwind, lstrcpyW, SystemTimeToFileTime, MultiByteToWideChar, CloseHandle, OpenFileMappingA, UnmapViewOfFile, SetEvent, MapViewOfFile, GetLastError, CreateEventA, CreateMutexA, WaitForSingleObject, ReleaseMutex, GetCurrentThreadId, Sleep, GetTickCount, GetVersionExA, GetCurrentProcess, GetModuleHandleA, ResetEvent, GlobalFree, GlobalUnlock, GlobalHandle, GlobalLock, GlobalAlloc, WriteProfileStringA, lstrcmpiA, GetProfileStringA, SetLastError, CopyFileA, lstrcatA, GetModuleFileNameA, LocalFileTimeToFileTime, GetOEMCP, GetCPInfo, GetDiskFreeSpaceA, GetFileTime, SetFileTime, GetFileAttributesA, GetProcessVersion, WritePrivateProfileStringA, GlobalFlags, SetErrorMode, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, TlsAlloc, LocalAlloc, GetShortPathNameA, GetThreadLocale, GetStringTypeExA, GetFullPathNameA, GetVolumeInformationA, MoveFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, GlobalReAlloc, FileTimeToLocalFileTime, FileTimeToSystemTime, IsDBCSLeadByte, GetVersion, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, GetCurrentThread, FlushInstructionCache, GetDateFormatA, GetTimeFormatA, GlobalSize, FindResourceA, LoadResource, LockResource, SizeofResource, SetFilePointer, ReadFile, WriteFile, DeleteFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, CreateFileA, GetFileSize, GetProfileIntA, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, InterlockedIncrement, lstrcmpA, MulDiv, GetUserDefaultLCID, GetLocaleInfoA, InterlockedDecrement, GetTempPathA, GetTempFileNameA, CreateFileMappingA, FindFirstFileA, FindNextFileA, FindClose, lstrcpyA > USER32.dll: MapDialogRect, SetWindowContextHelpId, CharNextA, DestroyIcon, GetSysColorBrush, GetMenuStringA, InsertMenuA, CopyAcceleratorTableA, InSendMessage, EndDialog, CreateDialogIndirectParamA, GetWindowDC, ClientToScreen, GetClassNameA, GrayStringA, TabbedTextOutA, SetRectEmpty, CreateMenu, GetDesktopWindow, DrawEdge, SetParent, MoveWindow, SetWindowTextA, LoadIconA, SendDlgItemMessageA, SetActiveWindow, EqualRect, CopyRect, ScrollWindow, GetScrollInfo, SetScrollInfo, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, GetTopWindow, WinHelpA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetMessagePos, GetForegroundWindow, SetForegroundWindow, GetWindowPlacement, GetSystemMetrics, IsRectEmpty, FindWindowA, SystemParametersInfoA, GetWindow, GetDlgCtrlID, IsIconic, IsChild, AdjustWindowRectEx, GetMenuCheckMarkDimensions, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetNextDlgTabItem, GetMessageA, GetActiveWindow, ValidateRect, GetLastActivePopup, IsWindowEnabled, PostQuitMessage, GetClassInfoExA, PostMessageA, GetWindowTextA, UnionRect, PtInRect, LoadBitmapA, LoadStringA, RemoveMenu, DrawTextA, CreatePopupMenu, AppendMenuA, TrackPopupMenu, DestroyMenu, GetPriorityClipboardFormat, ScreenToClient, GetCapture, GetKeyState, UnhookWindowsHookEx, CallWindowProcA, GetWindowLongA, SetWindowLongA, RegisterClipboardFormatA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, GetClipboardData, DestroyWindow, GetCursorPos, ReleaseCapture, SetCapture, CreateCaret, ShowCaret, SetCursor, HideCaret, IsWindow, SetCaretPos, MessageBeep, GetParent, SetFocus, GetCaretPos, BeginPaint, IsWindowVisible, EndPaint, DefWindowProcA, UnregisterClassA, RegisterClassExA, UpdateWindow, InflateRect, OffsetRect, GetSysColor, SetWindowsHookExA, IsDialogMessageA, CallNextHookEx, CharUpperW, CharUpperA, LoadCursorA, RedrawWindow, IntersectRect, IsDlgButtonChecked, GetDlgItem, SendMessageA, ShowWindow, GetWindowRect, MapWindowPoints, SetWindowPos, CreateWindowExA, CheckDlgButton, GetClientRect, GetTabbedTextExtentA, GetNextDlgGroupItem, GetDCEx, PostThreadMessageA, InvalidateRect, GetDC, ReleaseDC, GetFocus, MessageBoxA, SetRect, PeekMessageA, TranslateMessage, DispatchMessageA, MsgWaitForMultipleObjects, SendMessageTimeoutA, FillRect, RegisterWindowMessageA, EnableWindow, KillTimer, SetTimer, wsprintfA, GetMessageTime > GDI32.dll: ExtTextOutA, ExtTextOutW, SetROP2, GetBkMode, SetBkMode, SetMiterLimit, ExtCreatePen, GetPath, SetTextColor, SelectClipPath, EndPath, BeginPath, SetTextAlign, PolyBezierTo, MoveToEx, LineTo, Arc, Chord, FillPath, SetPolyFillMode, GetObjectA, GetTextAlign, LineDDA, Rectangle, CreateFontA, SetViewportOrgEx, CreatePen, TextOutA, GetTextColor, GetBkColor, GetTextExtentPoint32A, CreateEnhMetaFileA, GetEnhMetaFileBits, CloseEnhMetaFile, GetDIBits, RestoreDC, SaveDC, PtInRegion, GetTextMetricsA, LPtoDP, DPtoLP, GetClipBox, CloseMetaFile, CreateMetaFileA, CombineRgn, PtVisible, RectVisible, Escape, OffsetViewportOrgEx, SetStretchBltMode, ScaleViewportExtEx, ScaleWindowExtEx, GetCurrentPositionEx, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, CreatePatternBrush, CopyMetaFileA, GetMapMode, PatBlt, SetRectRgn, CreateRectRgnIndirect, UnrealizeObject, ResetDCA, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, SetMapMode, SetWindowExtEx, SetViewportExtEx, SetWindowOrgEx, SelectClipRgn, BitBlt, DeleteObject, EnumFontFamiliesExA, ExtEscape, GetStockObject, CreateDCA, GetEnhMetaFileA, GetFontData, CreateFontIndirectA, AddFontResourceA, RemoveFontResourceA, StretchDIBits, SetDIBitsToDevice, CreateBitmap, SetBkColor, StretchBlt, CreateSolidBrush, EndPage, GetOutlineTextMetricsA, DeleteEnhMetaFile, DeleteDC, CreatePolygonRgn, DeleteMetaFile, EndDoc, PlayEnhMetaFile, StartPage, StartDocA, GetDeviceCaps > comdlg32.dll: PrintDlgA, ReplaceTextW, ChooseFontA, GetOpenFileNameA, GetFileTitleA, FindTextW > WINSPOOL.DRV: DeviceCapabilitiesA, GetPrinterDriverA, GetJobA, DocumentPropertiesA, SetPrinterA, GetPrinterA, DeletePrintProcessorA, DeleteMonitorA, DeletePrinterDriverA, DeletePrinter, ClosePrinter, AddPrinterA, AddPrinterDriverA, GetPrinterDriverDirectoryA, OpenPrinterA, EnumPortsA, AddPrintProcessorA, GetPrintProcessorDirectoryA, GetPrinterDataA, SetPrinterDataA > ADVAPI32.dll: CryptAcquireContextA, RegSetValueExA, GetFileSecurityA, SetFileSecurityA, RegQueryValueA, RegCreateKeyA, RegSetValueA, RegOpenKeyA, RegEnumKeyA, CryptHashData, CryptGetHashParam, CryptCreateHash, CryptDestroyHash, CryptReleaseContext, CryptGetUserKey, RegDeleteKeyA, RegSetKeySecurity, RegDeleteValueA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, ControlService, OpenSCManagerA, OpenServiceA, CloseServiceHandle, QueryServiceStatus, StartServiceA, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyExA, RegCloseKey > SHELL32.dll: ExtractIconA, ShellExecuteA, ShellExecuteW, ShellExecuteExA > COMCTL32.dll: - > oledlg.dll: -, - > ole32.dll: WriteFmtUserTypeStg, CoTreatAsClass, ReadClassStm, OleLoadFromStream, OleFlushClipboard, OleIsCurrentClipboard, OleGetClipboard, OleInitialize, OleUninitialize, CoFreeUnusedLibraries, CoGetClassObject, CoRegisterMessageFilter, CreateBindCtx, CoRegisterClassObject, OleIsRunning, CoCreateInstanceEx, StgCreateDocfile, WriteClassStg, ProgIDFromCLSID, CoTaskMemFree, SetConvertStg, CreateGenericComposite, CreateItemMoniker, CreateStreamOnHGlobal, WriteClassStm, OleGetIconOfClass, GetHGlobalFromILockBytes, StgOpenStorageOnILockBytes, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, OleSave, OleLoad, OleCreate, OleCreateLinkToFile, OleCreateFromFile, OleCreateStaticFromData, OleSetContainedObject, StringFromCLSID, OleLockRunning, StgIsStorageFile, StgOpenStorage, CreateFileMoniker, OleRun, CLSIDFromString, CLSIDFromProgID, CreateOleAdviseHolder, ReleaseStgMedium, CreateDataAdviseHolder, OleDuplicateData, CoDisconnectObject, OleSetMenuDescriptor, ReadClassStg, ReadFmtUserTypeStg, OleRegGetUserType, CoCreateInstance, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, OleSaveToStream, CoTaskMemAlloc, CreateDataCache, StringFromGUID2, CoRevokeClassObject > OLEPRO32.DLL: -, -, -, - > OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, - > RPCRT4.dll: UuidCreate > CRYPT32.dll: CryptVerifyMessageSignature, CryptAcquireCertificatePrivateKey, CertFreeCertificateContext, CertCloseStore, CertGetNameStringA, CertOpenStore, CertFindCertificateInStore, CryptSignMessage ( 175 exports ) BatchConvertEx, CDICreateDC, CDISetDefaultPrinter, CaptureEvents, ConcatenateFiles, DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, DocAppend, DocAutoBookmarksA, DocAutoBookmarksW, DocAutoHyperLinksA, DocAutoHyperLinksW, DocClose, DocConvertToEXCELA, DocConvertToEXCELW, DocConvertToHTMLA, DocConvertToHTMLW, DocConvertToJPEGA, DocConvertToJPEGW, DocConvertToRTFA, DocConvertToRTFW, DocConvertToTIFFA, DocConvertToTIFFW, DocDigitalSignatureA, DocDigitalSignatureW, DocEmailMapiA, DocEmailMapiW, DocEmailSmtpA, DocEmailSmtpW, DocEncrypt128A, DocEncrypt128W, DocEncryptA, DocEncryptW, DocLinearize, DocMerge, DocOpenA, DocOpenW, DocOptimize, DocPrintA, DocPrintW, DocSaveA, DocSaveW, DocSetAuthorA, DocSetBookmarkXYA, DocSetBookmarkXYW, DocSetCreatorA, DocSetHyperLinkInternal, DocSetHyperLinkURLA, DocSetHyperLinkURLW, DocSetKeywordsA, DocSetSubjectA, DocSetTitleA, DocSplitA, DocSplitW, DocSplitXYA, DocSplitXYW, DriverEnd, DriverInit, EMFDriverInit, EnablePrinter, EncryptPDFDocument, EncryptPDFDocument128, GLock, GUnlock, GetCompression, GetDevmodeFlags, GetDocumentTitle, GetEmailOptions, GetEncryption, GetFontEmbedding, GetGeneratedFilename, GetHorizontalMargin, GetImageOptions, GetInlineImageMaxSize, GetJPEGCompression, GetJPegLevel, GetLastErrorMsg, GetOrientation, GetOwnerPassword, GetPaperLength, GetPaperSize, GetPaperWidth, GetPermissions, GetPrinterAttributes, GetPrinterLanguage, GetPrinterParamInt, GetPrinterParamStr, GetResolution, GetSimPostscript, GetUserPassword, GetVersionInformation, GetVerticalMargin, HTMLDriverInit, KeepPreProcessed, LinearizePDFDocument, Lock, MergeFiles, PDF2EXCEL, PDF2HTML, PDF2JPEG, PDF2RTF, PDF2TIFF, PDFDriverInit, PPEndDoc, PPEndObject, PPEndPage, PPInit, PPStartDoc, PPStartObject, PPStartPage, PPWriteBuffer, PrintPDFDocument, PrintPDFDocumentEx, RTFDriverInit, RestoreDefaultPrinter, SendMail, SendMailW, SendMessagesTo, SendSmtpMail, SendSmtpMailW, SetBookmark, SetCompression, SetDefaultConfig, SetDefaultConfigEx, SetDefaultDirectory, SetDefaultFileName, SetDefaultPrinter, SetDevmodeFlags, SetDocFileProps, SetEmailFieldBCC, SetEmailFieldCC, SetEmailFieldFrom, SetEmailFieldTo, SetEmailMessage, SetEmailOptions, SetEmailPrompt, SetEmailSubject, SetEncryption, SetFileNameOptions, SetFontEmbedding, SetHorizontalMargin, SetHyperLink, SetImageOptions, SetInlineImageMaxSize, SetJPEGCompression, SetJPegLevel, SetLicenseKeyA, SetLicenseKeyW, SetOrientation, SetOwnerPassword, SetPageProcessor, SetPaperLength, SetPaperSize, SetPaperWidth, SetPermissions, SetPrinterAttributes, SetPrinterConfig, SetPrinterLanguage, SetPrinterParamInt, SetPrinterParamStr, SetResolution, SetServerAddress, SetServerPort, SetServerUsername, SetSimPostscript, SetSmtpPort, SetSmtpServer, SetTargetPrinterName, SetUserPassword, SetVerticalMargin, SetWatermark, TestLock, Unlock
PEInfo: -

Everything has seemed to be running fine until yesterday. I started to notice redirects again when I would do a search and then hit a url. Not all the time and not as bad as before but I still appear to have some malware lurking.

Should I try to follow all of the previous steps or is this something that you need to review?

As always, thanks for your time.

Your system was clean. You must have visited a website that is installing this junk. See if MBAM will clean it.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

• Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
• Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
• Choose the "Scan tab" and UNcheck "Heuristic analysis"
• Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
• If not given a choice select "custom scan".
• Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
• When done, a message will be displayed at the bottom advising if any viruses were found.
• Click "Yes to all" if it asks if you want to cure/move the file.
• When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
• ( This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  
• Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

I ran MBAM and it didn't show any file to be infected.

Next?

Thanks.