
Browser Redirect


This topic is locked.

#16 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
When you get a chance, I'd like for you to proceed with the ComboFix instructions.
  • 0


#17 jpleone (Topic Starter, Member, 26 posts)
Okay, post instructions and I'll do it first thing tomorrow.
  • 0

#18 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
  • 0

#19 jpleone (Topic Starter, Member, 26 posts)
Hi SweetTech,
I downloaded combo-fix but received a warning that it had detected AVG running (which I had removed over a month ago). Checked again in add/remove programs, no AVG. Found AVG 8.5 and 9 folders, so not sure how to proceed. Computer browser doesn't seem to be redirecting any more, but is running a little slower.
  • 0

#20 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Please go ahead and Okay your way through the warnings from ComboFix that AVG is running.
  • 0

#21 jpleone (Topic Starter, Member, 26 posts)
ComboFix 10-07-24.03 - Owner 07/25/2010 11:43:20.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1314 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\avdrn.dat
c:\documents and settings\Owner\Local Settings\Application Data\{08F479E5-5D58-4B1A-8A5F-EFF76A5A2ABD}
c:\documents and settings\Owner\Local Settings\Application Data\{08F479E5-5D58-4B1A-8A5F-EFF76A5A2ABD}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{08F479E5-5D58-4B1A-8A5F-EFF76A5A2ABD}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{08F479E5-5D58-4B1A-8A5F-EFF76A5A2ABD}\install.rdf
c:\windows\system32\certstore.dat

.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-24 22:52 . 2010-07-24 22:52 8832 ----a-w- c:\windows\system32\drivers\klakckhb.sys
2010-07-24 21:26 . 2010-07-24 22:55 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-24 21:00 . 2010-07-24 21:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-24 20:45 . 2010-07-24 20:50 -------- d-----w- c:\program files\UnHackMe
2010-07-24 20:40 . 2010-07-24 20:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-24 20:30 . 2010-07-24 20:30 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-07-24 20:30 . 2010-07-24 20:30 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-07-24 20:25 . 2010-07-24 20:26 -------- dc-h--w- c:\windows\ie8
2010-07-24 20:16 . 2010-07-24 20:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-24 20:16 . 2010-07-24 20:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2010-07-24 20:15 . 2010-07-24 20:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2010-07-24 20:15 . 2010-07-24 20:15 -------- d-----w- c:\program files\Common Files\Real
2010-07-24 20:14 . 2010-07-24 20:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(4)
2010-07-24 20:14 . 2010-07-24 20:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(3)
2010-07-24 19:12 . 2010-07-24 19:12 -------- d-----w- c:\program files\Alwil Software
2010-07-24 19:12 . 2010-07-24 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-24 18:52 . 2010-07-24 18:52 -------- d-----w- c:\program files\Trend Micro
2010-07-23 23:08 . 2010-07-24 20:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-07-23 21:53 . 2010-07-25 01:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-16 10:06 . 2010-07-24 20:15 -------- dc----w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-14 08:03 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 22:29 . 2010-07-06 17:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 21:24 . 2010-07-06 17:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 20:41 . 2010-07-24 20:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 20:41 . 2010-07-06 17:29 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}\Ad-AwareInstall.exe
2010-07-11 20:41 . 2010-07-11 20:41 -------- d-----w- c:\program files\Lavasoft
2010-07-06 23:17 . 2010-07-06 23:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 02:20 . 2002-09-03 16:53 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-07-25 00:12 . 2008-03-07 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-24 20:38 . 2008-03-14 16:59 -------- d-----w- c:\program files\Google
2010-07-24 20:18 . 2008-03-14 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-23 23:07 . 2008-03-14 00:59 -------- d-----w- c:\program files\PokerStars
2010-07-11 21:32 . 2009-10-27 16:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 20:41 . 2008-03-07 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-06 23:12 . 2008-03-07 20:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-07-06 23:12 . 2008-03-07 20:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-29 21:06 . 2008-03-07 20:53 -------- d-----w- c:\program files\CCleaner
2010-06-23 12:58 . 2010-06-23 12:58 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1CB.tmp.exe
2010-06-22 22:15 . 2010-06-22 22:15 1171456 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_stonebonus.884fe3f012cc21e9f4b94beccb344fe5.dll
2010-06-22 22:15 . 2010-06-22 22:15 1204224 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_bathbonus.eaf1477312e7ecb9b1c7aa0a26e6ac61.dll
2010-06-22 22:15 . 2010-06-22 22:15 1142784 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_bodywaxbonus.86b2e4bb4c8e68cbf84cdb6310c39218.dll
2010-06-22 22:15 . 2010-06-22 22:15 827392 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\p\playerinstantiatedchoosebonus.ceb25d7dda7b0effc207d3dec6e30288.dll
2010-06-22 22:15 . 2010-06-22 22:15 1290240 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_smoothiebonus.779ec9c8439f59a40852d4a998367c4f.dll
2010-06-22 22:15 . 2010-06-22 22:15 1196032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_massagebonus.0e575cb178075b87da73199c7e3bdcc1.dll
2010-06-22 22:08 . 2010-06-22 22:08 1024000 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofychoicebonus_summerholiday.2f3c0065ff052710ed0c13651e2571da.dll
2010-06-22 22:07 . 2010-06-22 22:07 831488 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\r\racebonus.0a92bce3bdb7feb1970ec9894848e1ee.dll
2010-06-22 22:07 . 2010-06-22 22:07 1236992 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\k\kfm_kungfubonus.7648b1705a4c13b46555323f6f9957fe.dll
2010-06-22 21:58 . 2010-06-22 21:58 860160 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\scoopthecashbonus.bba34ca69d484ca056b3150cf3511c31.dll
2010-06-22 21:50 . 2010-06-22 21:50 1204224 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\multistagepickxofybonus.3a30a9c7b165f5e8a337ca88ed08906c.dll
2010-06-22 21:50 . 2010-06-22 21:50 98304 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakautoplayplugin.bd0995adc01c55d3f345d8fc81d6bf13.dll
2010-06-22 21:50 . 2010-06-22 21:50 49152 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakstrategylogic1.64d4f0467e0e777ddfbb02e7544f98fa.dll
2010-06-22 21:50 . 2010-06-22 21:50 192512 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakxxx.af25beaa0378c2b2eaa341b7d8c64966.dll
2010-06-22 21:50 . 2010-06-22 21:50 106496 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakstatsplugin.c622fc192c22f951a4bf27988c8c48e0.dll
2010-06-22 21:50 . 2010-06-22 21:50 417792 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakplugin.85c5094e4412e0647ba5f7a72219a89d.dll
2010-06-22 21:50 . 2010-06-22 21:50 126976 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakstrategyui1.c4a60b718047a7230c1f7eb62e24ac16.dll
2010-06-22 21:46 . 2010-06-22 21:46 41075 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\c\chiefsfortunebonus.c2bec570aab63ef04a9e9131551006f6.dll
2010-06-22 21:46 . 2010-06-22 21:46 1040384 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_novgao_09.0f4a9e5f0c3aacc5fd59c75d3646b44e.dll
2010-06-22 21:45 . 2010-06-22 21:45 1474560 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_novgao_09.bca283e127879ce59170c465ef11ba05.dll
2010-06-22 21:44 . 2010-06-22 21:44 421888 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\lua51host.6c8dcc3e9f55da70bf5ccd67df48f256.dll
2010-06-22 21:43 . 2010-06-22 21:43 897024 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_novgao_09.cf52962a5fbf37c5c088bd5d667653d4.dll
2010-06-22 21:43 . 2010-06-22 21:43 921600 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickuntilbonus_novgao_09.2d0e2f5fb79a1dee2f0dba3ac916277d.dll
2010-06-22 21:43 . 2010-06-22 21:43 618496 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_novgao_09.5e06bb19f897ab866a50c262ff639055.dll
2010-06-22 21:43 . 2010-06-22 21:43 679936 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_novgao_09.002d2269f327b0c9a9e9f327bc91130b.dll
2010-06-14 14:31 . 2008-03-06 15:39 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-05-26 15:48 . 2009-11-03 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-26 15:48 . 2009-11-05 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-26 13:10 . 2010-05-26 13:10 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\vqdlkr.dat
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-04-17 162584]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2008-5-15 229376]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-17 00:51 138008 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-26 19:27 16132608 ----a-w- c:\windows\RTHDCPL.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/11/2010 5:24 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/6/2009 10:10 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/6/2009 10:10 AM 108552]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/6/2010 1:28 PM 1352832]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 4:17 AM 135664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 17:28]

2010-07-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-14 16:17]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 08:17]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cabd057488df76.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 08:17]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 192.0.0.5:8080
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 11:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-07-25 11:48:53
ComboFix-quarantined-files.txt 2010-07-25 15:48

Pre-Run: 288,523,423,744 bytes free
Post-Run: 288,725,467,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 92047A522A00829C2EC2B719C5D37154
  • 0

#22 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.geekstogo.com/forum/topic/282728-browser-redirect/page__view__findpost__p__1875441
Collect::
c:\windows\system32\drivers\klakckhb.sys
c:\windows\system32\config\systemprofile\Application Data\vqdlkr.dat
File::
c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1CB.tmp.exe

DDS::
uInternet Settings,ProxyServer = 192.0.0.5:8080

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Scanning with MalwareBytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following bolded text into the Posted Image textbox.


    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push Posted Image
  • A report will open. Copy and Paste that report in your next reply.





Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The log that is produced after running the ComboFix script.
3. The log that is produced after running the MalwareBytes' Anti-Malware scan.
4. The log that is produced after running the ESET Online Virus Scanner.
5. The log that is produced after running the SecurityCheck scan.
6. The log that is produced after running the OTL scan.
7. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Cheers,
SweetTech.
  • 0
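As an added illustration (not code from the thread, from ComboFix, or from SweetTech), here is a small Python parser for the ComboFix log layout posted in #21 that flags the same three items the CFScript in #22 targets: the freshly written driver, the data file under the SYSTEM profile, and the per-user proxy. The heuristics and the constructed sample log are my own; ComboFix exposes no such API, and the flags are prompts for review, not verdicts.

```python
"""Triage helper for ComboFix logs laid out like the ones posted in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: a shortened ComboFix log built from lines in the thread.
SAMPLE_LOG = r"""
ComboFix 10-07-24.03 - Owner 07/25/2010 11:43:20.1.2 - x86
.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.
2010-07-24 22:52 . 2010-07-24 22:52 8832 ----a-w- c:\windows\system32\drivers\klakckhb.sys
2010-07-24 21:26 . 2010-07-24 22:55 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-11 21:24 . 2010-07-06 17:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 13:10 . 2010-05-26 13:10 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\vqdlkr.dat
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 192.0.0.5:8080
uInternet Settings,ProxyOverride = <local>
"""

# "created . modified size attrs path"; directories print -------- for size.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-A-Za-z]{8}) (?P<path>.+)$")
# Section banners look like "(((( Name ))))" or "---- Name ----".
SECTION_HDR = re.compile(r"^\(+ (?P<a>.+?) \)+$|^-+ (?P<b>.+?) -+$")
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>\S+)$")

@dataclass(frozen=True)
class Entry:
    section: str
    created: str
    modified: str
    size: int  # -1 for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    reason: str

def parse_log(text: str):
    """Return (file entries, proxy servers) found in a ComboFix log."""
    entries, proxies, section = [], [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if hdr := SECTION_HDR.match(line):
            section = hdr.group("a") or hdr.group("b")
        elif m := FILE_LINE.match(line):
            size = -1 if m["size"].startswith("-") else int(m["size"])
            entries.append(Entry(section, m["created"], m["modified"],
                                 size, m["attrs"], m["path"]))
        elif p := PROXY_LINE.match(line):
            proxies.append(p["proxy"])
    return entries, proxies

def triage(text: str):
    """My heuristics (not ComboFix's) for the lines the helper acted on."""
    entries, proxies = parse_log(text)
    findings = []
    for e in entries:
        low = e.path.lower()
        # A driver whose create and modify stamps coincide was written fresh on
        # this machine; installer-copied drivers (Lbd.sys from Ad-Aware) keep an
        # older modify stamp and are skipped. Review, do not auto-delete.
        if (low.endswith(".sys") and "\\system32\\drivers\\" in low
                and e.created == e.modified):
            findings.append(Finding("new-driver", e.path,
                                    "driver created and modified at the same instant"))
        # The SYSTEM account's profile normally holds no user-style data files.
        if "\\config\\systemprofile\\application data\\" in low and not e.is_dir:
            findings.append(Finding("systemprofile-data", e.path,
                                    "data file under the SYSTEM account profile"))
    for proxy in proxies:
        # A per-user proxy the owner never configured routes every browser
        # request through that host: the usual mechanism behind "redirects".
        findings.append(Finding("proxy", proxy,
                                "per-user ProxyServer set in Internet Settings"))
    return findings

def to_cfscript(findings) -> str:
    """Lay findings out in the Collect::/DDS:: directive format the thread used."""
    collect = [f.value for f in findings if f.kind != "proxy"]
    dds = [f"uInternet Settings,ProxyServer = {f.value}" for f in findings if f.kind == "proxy"]
    out = (["Collect::", *collect] if collect else []) + (["DDS::", *dds] if dds else [])
    return "\n".join(out)
```

Run `triage(SAMPLE_LOG)` against a full log and the same three lines SweetTech picked out surface, while Lbd.sys and the directory entries stay quiet.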

#23 jpleone (Topic Starter, Member, 26 posts)
SweetTech,

I have disabled Ad-Aware, but can't figure out how to disable Spybot (although I don't have TeaTimer), so should I just remove it prior to following your instructions? Also, what about the AVG that showed as running?
  • 0

#24 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Don't worry about disabling Spybot. Also don't worry about AVG for now.
  • 0

#25 jpleone (Topic Starter, Member, 26 posts)
Was able to do the ComboFix and malware scan, but unable to perform the ESET scan; I keep getting the IE error "A malfunctioning or malicious add-on has caused Internet Explorer to close this webpage".

#2
ComboFix 10-07-24.04 - Owner 07/25/2010 16:52:29.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1142 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1CB.tmp.exe"

file zipped: c:\windows\system32\config\systemprofile\Application Data\vqdlkr.dat
file zipped: c:\windows\system32\drivers\klakckhb.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1CB.tmp.exe
c:\windows\system32\config\systemprofile\Application Data\vqdlkr.dat
c:\windows\system32\drivers\klakckhb.sys

.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-24 21:26 . 2010-07-24 22:55 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-24 21:00 . 2010-07-24 21:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-24 20:45 . 2010-07-24 20:50 -------- d-----w- c:\program files\UnHackMe
2010-07-24 20:40 . 2010-07-24 20:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-24 20:30 . 2010-07-24 20:30 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-07-24 20:30 . 2010-07-24 20:30 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-07-24 20:25 . 2010-07-24 20:26 -------- dc-h--w- c:\windows\ie8
2010-07-24 20:16 . 2010-07-24 20:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-24 20:16 . 2010-07-24 20:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2010-07-24 20:15 . 2010-07-24 20:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2010-07-24 20:15 . 2010-07-24 20:15 -------- d-----w- c:\program files\Common Files\Real
2010-07-24 20:14 . 2010-07-24 20:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(4)
2010-07-24 20:14 . 2010-07-24 20:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(3)
2010-07-24 19:12 . 2010-07-24 19:12 -------- d-----w- c:\program files\Alwil Software
2010-07-24 19:12 . 2010-07-24 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-24 18:52 . 2010-07-24 18:52 -------- d-----w- c:\program files\Trend Micro
2010-07-23 23:08 . 2010-07-24 20:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-07-23 21:53 . 2010-07-25 01:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-16 10:06 . 2010-07-24 20:15 -------- dc----w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-14 08:03 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 22:29 . 2010-07-06 17:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 21:24 . 2010-07-06 17:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 20:41 . 2010-07-24 20:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 20:41 . 2010-07-06 17:29 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}\Ad-AwareInstall.exe
2010-07-11 20:41 . 2010-07-11 20:41 -------- d-----w- c:\program files\Lavasoft
2010-07-06 23:17 . 2010-07-06 23:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 02:20 . 2002-09-03 16:53 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-07-25 00:12 . 2008-03-07 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-24 20:38 . 2008-03-14 16:59 -------- d-----w- c:\program files\Google
2010-07-24 20:18 . 2008-03-14 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-23 23:07 . 2008-03-14 00:59 -------- d-----w- c:\program files\PokerStars
2010-07-11 21:32 . 2009-10-27 16:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 20:41 . 2008-03-07 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-06 23:12 . 2008-03-07 20:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-07-06 23:12 . 2008-03-07 20:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-29 21:06 . 2008-03-07 20:53 -------- d-----w- c:\program files\CCleaner
2010-06-22 22:15 . 2010-06-22 22:15 1171456 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_stonebonus.884fe3f012cc21e9f4b94beccb344fe5.dll
2010-06-22 22:15 . 2010-06-22 22:15 1204224 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_bathbonus.eaf1477312e7ecb9b1c7aa0a26e6ac61.dll
2010-06-22 22:15 . 2010-06-22 22:15 1142784 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_bodywaxbonus.86b2e4bb4c8e68cbf84cdb6310c39218.dll
2010-06-22 22:15 . 2010-06-22 22:15 827392 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\p\playerinstantiatedchoosebonus.ceb25d7dda7b0effc207d3dec6e30288.dll
2010-06-22 22:15 . 2010-06-22 22:15 1290240 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_smoothiebonus.779ec9c8439f59a40852d4a998367c4f.dll
2010-06-22 22:15 . 2010-06-22 22:15 1196032 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_massagebonus.0e575cb178075b87da73199c7e3bdcc1.dll
2010-06-22 22:08 . 2010-06-22 22:08 1024000 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofychoicebonus_summerholiday.2f3c0065ff052710ed0c13651e2571da.dll
2010-06-22 22:07 . 2010-06-22 22:07 831488 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\r\racebonus.0a92bce3bdb7feb1970ec9894848e1ee.dll
2010-06-22 22:07 . 2010-06-22 22:07 1236992 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\k\kfm_kungfubonus.7648b1705a4c13b46555323f6f9957fe.dll
2010-06-22 21:58 . 2010-06-22 21:58 860160 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\scoopthecashbonus.bba34ca69d484ca056b3150cf3511c31.dll
2010-06-22 21:50 . 2010-06-22 21:50 1204224 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\multistagepickxofybonus.3a30a9c7b165f5e8a337ca88ed08906c.dll
2010-06-22 21:50 . 2010-06-22 21:50 98304 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakautoplayplugin.bd0995adc01c55d3f345d8fc81d6bf13.dll
2010-06-22 21:50 . 2010-06-22 21:50 49152 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakstrategylogic1.64d4f0467e0e777ddfbb02e7544f98fa.dll
2010-06-22 21:50 . 2010-06-22 21:50 192512 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakxxx.af25beaa0378c2b2eaa341b7d8c64966.dll
2010-06-22 21:50 . 2010-06-22 21:50 106496 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakstatsplugin.c622fc192c22f951a4bf27988c8c48e0.dll
2010-06-22 21:50 . 2010-06-22 21:50 417792 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakplugin.85c5094e4412e0647ba5f7a72219a89d.dll
2010-06-22 21:50 . 2010-06-22 21:50 126976 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjghighstreakstrategyui1.c4a60b718047a7230c1f7eb62e24ac16.dll
2010-06-22 21:46 . 2010-06-22 21:46 41075 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\c\chiefsfortunebonus.c2bec570aab63ef04a9e9131551006f6.dll
2010-06-22 21:46 . 2010-06-22 21:46 1040384 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_novgao_09.0f4a9e5f0c3aacc5fd59c75d3646b44e.dll
2010-06-22 21:45 . 2010-06-22 21:45 1474560 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_novgao_09.bca283e127879ce59170c465ef11ba05.dll
2010-06-22 21:44 . 2010-06-22 21:44 421888 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\lua51host.6c8dcc3e9f55da70bf5ccd67df48f256.dll
2010-06-22 21:43 . 2010-06-22 21:43 897024 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_novgao_09.cf52962a5fbf37c5c088bd5d667653d4.dll
2010-06-22 21:43 . 2010-06-22 21:43 921600 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickuntilbonus_novgao_09.2d0e2f5fb79a1dee2f0dba3ac916277d.dll
2010-06-22 21:43 . 2010-06-22 21:43 618496 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_novgao_09.5e06bb19f897ab866a50c262ff639055.dll
2010-06-22 21:43 . 2010-06-22 21:43 679936 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_novgao_09.002d2269f327b0c9a9e9f327bc91130b.dll
2010-06-14 14:31 . 2008-03-06 15:39 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-04-17 142104]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-04-17 162584]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2008-5-15 229376]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-17 00:51 138008 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-26 19:27 16132608 ----a-w- c:\windows\RTHDCPL.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/11/2010 5:24 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/6/2009 10:10 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/6/2009 10:10 AM 108552]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/6/2010 1:28 PM 1352832]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 4:17 AM 135664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 17:28]

2010-07-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-14 16:17]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 08:17]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cabd057488df76.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 08:17]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-07-25 16:55:38
ComboFix-quarantined-files.txt 2010-07-25 20:55
ComboFix2.txt 2010-07-25 15:48

Pre-Run: 288,685,666,304 bytes free
Post-Run: 288,721,104,896 bytes free

- - End Of File - - 8C6A11973499F9B49CC89D15B24390DD
Upload was successful


#3
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4347

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/25/2010 5:08:44 PM
mbam-log-2010-07-25 (17-08-44).txt

Scan type: Quick scan
Objects scanned: 133234
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0
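The ComboFix log above has two line formats a reviewer reads first: the timestamped file list ("Files Created" and "Find3M") and the service/driver list (the `R0`/`S2` lines). Below is an added Python example, written for this thread and not part of ComboFix or of either participant's posts, that parses both formats and pulls out the items worth a second look: service entries printed as `--> path [?]` (my reading of the format is that ComboFix could not find that binary on disk, as with the `avg8wd` entry above) and executable files sitting under Documents and Settings instead of Program Files or Windows. The column order (modified stamp, then created stamp) and the attribute letters are my reading of the log layout and are assumptions; the sample lines are copied from the log above.

```python
"""Triage helpers for the two line formats in a ComboFix log.

Added example for this thread; not ComboFix's own code. Assumptions (my reading of the format):
  * file lines read     "<modified> . <created> <size|--------> <attrs> <path>"
  * service lines read  "<R|S><start type> <name>;<display>;<image> [<date> <size>]", and
    "<image> --> <image> [?]" when ComboFix could not find the binary on disk
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2010-07-24 20:40 . 2010-07-24 20:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-23 21:53 . 2010-07-25 01:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 08:03 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 21:24 . 2010-07-06 17:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-22 22:15 . 2010-06-22 22:15 1171456 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\w\wealthspa_stonebonus.884fe3f012cc21e9f4b94beccb344fe5.dll
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/11/2010 5:24 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/6/2010 1:28 PM 1352832]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 4:17 AM 135664]
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
FILE_RE = re.compile(rf"^({STAMP}) \. ({STAMP}) (\d+|-{{8}}) (\S{{8}}) (.+)$")
SVC_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?)(?: --> \S+)? \[([^\]]*)\]$")


@dataclass
class FileEntry:
    modified: datetime
    created: datetime
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    attrs: str           # assumed letters: d=directory c=compressed s=system h=hidden a=archive w=writable
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs


@dataclass
class ServiceEntry:
    running: bool     # R = running, S = stopped (assumed)
    start_type: int   # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled (assumed)
    name: str
    display: str
    image: str
    missing: bool     # True when the line ends in "[?]"


def parse_log(text: str) -> Tuple[List[FileEntry], List[ServiceEntry]]:
    files: List[FileEntry] = []
    services: List[ServiceEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            mod, cre, size, attrs, path = m.groups()
            files.append(FileEntry(datetime.strptime(mod, "%Y-%m-%d %H:%M"),
                                   datetime.strptime(cre, "%Y-%m-%d %H:%M"),
                                   None if size.startswith("-") else int(size), attrs, path))
            continue
        m = SVC_RE.match(line)
        if m:
            state, start, name, display, image, info = m.groups()
            services.append(ServiceEntry(state == "R", int(start), name, display, image,
                                         info.strip() == "?"))
    return files, services


def orphaned_services(services: List[ServiceEntry]) -> List[str]:
    """Services/drivers still registered although their binary was not found ("[?]")."""
    return [s.name for s in services if s.missing]


def code_under_user_profiles(files: List[FileEntry]) -> List[str]:
    """Executable files under Documents and Settings rather than Program Files or Windows.
    Not a verdict, just the first place to look: a limited user can write there."""
    return [f.path for f in files
            if not f.is_dir and f.path.lower().startswith(r"c:\documents and settings")
            and f.path.lower().endswith((".exe", ".dll", ".sys"))]


def modified_between(files: List[FileEntry], start: str, end: str) -> List[str]:
    """Paths whose modification stamp falls in [start, end] (YYYY-MM-DD), to line the
    file list up with the date the redirects began."""
    lo, hi = (datetime.strptime(d, "%Y-%m-%d") for d in (start, end))
    return [f.path for f in files if lo <= f.modified <= hi]


if __name__ == "__main__":
    fs, svcs = parse_log(SAMPLE_LOG)
    print("orphaned services:", orphaned_services(svcs))
    print("code under user profiles:", code_under_user_profiles(fs))
    print("modified 2010-07-11..2010-07-25:", modified_between(fs, "2010-07-11", "2010-07-25"))
```

Run it against a full ComboFix.txt by reading the file into `parse_log` instead of `SAMPLE_LOG`; the three helpers then give you the orphaned services, the executables in user-writable locations and the files touched in the window you care about, which is the same pass a helper does by eye on a log like the one above.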

#26
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Can you please try this scanner:

Kaspersky Online Scanner
Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type drop-down box to Text file (.txt), name the file KasReport.txt and save it to your desktop so that you can post it in your next reply.

  • 0

#27
jpleone

jpleone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
It won't download - needs "java framework 1.5"
  • 0

#28
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
AVP Tool by Kaspersky

IMPORTANT: Save these instructions so you can have access to them while in Safe Mode.

Download the AVP Tool by Kaspersky from Here and save it to your desktop. Be aware that this is a large file, approximately 60 MB.
  • Reboot your computer into Safe Mode

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears
    Use your up arrow key to highlight Safe Mode then press Enter

  • Double click the setup file to run it
  • Click Next to continue
  • Accept the License agreement then click Next
  • It will by default install to your desktop folder. Click Next
  • Once installed it will open a box. Click the Automatic scan tab
  • Under Automatic scan make sure the following are checked:

  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors
  • My Computer
  • Also any other drives (removable ones that you may have)

Leave the rest of the settings as they appear

  • Click on Scan at the top right hand corner
  • It will automatically neutralize any objects found
  • If some objects are left un-neutralized, click on Neutralize all
  • If you receive a message that an item cannot be neutralized then choose the Delete option when prompted
  • Once finished click the Reports button at the bottom
  • Name the file Kas & save it somewhere convenient like your desktop
  • Copy/paste only the detected virus/malware entries from the report (they will be at the very top under Detected) and post those results in your next reply.

    Note: This program will self uninstall when you close it so save the log before closing it


  • 0

#29
jpleone

jpleone

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
SweetTech,

No luck - when I tried the link, I got "FORBIDDEN".
  • 0

#30
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Let's try the scanner below:

Please download Dr.Web CureIt. Save it to your desktop:
  • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and, if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click No to All if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply.
  • Close Dr.Web CureIt.
NOTE: During the scan, a pop-up window will open asking you to purchase the full version. Simply close it by clicking the X in the upper right corner.
  • 0