
Topic: Virus affecting my search engines! please help!!! (Read 10169 times)


    pogiepnoy (Topic Starter, Rookie)

    Virus affecting my search engines! please help!!!
    « on: March 10, 2009, 09:13:33 PM »

    My search engines (Yahoo, Google, etc.) redirect me to another website after I search for a particular topic. Please help; it does it in both Firefox and IE. It's getting very annoying.

    John

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:09:23 AM, on 3/10/2009
    Platform: Windows Vista  (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16809)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
    O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Vongo Tray.lnk = ?
    O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{617E9727-9A80-4453-819D-61E542CACF9A}: NameServer = 85.255.113.108,85.255.112.197
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B7FF2B18-DBC5-42BE-8CF5-2AEB8A7CB7AD}: NameServer = 85.255.113.108,85.255.112.197
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.108,85.255.112.197
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.108,85.255.112.197
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
    O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

    --
    End of file - 12453 bytes

      pogiepnoy (Topic Starter, Rookie)

      Re: Virus affecting my search engines! please help!!!
      « Reply #1 on: March 11, 2009, 04:58:10 PM »

      anybody????

        paudashlake (Hopeful; Thanked: 6; Experience: Experienced; OS: Windows 7)

        Re: Virus affecting my search engines! please help!!!
        « Reply #2 on: March 11, 2009, 05:15:09 PM »

        Be patient. That is a pretty long list and it will take our professionals a while to investigate all of it.

        Hinkle Finkle Dinkle Doo. AMEN!!


        evilfantasy (Malware Removal Specialist, Moderator; Genius; "Calm like a bomb"; Thanked: 493; Experience: Experienced; OS: Windows 11)

        Re: Virus affecting my search engines! please help!!!
        « Reply #3 on: March 11, 2009, 05:27:11 PM »

        Download SmitfraudFix (by S!Ri) to your Desktop.
        • Extract all the files to your Desktop.
        • A folder named SmitfraudFix will be created on your Desktop.
        • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
        • Select option #1 - Search by typing 1 and press Enter
          • This program will scan large amounts of files on your computer for known patterns, so please be patient while it works.
          • When it is done, the results of the scan will be displayed and it will create a log named rapport.txt
            • This is in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
          • Please attach that log in your next reply.
        • Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
        http://www.beyondlogic.org/consulting/processutil/processutil.htm

          pogiepnoy (Topic Starter, Rookie)

          Re: Virus affecting my search engines! please help!!!
          « Reply #4 on: March 11, 2009, 06:04:54 PM »

          When I try SmitfraudFix it says "access is denied".

          evilfantasy (Malware Removal Specialist, Moderator; Genius; "Calm like a bomb"; Thanked: 493; Experience: Experienced; OS: Windows 11)

          Re: Virus affecting my search engines! please help!!!
          « Reply #5 on: March 11, 2009, 06:12:43 PM »

          You might want to print out the instructions in blue text, as the HijackThis instructions may cause you to lose your internet connection.

          Open HijackThis and select Do a system scan only.

          Place a check mark next to the following entries: (if there)

          • O17 - HKLM\System\CCS\Services\Tcpip\..\{617E9727-9A80-4453-819D-61E542CACF9A}: NameServer = 85.255.113.108,85.255.112.197
          • O17 - HKLM\System\CCS\Services\Tcpip\..\{B7FF2B18-DBC5-42BE-8CF5-2AEB8A7CB7AD}: NameServer = 85.255.113.108,85.255.112.197
          • O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.108,85.255.112.197
          • O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.108,85.255.112.197
          Important: Close all windows except for HijackThis and then click Fix checked.

          Exit HijackThis.

          ----------

          <<Start Print>>

          Go to Start > Control Panel - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

          * Double-click the Network Connections icon.
          * Right-click the Local Area Connection icon and select Properties.
          * Highlight Internet Protocol (TCP/IP) and click the Properties button.
          * Be sure Obtain DNS server address automatically is selected.
          * OK your way out.

          Go to Start > Run and type in cmd
          Click OK

          * This will open a command prompt.
          * Type the following line in the command window:
           
           ipconfig /flushdns (note the space between ipconfig and /)

          * Press Enter on the keyboard.
          * Exit the command window

          Now restart your computer.


          <<End Print>>

          ----------

          Download Malwarebytes' Anti-Malware (MBAM)

          • Double-click mbam-setup.exe and follow the prompts to install the program.
          • At the end, be sure a checkmark is placed next to the following:
            • Update Malwarebytes' Anti-Malware
            • Launch Malwarebytes' Anti-Malware
          • Then click Finish.
          • If an update is found, it will download and install the latest version.
          • Once the program has loaded, select Perform quick scan, then click Scan.
          • When the scan is complete, click OK, then Show Results to view the results.
          • Be sure that everything is checked, and click Remove Selected.
          • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
          • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
          • Copy and paste the entire report in your next reply.

          Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

          ----------

          Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link #1
          Link #2

          **Note: It is important that it is saved directly to your Desktop

          Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

          Temporarily disable your antivirus, and any antispyware real time protection, before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

          Double click combofix.exe & follow the prompts.
          When finished, ComboFix will produce a log for you.
          Post the ComboFix log in your next reply.

          Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          If you have problems with ComboFix usage, see How to use ComboFix

          ----------

          Next post please add:

          MBAM log
          ComboFix log
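The four entries evilfantasy has the poster fix are the O17 NameServer values in the HijackThis log from the first post: every interface and the global TCP/IP parameters point DNS lookups at 85.255.113.108 and 85.255.112.197, the same addresses MBAM later labels Trojan.DNSChanger, which is how a rogue resolver can redirect searches in every browser at once. The checker below is an added example, not code from this thread, from HijackThis or from MBAM: it pulls the resolver addresses out of O17 lines and MBAM DhcpNameServer data items and reports any that is neither a private address nor on an allowlist of the resolvers the router or ISP actually hands out. The sample lines marked as taken from the thread are copied from the posted logs; the allowlist value 192.168.1.1 and the last sample line are constructed.

```python
"""Audit resolver settings in HijackThis O17 lines and MBAM log lines.

Example added for this thread (not part of HijackThis, MBAM or the poster's
instructions): every NameServer / DhcpNameServer value is checked against a
caller-supplied allowlist of expected resolvers; anything that is neither
allowlisted nor a private/loopback address is reported.
"""
import ipaddress
import re

# One pattern covers both log formats quoted in the thread:
#   HijackThis O17:  "...: NameServer = 85.255.113.108,85.255.112.197"
#   MBAM data item:  "...\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.197 -> ..."
_NS_RE = re.compile(
    r"(?:NameServer\s*=|DhcpNameServer.*?->\s*Data:)\s*"
    r"([0-9.]+(?:\s*,\s*[0-9.]+)*)"
)

SAMPLE_LINES = [
    # Taken from the HijackThis log in the first post
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{617E9727-9A80-4453-819D-61E542CACF9A}: NameServer = 85.255.113.108,85.255.112.197",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.108,85.255.112.197",
    r"O1 - Hosts: ::1 localhost",
    # Taken from the MBAM log in Reply #6
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b7ff2b18-dbc5-42be-8cf5-2aeb8a7cb7ad}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.197 -> Quarantined and deleted successfully.",
    # Constructed: what a healthy entry looks like once "Obtain DNS server address automatically" is back on
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1",
]

# Constructed allowlist: the resolver(s) the home router / ISP actually hands out.
EXPECTED_RESOLVERS = frozenset({"192.168.1.1"})


def extract_nameservers(line):
    """Return the resolver IPs named on one log line ([] if the line has none)."""
    m = _NS_RE.search(line)
    if not m:
        return []
    return [ip.strip() for ip in m.group(1).split(",") if ip.strip()]


def classify(ip, trusted):
    """'trusted' if allowlisted; 'private' for RFC 1918 / loopback / link-local;
    'invalid' if the text is not an IP address; otherwise 'unexpected'."""
    if ip in trusted:
        return "trusted"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "private"
    return "unexpected"


def audit(lines, trusted=frozenset()):
    """Return one finding per resolver that is neither trusted nor private.

    Each finding is {"line": 1-based index into lines, "ip": str, "verdict": str}.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        for ip in extract_nameservers(line):
            verdict = classify(ip, trusted)
            if verdict not in ("trusted", "private"):
                findings.append({"line": n, "ip": ip, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES, EXPECTED_RESOLVERS):
        print(f"line {f['line']}: resolver {f['ip']} is {f['verdict']}")
    # Six findings: 85.255.113.108 and 85.255.112.197 on sample lines 1, 2 and 4
```

Run it as a script to see the findings, or pass `audit()` the O17 lines from any HijackThis log together with your own allowlist. An empty allowlist still lets private addresses through (a home router at 192.168.x.x, for example), so any non-empty result is worth checking against what the ISP really hands out before ticking those entries and clicking Fix checked.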

              pogiepnoy (Topic Starter, Rookie)

              Re: Virus affecting my search engines! please help!!!
              « Reply #6 on: March 11, 2009, 09:10:22 PM »
              Malwarebytes' Anti-Malware 1.34
              Database version: 1838
              Windows 6.0.6000

              3/11/2009 9:51:54 PM
              mbam-log-2009-03-11 (21-51-54).txt

              Scan type: Quick Scan
              Objects scanned: 66323
              Time elapsed: 3 minute(s), 25 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 3
              Registry Values Infected: 0
              Registry Data Items Infected: 3
              Folders Infected: 3
              Files Infected: 2

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              HKEY_CURRENT_USER\SOFTWARE\VideoTools (Trojan.DNSChanger) -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VideoTools (Trojan.DNSChanger) -> Quarantined and deleted successfully.
              HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

              Registry Values Infected:
              (No malicious items detected)

              Registry Data Items Infected:
              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b7ff2b18-dbc5-42be-8cf5-2aeb8a7cb7ad}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.197 -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b7ff2b18-dbc5-42be-8cf5-2aeb8a7cb7ad}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.197 -> Quarantined and deleted successfully.
              HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b7ff2b18-dbc5-42be-8cf5-2aeb8a7cb7ad}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.108,85.255.112.197 -> Quarantined and deleted successfully.

              Folders Infected:
              C:\Users\Pogiepnoy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoTools (Trojan.DNSChanger) -> Quarantined and deleted successfully.
              C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoTools (Trojan.DNSChanger) -> Quarantined and deleted successfully.
              C:\Program Files\VideoTools (Trojan.DNSChanger) -> Quarantined and deleted successfully.

              Files Infected:
              C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoTools\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
              C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

                pogiepnoy (Topic Starter, Rookie)

                Re: Virus affecting my search engines! please help!!!
                « Reply #7 on: March 11, 2009, 09:12:24 PM »
                ComboFix 09-03-10.03 - Pogiepnoy 2009-03-11 22:00:47.1 - NTFSx86
                Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.3070.2050 [GMT -5:00]
                Running from: c:\users\Pogiepnoy\Desktop\ComboFix.exe
                AV: avast! antivirus 4.8.1296 [VPS 090311-1] *On-access scanning enabled* (Updated)
                AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)
                AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated)
                FW: Kaspersky Internet Security *disabled*
                 * Created a new restore point
                .
                ADS - Windows: deleted 24 bytes in 1 streams.

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                C:\autorun.inf
                c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
                c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
                c:\users\Pogiepnoy\AppData\Roaming\inst.exe
                c:\windows\system32\KBL.LOG
                c:\windows\system32\Pncrt.dll
                D:\Autorun.inf

                ----- BITS: Possible infected sites -----

                hxxp://download.esd.intuit.com
                .
                (((((((((((((((((((((((((   Files Created from 2009-02-12 to 2009-03-12  )))))))))))))))))))))))))))))))
                .

                2009-03-11 21:52 . 2009-03-11 21:52   61,440   --a------   c:\windows\System32\drivers\qdxvcq.sys
                2009-03-11 21:47 . 2009-03-11 21:47   <DIR>   d--------   c:\users\Pogiepnoy\AppData\Roaming\Malwarebytes
                2009-03-11 21:47 . 2009-03-11 21:47   <DIR>   d--------   c:\users\All Users\Malwarebytes
                2009-03-11 21:47 . 2009-03-11 21:47   <DIR>   d--------   c:\programdata\Malwarebytes
                2009-03-11 21:47 . 2009-03-11 21:47   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
                2009-03-11 21:47 . 2009-02-11 10:19   38,496   --a------   c:\windows\System32\drivers\mbamswissarmy.sys
                2009-03-11 21:47 . 2009-02-11 10:19   15,504   --a------   c:\windows\System32\drivers\mbam.sys
                2009-03-10 10:03 . 2009-03-10 10:03   <DIR>   d--------   c:\program files\Trend Micro
                2009-03-05 00:44 . 2009-01-18 16:35   15,688   --a------   c:\windows\System32\lsdelete.exe
                2009-03-05 00:38 . 2009-01-18 16:30   64,160   --a------   c:\windows\System32\drivers\Lbd.sys
                2009-03-05 00:37 . 2009-03-05 00:37   <DIR>   d--h-c---   c:\users\All Users\{83C91755-2546-441D-AC40-9A6B4B860800}
                2009-03-05 00:37 . 2009-03-05 00:37   <DIR>   d--h-c---   c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
                2009-03-05 00:37 . 2009-03-05 00:37   <DIR>   d--------   c:\program files\Lavasoft
                2009-03-04 12:34 . 2009-03-04 12:34   <DIR>   d--------   C:\AdAware2008-whymaster
                2009-03-01 03:02 . 2009-03-05 00:38   <DIR>   d----c---   c:\windows\System32\DRVSTORE
                2009-02-28 11:48 . 2008-11-26 12:17   51,792   --a------   c:\windows\System32\drivers\aswMonFlt.sys
                2009-02-25 12:25 . 2009-02-25 12:25   <DIR>   d--------   c:\users\Pogiepnoy\AppData\Roaming\InstallShield
                2009-02-25 12:25 . 2009-02-25 12:25   <DIR>   d--------   C:\Intel
                2009-02-25 12:25 . 2008-04-15 18:53   312,344   --a------   c:\windows\System32\drivers\iaStor.sys
                2009-02-22 03:47 . 2009-02-22 03:47   <DIR>   d--------   c:\program files\VSO
                2009-02-22 03:47 . 2006-09-29 12:24   217,127   --a------   c:\windows\System32\drv43260.dll
                2009-02-22 03:47 . 2006-09-29 12:25   208,935   --a------   c:\windows\System32\drv33260.dll
                2009-02-22 03:47 . 2006-09-29 12:26   176,165   --a------   c:\windows\System32\drv23260.dll
                2009-02-14 10:31 . 2009-02-17 22:40   <DIR>   d--------   c:\program files\AviSynth 2.5
                2009-02-12 11:33 . 2009-02-12 11:33   <DIR>   d--------   c:\program files\Apple Software Update
                2009-02-12 10:20 . 2009-02-18 20:49   <DIR>   d--------   C:\ConverterOutput
                2009-02-12 10:08 . 2009-02-12 10:08   <DIR>   d--------   c:\program files\Cucusoft
                2009-02-12 10:08 . 2007-03-25 01:51   3,049,984   --a------   c:\windows\System32\libavcodec.dll
                2009-02-12 10:08 . 2007-03-25 22:40   2,174,976   --a------   c:\windows\System32\ffdshow.ax
                2009-02-12 10:08 . 2004-01-16 16:50   516,096   --a------   c:\windows\System32\CLVSDS.ax
                2009-02-12 10:08 . 2007-03-25 01:51   404,480   --a------   c:\windows\System32\libmplayer.dll
                2009-02-12 10:08 . 2008-02-03 22:26   364,544   --a------   c:\windows\System32\cdg.dll
                2009-02-12 10:08 . 2006-09-27 18:46   348,160   --a------   c:\windows\System32\cdga.dll
                2009-02-12 10:08 . 2007-01-01 06:30   200,704   --a------   c:\windows\System32\TomsMoComp_ff.dll
                2009-02-12 10:08 . 2006-07-08 05:07   114,688   --a------   c:\windows\System32\PropListCtrl.ocx
                2009-02-12 10:08 . 2007-03-25 01:51   114,688   --a------   c:\windows\System32\libmpeg2_ff.dll
                2009-02-12 10:08 . 2003-03-25 07:49   98,304   --a------   c:\windows\System32\L3CODECX.AX
                2009-02-12 10:08 . 2004-09-10 14:50   34,820   --a------   c:\windows\System32\ffdshow.reg
                2009-02-12 10:08 . 2006-07-17 22:42   14,909   --a------   c:\windows\System32\A_reg.reg
                2009-02-12 00:48 . 2009-02-12 00:48   <DIR>   d--------   c:\users\Pogiepnoy\AppData\Roaming\NeroDigital(TM)

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2009-03-12 02:52   1,108   ----a-w   c:\program files\xijainer.txt
                2009-03-11 18:54   ---------   d-----w   c:\program files\Google
                2009-03-10 04:39   ---------   d-----w   c:\users\Pogiepnoy\AppData\Roaming\LimeWire
                2009-03-05 05:37   ---------   d-----w   c:\programdata\Lavasoft
                2009-03-03 06:13   ---------   d-----w   c:\users\Pogiepnoy\AppData\Roaming\BitTorrent
                2009-03-01 18:17   ---------   d-----w   c:\program files\Microsoft Silverlight
                2009-02-25 17:25   ---------   d--h--w   c:\program files\InstallShield Installation Information
                2009-02-25 17:23   ---------   d-----w   c:\program files\Hewlett-Packard
                2009-02-25 17:20   ---------   d-----w   c:\users\Pogiepnoy\AppData\Roaming\Hewlett-Packard
                2009-02-25 17:18   ---------   d-----w   c:\program files\HP
                2009-02-24 20:43   ---------   d-----w   c:\program files\Common Files\Nero
                2009-02-24 20:42   ---------   d-----w   c:\programdata\Nero
                2009-02-24 20:29   ---------   d-----w   c:\program files\Nero
                2009-02-22 16:46   ---------   d-----w   c:\users\Pogiepnoy\AppData\Roaming\Vso
                2009-02-22 16:33   ---------   d-----w   c:\programdata\vsosdk
                2009-02-22 08:47   47,360   ----a-w   c:\users\Pogiepnoy\AppData\Roaming\pcouffin.sys
                2009-02-19 02:55   ---------   d-----w   c:\programdata\Ahead
                2009-02-11 05:58   ---------   d-----w   c:\users\Pogiepnoy\AppData\Roaming\Nero
                2009-02-11 05:27   ---------   d-----w   c:\program files\Common Files\LightScribe
                2009-02-03 14:43   ---------   d-----w   c:\users\Pogiepnoy\AppData\Roaming\ZoomBrowser EX
                2009-02-03 14:43   ---------   d-----w   c:\programdata\ZoomBrowser
                2009-01-29 01:27   ---------   d-----w   c:\users\Pogiepnoy\AppData\Roaming\Intuit
                2009-01-29 01:24   ---------   d-----w   c:\program files\Common Files\AnswerWorks 5.0
                2009-01-29 01:20   ---------   d-----w   c:\programdata\Intuit
                2009-01-29 01:20   ---------   d-----w   c:\program files\Common Files\Intuit
                2009-01-29 01:17   ---------   d-----w   c:\program files\TurboTax
                2009-01-28 02:45   ---------   d-----w   c:\programdata\Microsoft Help
                2009-01-28 02:43   0   ----a-w   c:\users\Pogiepnoy\AppData\Roaming\wklnhst.dat
                2009-01-28 02:43   ---------   d-----w   c:\users\Pogiepnoy\AppData\Roaming\Template
                2009-01-20 04:56   ---------   d-----w   c:\program files\Alwil Software
                2009-01-15 04:16   826,368   ----a-w   c:\windows\System32\wininet.dll
                2009-01-15 04:16   56,320   ----a-w   c:\windows\System32\iesetup.dll
                2009-01-15 04:16   52,736   ----a-w   c:\windows\AppPatch\iebrshim.dll
                2009-01-15 04:15   26,624   ----a-w   c:\windows\System32\ieUnatt.exe
                2009-01-11 01:18   2,560   ----a-w   c:\windows\_MSRSTRT.EXE
                2008-12-12 09:13   174   --sha-w   c:\program files\desktop.ini
                2008-12-10 20:44   27,715   ----a-w   c:\users\Pogiepnoy\AppData\Roaming\nvModes.dat
                2008-11-06 20:24   27,335   ----a-w   c:\users\Guest\AppData\Roaming\nvModes.dat
                2008-05-07 18:54   16,384   --sha-w   c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                2008-05-07 18:54   32,768   --sha-w   c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                2008-05-07 18:54   16,384   --sha-w   c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                .

                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-05-20 1232896]
                "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
                "swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-03 171448]
                "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
                "WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 c:\windows\System32\oobefldr.dll]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
                "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
                "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
                "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
                "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
                "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]
                "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-09-30 181544]
                "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
                "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
                "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
                "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
                "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
                "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
                "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
                "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
                "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
                "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
                "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
                "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
                "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
                "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
                "RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 c:\windows\RtHDVCpl.exe]

                c:\users\Pogiepnoy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

                c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                Vongo Tray.lnk - c:\windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-11-26 53248]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                "msacm.l3codecp"= l3codecp.acm

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
                @="Service"

                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
                "DisableMonitoring"=dword:00000001

                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                "DisableMonitoring"=dword:00000001

                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                "DisableMonitoring"=dword:00000001

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy]
                "<NO NAME>"=

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
                "<NO NAME>"=

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
                "<NO NAME>"=

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
                "<NO NAME>"=
                "c:\\Program Files\\Vongo\\VongoService.exe"= c:\program files\Vongo\VongoService.exe:*:enabled:VongoService

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
                "{334D7D46-1D66-4022-9908-87E1DE0A7302}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
                "{BB94DB1A-C77D-4DCA-92AD-54C57CE00BEE}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
                "{88901493-73B5-4508-B2C1-6B1321D319F1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
                "{A61FFC8C-9F51-4B08-85B3-F734AEE8DD31}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
                "{024EC2AC-121D-42C7-B3BF-433BBDDF1748}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
                "{7B7D14B1-C7CA-4E65-A56B-B4E6D0B1FF4B}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
                "{547192FF-6A40-4864-9D00-AFECDB174310}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
                "{391B6388-EF39-4888-80F0-848D80BEDBAC}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
                "{F03776F8-FA59-4F49-A87C-38E4C8EA9856}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
                "{83C3586C-66B5-4931-BFDD-44D97CCBE7FF}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
                "{A6CFE4D9-FAAA-4D67-8343-52AB596F832C}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
                "{7A1BEE83-40A8-4B39-84FD-D3F4B49EEC4B}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
                "{66459CF1-B747-45AE-AFCF-EF14DBF64543}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
                "{A801C589-D469-43FD-9280-CDEB9D385321}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
                "{11C9C883-EE8D-420F-824B-9A1F06685F91}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
                "{EF707709-98A0-4174-83F9-1DC88E2F5A79}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
                "{8AEC33BB-4EC7-4486-9232-BE55FEB49A1C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
                "{7B75E53A-23A1-4AF4-9DE5-D72AE356051A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
                "{32C6CAC1-FAA7-4FB2-9DA1-4E3F767B50A9}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
                "{9EA35A92-602D-4785-AC73-493FBCEA9E45}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
                "TCP Query User{F2D57451-3400-44A7-A6F7-94EF78337E22}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:µTorrent
                "UDP Query User{ACABB52C-C915-4B5A-8594-948F3E39EF53}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:µTorrent
                "TCP Query User{096CF571-8901-42E7-A074-8057E020A03B}c:\\programdata\\kaspersky lab setup files\\kaspersky internet security 2009\\english\\setup.exe"= UDP:c:\programdata\kaspersky lab setup files\kaspersky internet security 2009\english\setup.exe:Kaspersky Internet Security 2009 Setup
                "UDP Query User{DEBE3535-3D46-43B8-8A05-091EF68764C0}c:\\programdata\\kaspersky lab setup files\\kaspersky internet security 2009\\english\\setup.exe"= TCP:c:\programdata\kaspersky lab setup files\kaspersky internet security 2009\english\setup.exe:Kaspersky Internet Security 2009 Setup
                "{1B42858B-6995-442A-9808-E3CD0215FA8A}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
                "{65DA6737-8794-43C8-99D8-F1C99EB66FF2}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
                "{DAEB025E-641D-4BCD-B977-271370E72D5C}"= UDP:c:\program files\AIM6\aim6.exe:AIM
                "{0A32D667-E6D0-49E3-BD1E-1C96F19213F1}"= TCP:c:\program files\AIM6\aim6.exe:AIM
                "TCP Query User{CC1AC257-E360-486D-BBA3-D7442367ED45}c:\\program files\\v cast music with rhapsody\\rhapsody.exe"= UDP:c:\program files\v cast music with rhapsody\rhapsody.exe:RealNetworks Rhapsody
                "UDP Query User{518D7E5D-AF42-420A-B296-64A3E8E2DA64}c:\\program files\\v cast music with rhapsody\\rhapsody.exe"= TCP:c:\program files\v cast music with rhapsody\rhapsody.exe:RealNetworks Rhapsody
                "TCP Query User{E327C47E-571F-433F-B13F-562736882194}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
                "UDP Query User{63EEF749-CF70-479D-A420-CE64070E83F3}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
                "TCP Query User{B1022E17-A7CB-45E9-AD0A-A450FB33ADC9}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:µTorrent
                "UDP Query User{86C67030-271C-47EF-AE44-C27876C55040}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:µTorrent

                pogiepnoy


                  Re: Virus affecting my seach engines! please help!!!
                  « Reply #8 on: March 11, 2009, 09:16:13 PM »
                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
                  "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
                  "c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
                  "c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

                  R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-03-05 64160]
                  R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2009-02-28 111184]
                  R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2009-02-28 20560]
                  R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2009-02-28 51792]
                  R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-10-01 24652]
                  S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]

                  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aed95aa0-451b-11dd-9a7d-001e682a8e86}]
                  \shell\AutoRun\command - F:\setupSNK.exe

                  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aed95aa5-451b-11dd-9a7d-001e682a8e86}]
                  \shell\AutoRun\command - G:\LaunchU3.exe -a

                  [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
                  "c:\program files\Common Files\LightScribe\LSRunOnce.exe"
                  .
                  Contents of the 'Scheduled Tasks' folder

                  2009-03-05 c:\windows\Tasks\Ad-Aware Update (Daily).job
                  - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 16:34]

                  2008-05-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
                  - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

                  2009-03-11 c:\windows\Tasks\User_Feed_Synchronization-{599A7A6A-739C-44AE-AC80-05932EC126DC}.job
                  - c:\windows\system32\msfeedssync.exe [2006-11-02 04:45]
                  .
                  - - - - ORPHANS REMOVED - - - -

                  HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
                  HKCU-Run-Aim6 - (no file)


                  .
                  ------- Supplementary Scan -------
                  .
                  mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
                  uInternet Settings,ProxyOverride = *.local
                  IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
                  IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
                  IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
                  Trusted Zone: real.com\rhap-app-4-0
                  Trusted Zone: real.com\rhapreg
                  FF - ProfilePath - c:\users\Pogiepnoy\AppData\Roaming\Mozilla\Firefox\Profiles\9gjrsg3f.default\
                  FF - prefs.js: browser.search.selectedEngine - AIM Search
                  FF - prefs.js: browser.startup.homepage - aol.com
                  FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
                  FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
                  FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
                  FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
                  FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
                  FF - plugin: c:\users\Pogiepnoy\Program Files\DNA\plugins\npbtdna.dll
                  .

                  **************************************************************************

                  catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2009-03-11 22:04:57
                  Windows 6.0.6000  NTFS

                  scanning hidden processes ... 

                  scanning hidden autostart entries ...

                  scanning hidden files ... 

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  Completion time: 2009-03-11 22:06:43
                  ComboFix-quarantined-files.txt  2009-03-12 03:06:40

                  Pre-Run: 80,087,375,872 bytes free
                  Post-Run: 82,329,292,800 bytes free

                  267   --- E O F ---   2009-03-01 09:03:38
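
The ComboFix excerpt above is what a removal helper reads by eye: the R0/R1/R2/S2 driver and service lines, the Run keys, AppInit_DLLs, the Security Center DisableMonitoring values, the MountPoints2 AutoRun commands and the Firefox prefs. The script below is an added example (mine, not ComboFix's or the forum's code) that applies the same first-pass reading to that text. Its sample input is copied from the log above except for one constructed service line for qdxvcq.sys, the driver the next reply targets (the thread names the file but never quotes its log line, so that line's date and size are invented). The no-vowel name heuristic and the search-engine allow-list are my own assumptions, not anything ComboFix does.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix code).

Walks the registry / service / Firefox lines ComboFix prints and returns the
items a malware-removal helper looks at first. Every hit is a lead to verify
(publisher signature, hash, vendor directory), not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Sample input: lines copied from the log above, plus ONE constructed line,
# the 'R0 qdxvcq;...' entry (its date and size are made up for the demo).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-03-05 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2009-02-28 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2009-02-28 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-10-01 24652]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
R0 qdxvcq;qdxvcq;c:\windows\System32\drivers\qdxvcq.sys [2009-03-10 40960]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aed95aa0-451b-11dd-9a7d-001e682a8e86}]
\shell\AutoRun\command - F:\setupSNK.exe

FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - aol.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$"
)
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")
FFPREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.+)$")

# Prefs that decide where address-bar searches go, and the hosts the operator
# expects them to point at (allow-list is an assumption for this demo).
SEARCH_PREFS = {"keyword.URL", "browser.search.defaulturl"}
SEARCH_ALLOW = {"google.com", "search.yahoo.com", "search.live.com"}
VOWELS = set("aeiouy")


@dataclass
class Finding:
    kind: str
    detail: str
    why: str


def looks_random(stem: str) -> bool:
    """Crude name heuristic (my assumption): five or more letters and not a
    single vowel. Flags 'qdxvcq'; leaves 'Lbd', 'aswSP', 'aswFsBlk' alone."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 5 and not VOWELS.intersection(letters)


def host_of(value: str) -> str:
    """Host part of a URL. ComboFix defangs 'http' as 'hxxp'; undo that first."""
    url = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    key = ""  # registry key the following "name"=data lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            key = m.group("key").lower()
        elif (m := SERVICE_RE.match(line)):
            path = m.group("path")
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                findings.append(Finding("driver", path, f"random-looking name, start type {m.group('start')}"))
        elif (m := VALUE_RE.match(line)):
            name, data = m.group("name").lower(), m.group("data").strip()
            if name == "appinit_dlls" and data:
                findings.append(Finding("appinit", data, "DLL loaded into every process that links user32; confirm publisher"))
            elif name == "disablemonitoring" and "security center" in key and data.lower() == "dword:00000001":
                findings.append(Finding("security-center", key, "Security Center monitoring switched off"))
        elif (m := AUTORUN_RE.match(line)):
            findings.append(Finding("autorun", m.group("cmd"), "AutoRun command cached from removable media"))
        elif (m := FFPREF_RE.match(line)):
            pref, host = m.group("pref"), host_of(m.group("value"))
            if pref in SEARCH_PREFS and not any(host == a or host.endswith("." + a) for a in SEARCH_ALLOW):
                findings.append(Finding("ff-search", f"{pref} -> {host}", "search pref points outside the allow-list"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind:15}] {f.detail}\n{'':18}{f.why}")
```

Run against the sample it reports five leads: the AppInit_DLLs entry (here under the Google program directory, so a publisher check rather than a removal), the DisableMonitoring value (third-party security suites also set these, so it is a question, not a verdict), the vowel-less qdxvcq.sys driver, the cached F:\setupSNK.exe AutoRun command, and keyword.URL pointing at an aol.com redirector, which is the pref that decides where an address-bar search lands and so the first place to look for the redirect the poster describes.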

                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator


                  Re: Virus affecting my seach engines! please help!!!
                  « Reply #9 on: March 11, 2009, 09:49:06 PM »
                  The real-time protection of two antivirus programs may conflict with each other and cause the following:

                  1) False alarms: the antivirus software tells you that your PC has a virus when it actually doesn't.
                  2) Conflicts: your system may lock up because both products attempt to access the same file at the same time.
                  3) Performance: more than one antivirus will make your PC slow, and it may even crash or blue screen.

                  Please uninstall either Kaspersky or Avast before you continue.

                  ----------

                  Download the OTMoveIt3 by OldTimer

                  Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

                  * Save it to your Desktop.
                  * Double-click OTMoveIt3.exe to run it.
                  * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                  Code:
                  :Processes
                  explorer.exe

                  :services
                  Viewpoint Manager Service

                  :reg

                  :files
                  c:\windows\System32\drivers\qdxvcq.sys

                  :Commands
                  [purity]
                  [emptytemp]
                  [start explorer]
                  [Reboot]

                  * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                  * Click the red Moveit! button.
                  * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                  Close OTMoveIt3

                  Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.


                  How is the computer running now?

                  pogiepnoy


                    Re: Virus affecting my seach engines! please help!!!
                    « Reply #10 on: March 12, 2009, 12:19:29 AM »
                    Computer is running better, but I don't know if the MoveIt program ran correctly.
                    ========== PROCESSES ==========
                    Process explorer.exe killed successfully.
                    ========== SERVICES/DRIVERS ==========
                    Unable to stop service Viewpoint Manager Service .
                    ========== REGISTRY ==========
                    ========== FILES ==========
                    File move failed. c:\windows\System32\drivers\qdxvcq.sys scheduled to be moved on reboot.
                    ========== COMMANDS ==========
                    File delete failed. C:\Users\POGIEP~1\AppData\Local\Temp\ehmsas.txt scheduled to be deleted on reboot.
                    File delete failed. C:\Users\POGIEP~1\AppData\Local\Temp\etilqs_a5C2QiyeOtzEFbWmfVRh scheduled to be deleted on reboot.
                    File delete failed. C:\Users\POGIEP~1\AppData\Local\Temp\VGX63E0.tmp scheduled to be deleted on reboot.
                    User's Temp folder emptied.
                    User's Temporary Internet Files folder emptied.
                    User's Internet Explorer cache folder emptied.
                    Local Service Temp folder emptied.
                    Local Service Temporary Internet Files folder emptied.
                    File delete failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
                    Windows Temp folder emptied.
                    File delete failed. C:\Users\Pogiepnoy\AppData\Local\Mozilla\Firefox\Profiles\9gjrsg3f.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
                    File delete failed. C:\Users\Pogiepnoy\AppData\Local\Mozilla\Firefox\Profiles\9gjrsg3f.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
                    File delete failed. C:\Users\Pogiepnoy\AppData\Local\Mozilla\Firefox\Profiles\9gjrsg3f.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
                    File delete failed. C:\Users\Pogiepnoy\AppData\Local\Mozilla\Firefox\Profiles\9gjrsg3f.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
                    File delete failed. C:\Users\Pogiepnoy\AppData\Local\Mozilla\Firefox\Profiles\9gjrsg3f.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
                    FireFox cache emptied.
                    Temp folders emptied.
                    Explorer started successfully
                     
                    OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03122009_010743

                    Files moved on Reboot...
                    File move failed. c:\windows\System32\drivers\qdxvcq.sys scheduled to be moved on reboot.
                    File move failed. C:\Users\POGIEP~1\AppData\Local\Temp\ehmsas.txt scheduled to be moved on reboot.
                    File C:\Users\POGIEP~1\AppData\Local\Temp\etilqs_a5C2QiyeOtzEFbWmfVRh not found!
                    C:\Users\POGIEP~1\AppData\Local\Temp\VGX63E0.tmp moved successfully.
                    File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
                    C:\Users\Pogiepnoy\AppData\Local\Mozilla\Firefox\Profiles\9gjrsg3f.default\Cache\_CACHE_001_ moved successfully.
                    C:\Users\Pogiepnoy\AppData\Local\Mozilla\Firefox\Profiles\9gjrsg3f.default\Cache\_CACHE_002_ moved successfully.
                    C:\Users\Pogiepnoy\AppData\Local\Mozilla\Firefox\Profiles\9gjrsg3f.default\Cache\_CACHE_003_ moved successfully.
                    C:\Users\Pogiepnoy\AppData\Local\Mozilla\Firefox\Profiles\9gjrsg3f.default\Cache\_CACHE_MAP_ moved successfully.
                    C:\Users\Pogiepnoy\AppData\Local\Mozilla\Firefox\Profiles\9gjrsg3f.default\urlclassifier3.sqlite moved successfully.
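
The "scheduled to be moved on reboot" lines in that log are the visible side of one Win32 mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends a source/destination pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe replays that list during the next boot. The script below is an added example (mine, not OTMoveIt3's or ComboFix's code) that parses that value so the queue can be checked before rebooting, and shows the same call a removal tool makes. The SAMPLE_QUEUE is constructed for the demo, not read from the poster's machine; the Windows-only functions return nothing or raise on other platforms.

```python
"""Inspect (and, on Windows, add to) the reboot-time file-move queue.

Added example, not OTMoveIt3 or ComboFix code. PendingFileRenameOperations
is a multi-string of source/destination pairs in NT object-path form
(\??\C:\...). An empty destination means delete; a destination starting
with '!' means replace an existing file. smss.exe applies the list during
boot, so a file a loaded kernel driver keeps open can be removed this way,
but a boot-start driver may already be loaded again by then: always confirm
after the reboot that the file is actually gone.
"""
import sys
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"               # entries are stored as NT object paths
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # winbase.h


def _strip_nt(p: str) -> str:
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending(entries: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Turn the raw multi-string into (source, destination) pairs.
    destination None means 'delete'. A trailing empty string is the
    multi-string terminator and is dropped before pairing."""
    items = list(entries)
    if len(items) % 2 == 1 and items[-1] == "":
        items.pop()
    pairs: List[Tuple[str, Optional[str]]] = []
    for src, dst in zip(items[0::2], items[1::2]):
        pairs.append((_strip_nt(src), None if dst == "" else _strip_nt(dst.lstrip("!"))))
    return pairs


def read_pending() -> List[str]:
    """Read the live queue. Returns [] off Windows or when nothing is queued."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, imported lazily on purpose
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Session Manager") as k:
        try:
            value, _ = winreg.QueryValueEx(k, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return list(value)


def schedule_delete(path: str) -> bool:
    """Queue `path` for deletion at next boot (Windows only, needs admin).
    This is the call behind a tool's 'scheduled to be moved on reboot'."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is a Win32 call")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


# Constructed sample of the value after a run like the one above: two deletes
# (the driver and a temp file from the log) and one move-with-replace.
SAMPLE_QUEUE = [
    "\\??\\C:\\Windows\\System32\\drivers\\qdxvcq.sys", "",
    "\\??\\C:\\Users\\POGIEP~1\\AppData\\Local\\Temp\\ehmsas.txt", "",
    "\\??\\C:\\Windows\\Temp\\old.tmp", "!\\??\\C:\\Quarantine\\old.tmp",
    "",
]

if __name__ == "__main__":
    queue = read_pending() or SAMPLE_QUEUE
    for src, dst in parse_pending(queue):
        print(f"{src}  ->  {dst or '<delete>'}")
```

Reading the queue before the reboot tells you exactly which paths the tool handed to Session Manager; reading the same value and the driver path after the reboot tells you whether the operation actually happened, which matters here because the post-reboot section of the log still lists the driver as "scheduled to be moved on reboot".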

                    evilfantasy

                    Re: Virus affecting my seach engines! please help!!!
                    « Reply #11 on: March 12, 2009, 12:22:57 AM »
                    Yes, it worked for the main file we wanted to remove.

                    Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
                    • Viewpoint
                    • Viewpoint Manager
                    • Viewpoint Media Player
                    • Viewpoint Toolbar
                    • Viewpoint Experience Technology
                    .
                    ----------

                    • Click START then RUN
                    • Now type Combofix /u in the runbox
                    • Make sure there's a space between Combofix and /u
                    • Then hit Enter.
                    • The above procedure will:
                    • Delete the following:
                    • ComboFix and its associated files and folders.
                    • Reset the clock settings.
                    • Hide file extensions, if required.
                    • Hide System/Hidden files, if required.
                    • Set a new, clean Restore Point.
                    .
                    ----------

                    1. Double-click OTMoveIt3.exe to launch it.
                    If using Vista, right-click OTMoveIt3 and choose Run As Administrator.
                    2. Click on the CleanUp! button.
                    3. OTMoveIt3 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
                    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
                    • When finished, exit out of OTMoveIt3
                    ----------

                    Use the ESET Online Antivirus Scanner

                    This scanner requires Internet Explorer

                    1. Check the box next to YES, I accept the Terms of Use.
                    2. Click Start
                    3. When asked, allow the activex control to install
                    4. Click Start
                    5. Make sure that the option Remove found threats and the option Scan unwanted applications are both checked.
                    6. Click Scan
                    7. Wait for the scan to finish
                    8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
                    9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

                    pogiepnoy


                      Re: Virus affecting my seach engines! please help!!!
                      « Reply #12 on: March 12, 2009, 01:30:25 AM »
                      With the ESET one it says, "Error: cannot initialize online scanner. Administrator rights required."

                      But I am the administrator of my computer.

                      evilfantasy

                      Re: Virus affecting my seach engines! please help!!!
                      « Reply #13 on: March 12, 2009, 10:59:14 AM »
                      Try this one please.


                      This scanner works with Internet Explorer only!

                      Scan with the BitDefender Online Scanner
                      Click I Agree to the license and then install the ActiveX control.
                      Please DO NOT change the Scanning Options.
                      That will make your logs huge and we don't need to see clean files.

                      Select Start Scan to begin.
                      This scan can take a while so please be patient and let it complete.

                      Once BitDefender completes the scan:
                      Click-on the Detected Problems tab.
                      Then select Click here to export the scan report



                      This will save a file named bdscan.html. I would suggest saving it to the Desktop so you can easily find it (take notice of where you save it so you can find it later).
                       
                      You will have to upload the file online. The forums will not accept HTML.

                      Go to File Dropper

                      Click Upload
                      Locate the file and double click it.
                      Copy the download link and post it back here.

                      pogiepnoy


                        Re: Virus affecting my seach engines! please help!!!
                        « Reply #14 on: March 12, 2009, 06:21:02 PM »
                        I got the ESET one to work.
                        # version=4
                        # OnlineScanner.ocx=1.0.0.635
                        # OnlineScannerDLLA.dll=1, 0, 0, 79
                        # OnlineScannerDLLW.dll=1, 0, 0, 78
                        # OnlineScannerUninstaller.exe=1, 0, 0, 49
                        # vers_standard_module=3931 (20090312)
                        # vers_arch_module=1.064 (20080214)
                        # vers_adv_heur_module=1.066 (20070917)
                        # EOSSerial=02b8c8a957aa324c947f5acbc4661619
                        # end=finished
                        # remove_checked=true
                        # unwanted_checked=true
                        # utc_time=2009-03-13 12:18:26
                        # local_time=2009-03-12 07:18:26 (-0600, Central Daylight Time)
                        # country="United States"
                        # osver=6.0.6000 NT
                        # scanned=549381
                        # found=0
                        # scan_time=3494