Hi , I have a google redirect problem as many others, help is greatly appreciated. I am posting my hijack this log. Thanks in advance

ohh right i didnt post it i was asked not too

Please download Malwarebytes' Anti-Malware from one of these sites: MalwareBytes1 MalwareBytes2 Rename the setup file, mbam-setup.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename mbam-setup.exe to tool.exe> click save. 1. Double Click tool.exe to install the application. 2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. 3. If an update is found, it will download and install the latest version. 4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. 5. When the scan is complete, click OK, then Show Results to view the results. 6. Make sure that everything found is checked, and click Remove Selected. 7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. 8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. 9. Copy&Paste the entire report in your next reply. If Malwarebytes installed but will not run navigate to this folder: C:\Programs Files\Malwarebytes' AntiMalware Rename all the .exe files in the MAlwarebytes' Anti-Malware folder and try to run it again. Please post your Hijack This log.

Hey heres the malwarebytes log, also i have a question"How did i pick it up?" thanks I ran malware twice heres the 1 that showed up infected Malwarebytes' Anti-Malware 1.36 Database version: 1945 Windows 5.1.2600 Service Pack 2 5/7/2009 10:07:45 PM mbam-log-2009-05-07 (22-07-45).txt Scan type: Quick Scan Objects scanned: 71835 Time elapsed: 4 minute(s), 0 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 2 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\WWShow (Trojan.Agent) -> Quarantined and deleted successfully. C:\Program Files\Jcore (Trojan.BHO) -> Quarantined and deleted successfully. Files Infected: C:\Documents and Settings\HP_Administrator\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HIJACKTHIS LOG thanks again Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:29:35 PM, on 5/7/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\Explorer.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe c:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\WINDOWS\arservice.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\RTHDCPL.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\ARPWRMSG.exe C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\HP\HP Software Update\HPwuSchd2.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Steam\Steam.exe C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\HP\KBD\KBD.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe c:\windows\system\hpsysdrv.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T... R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T... R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T... R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?T... R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.exe O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.exe (User 'Default user') O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Looks like you have two antivirus programs installed, Avir and Norton. That is not a good idea as they will conflict and cause you problems, you should decide which one you like and uninstall the other. Your java is out of date and may have been exploited. Download the latest version of java from this link Java Click on the JRE 6 Update 13 download button. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3 Rename the setup file, combofix.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename combofix.exe to toolb.exe> click save. Combofix is a powerful tool so follow the instructions exactly or you could damage your computer. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. In your case to run Combofix do the following: 1. Go offline turn off your Avir/Norton antivirus, Ad-Aware and any other antispyware that you may have. Restart the computer before getting back online. 2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log. 3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned. 4. Post the Combofix log. Remember to re-enable the protection again afterwards before connecting to the Internet.

Thanks for the step by step instructions, I followed them accordingly up to the step up to restarting my pc to get the anti virus running and keeping the anti spy ware disabled. Heres the combofix log ComboFix 09-05-07.06 - HP_Administrator 05/08/2009 0:10.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.567 [GMT -4:00] Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\HP_Administrator\Local Settings\Temporary Internet Files\Cpvff.stt c:\windows\Temp\111898174.exe c:\windows\Temp\138929424.exe c:\windows\Temp\297523174.exe c:\windows\wiaserviv.log D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 ))))))))))))))))))))))))))))))) . 2009-05-08 03:48 . 2009-05-08 03:47 410984 ----a-w c:\windows\system32\deploytk.dll 2009-05-08 03:44 . 2009-05-08 03:49 -------- d-----w c:\windows\system32\CatRoot_bak 2009-05-08 01:33 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-05-08 01:33 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-05-07 03:46 . 2009-05-08 03:40 -------- d-sh--r c:\windows\system32\dllcache 2009-05-07 03:29 . 2009-05-07 03:29 -------- d-----w c:\program files\Trend Micro 2009-05-07 01:21 . 2009-05-08 03:28 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory 2009-05-07 01:20 . 2006-09-27 01:38 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Intuit 2009-05-07 01:20 . 2006-09-27 02:06 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Symantec 2009-05-07 01:20 . 2006-09-27 01:35 -------- d-----w c:\windows\system32\config\systemprofile\WINDOWS 2009-05-06 22:25 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys 2009-05-06 22:25 . 2009-05-06 22:25 -------- d-----w c:\program files\Avira 2009-05-06 22:25 . 2009-05-06 22:25 -------- d-----w c:\documents and settings\All Users\Application Data\Avira 2009-05-06 03:01 . 2009-05-06 22:32 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\ptidle 2009-05-03 02:02 . 2009-05-03 02:03 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\TVU Networks 2009-05-02 08:49 . 2009-05-02 08:58 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\FullTiltPoker . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-08 04:06 . 2007-01-19 23:26 -------- d-----w c:\program files\Steam 2009-05-08 03:47 . 2006-09-27 00:54 -------- d-----w c:\program files\Java 2009-05-08 03:39 . 2006-09-27 01:58 -------- d-----w c:\program files\Common Files\Symantec Shared 2009-05-08 01:33 . 2009-02-21 18:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-05-08 01:21 . 2006-09-27 01:54 -------- d-----w c:\program files\Yahoo! 2009-05-07 01:23 . 2009-05-07 01:23 1852 --sha-r c:\windows\system32\drivers\103C_HP_CPC_RC675AA-ABA s7620n_YC_0Pavi_QMXF648_E64NAemMPA4_48_IMAGNETITE_SASUSTeK Computer INC._V1.02_B3.01_T060712_WXP2_L409_M959_J250_7Intel_8T1350_91.87_#070118_N10EC8139_Z14F12F20_G10025A62.MRK 2009-05-06 22:20 . 2007-07-16 13:01 -------- d-----w c:\program files\Full Tilt Poker 2009-05-03 02:03 . 2008-11-09 03:40 -------- d-----w c:\program files\TVUPlayer 2009-04-11 03:39 . 2007-07-03 09:58 -------- d-----w c:\program files\Google 2009-04-11 03:36 . 2007-05-26 23:36 -------- d-----w c:\program files\Azureus 2009-03-14 14:11 . 2008-10-26 12:34 -------- d-----w c:\program files\SopCast 2009-03-12 22:27 . 2009-03-12 22:27 -------- d-----w c:\program files\Broderbund 2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll . ------- Sigcheck ------- [-] 2005-03-14 08:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys [7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys [7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys [-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys [-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys [-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys [7] 2004-08-10 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys [-] 2005-03-14 07:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\$NtUninstallKB917953$\tcpip.sys [7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys [-] 2005-03-14 07:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\$NtUninstallKB951748$\tcpip.sys [-] 2005-03-14 07:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\SoftwareDistribution\Download\2ad1413c5dc0d16e6d56d3e6ca94ed48\backup\sp2gdr\tcpip.sys [-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys [-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys [-] 2005-03-14 07:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\system32\dllcache\tcpip.sys [-] 2005-03-14 07:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\system32\drivers\tcpip.sys [7] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe [7] 2006-02-21 03:36 2057984 501C033D08AC37C4BE751633AB02197C c:\windows\$hf_mig$\KB914882\SP2QFE\ntkrnlpa.exe [7] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe [-] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe [-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe [-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe [-] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe [-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe [-] 2008-08-14 19:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe [7] 2004-08-10 11:00 2015232 FB142B7007CA2EEA76966C6C5CC12150 c:\windows\$NtUninstallKB914882$\ntkrnlpa.exe [7] 2006-02-21 03:00 2015744 39FDB2C5E26F34E19376DC0106B8E178 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe [-] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe [7] 2007-02-28 08:38 2015744 A58AC1C6199EF34228ABEE7FC057AE09 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe [-] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\Driver Cache\i386\ntkrnlpa.exe [-] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe [-] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe [-] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe [-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe [-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe [-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ntkrnlpa.exe [-] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\system32\ntkrnlpa.exe [7] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe [7] 2006-02-21 04:01 2180992 DF4D09B676964646FA166A78C816B4C3 c:\windows\$hf_mig$\KB914882\SP2QFE\ntoskrnl.exe [7] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe [-] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe [-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe [-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe [-] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe [-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe [-] 2008-08-14 20:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe [7] 2004-08-10 11:00 2148352 626309040459C3915997EF98EC1C8D40 c:\windows\$NtUninstallKB914882$\ntoskrnl.exe [7] 2006-02-21 03:27 2136064 F2915B67B9989C5DA164D031338821DC c:\windows\$NtUninstallKB931784$\ntoskrnl.exe [-] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe [7] 2007-02-28 09:08 2136064 1220FAF071DEA8653EE21DE7DCDA8BFD c:\windows\$NtUninstallKB956841$\ntoskrnl.exe [-] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\Driver Cache\i386\ntoskrnl.exe [-] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe [-] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe [-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe [-] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe [-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe [-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ntoskrnl.exe [-] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\system32\ntoskrnl.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208] "Steam"="c:\program files\Steam\Steam.exe" [2009-04-09 1410296] "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584] "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112] "Recguard"="c:\windows\SMINST\RECGUARD.exe" [2005-07-23 237568] "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552] "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-27 180269] "ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-14 16239616] "AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"= "c:\\Program Files\\Steam\\steamapps\\litvinal24\\counter-strike source\\hl2.exe"= R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/6/2009 6:25 PM 108289] . - - - - ORPHANS REMOVED - - - - HKLM-Run-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe HKLM-Run-PCDrProfiler - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop mStart Page = hxxp://www.yahoo.com mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\x2udswh8.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p= FF - prefs.js: browser.search.selectedEngine - Yahoo FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p= FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-08 00:14 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(752) c:\windows\system32\Ati2evxx.dll . Completion time: 2009-05-08 0:16 ComboFix-quarantined-files.txt 2009-05-08 04:15 Pre-Run: 203,586,371,584 bytes free Post-Run: 207,635,496,960 bytes free 175 --- E O F --- 2009-05-08 03:38