Topic: [Inactive] Link Redirects and Periodic Computer Crashes


alan57
[Inactive] Link Redirects and Periodic Computer Crashes
« on: June 16, 2009, 09:37:29 pm »
I noticed today that some links I select redirect me to a google page. This is the redirect address I got from a news story link:
http://images.google.com/images?q=http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x600&section=623720
In the search window on this page is this address:
http://ad.yieldmanager.com/st?ad_type=iframe

Also, for a few months now my PC (running VISTA with IE 8) will periodically freeze up when IE 8 is open. I have to restart the PC (can't do a soft reboot, have to switch the computer off). I am not sure that this is a malware problem or if it is something beyond what can be diagnosed here.

HijackThis File:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:27 PM, on 6/16/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Registry Mechanic\regmech.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5654
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11529 bytes

Thanks.
« Last Edit: June 20, 2009, 11:06:18 am by 1972vet »



1972vet (Microsoft® MVP, Malware Removal Staff)
Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #1 on: June 20, 2009, 11:05:55 am »
I am not seeing any malware in the log but I do see a couple of issues. Your Java and Adobe Reader programs are out of date which creates a slight security risk. In addition, while you are a Vista user and have Windows Defender on board, there is no real need for using the Spybot Search and Destroy's Tea Timer function. Let's remove the Tea Timer function first:
Open Spybot Search and Destroy...
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Restart your computer.
Next please follow these steps to remove older version Java components:

1. Close any open programs you may have running, especially your web browser.
2. Click the Start-->Control Panel...under the Programs heading, select the link titled "Uninstall a program".
3. Click once on any item listing Java Runtime Environment in the name (to highlight it) then click the "Uninstall" icon near the top of that window.
Not every version of Java will begin with "Java" so be sure to read each entry in the list.
Repeat step 3 as many times as necessary to remove all versions of Java.
**If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.
4. Navigate to and delete:C:\Program Files\Java <=this folder if found
5. Then go to this page.
Scroll to the second download link..."Java SE Runtime Environment (JRE) 6 Update 14" and click the "Download" button to the right.
6. Check the box that says: "Accept License Agreement" the page will refresh and click on the link to download Windows Offline Installation with or without Multi-language. Save it to your desktop.
Then from your desktop double-click on the executable to install the newest version.

With this update, you would have no need in the future to uninstall Java before updating again. This version will notify you when updates are available and install the latest version, removing any older components. This feature began (I think) with update 10.

Next, please uninstall your version of Adobe Reader 8.0 and install the latest version Here.

Next, please disable Windows Defender to prevent any interference with HijackThis.
  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save
Remember to re-enable Real-time Protection again once we finish up.

Next, please run HijackThis again and check the box next to these entries:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)


Close all windows now including this browser window...leaving only the HijackThis application window open, click the Fix Checked button.

Reboot the system and post back a fresh HijackThis log and advise how the system behaves for you now. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
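The checks 1972vet made by eye on the log above (O2/O3 entries whose DLL is missing, component paths that betray an old Java or Reader install, the repeated Winsock LSP lines) can be automated. The script below is an added example, not code from the thread or from HijackThis; the "known outdated" table is an assumption built from the versions the reply recommends (Java 6 Update 14, Adobe Reader 9), and the sample input is a constructed excerpt of the posted log.

```python
"""Triage helper for a HijackThis v2 log (added example; not part of the thread)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O23, ...) and " - ".
SECTION_RE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumed table: (path pattern capturing a version number, minimum acceptable
# version, label). Values follow the versions recommended in the reply above.
OUTDATED_RULES = [
    (re.compile(r"\\Java\\jre1\.6\.0_(\d+)\\", re.I), 14, "Java 6 older than Update 14"),
    (re.compile(r"\\Adobe\\Reader (\d+)\.0\\", re.I), 9, "Adobe Reader older than 9"),
]


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def orphaned_com_entries(log: str) -> List[str]:
    """CLSIDs of O2 (BHO) and O3 (toolbar) entries whose DLL no longer exists.

    These are the registry leftovers HijackThis reports as "(no file)"; they are
    harmless on their own but are the first thing a helper asks to have fixed.
    """
    found = []
    for section, body in parse_entries(log):
        if section in ("O2", "O3") and body.endswith("(no file)"):
            m = CLSID_RE.search(body)
            if m:
                found.append(m.group(0))
    return found


def outdated_components(log: str) -> List[str]:
    """Paths whose embedded version is below the assumed minimum."""
    hits = []
    for _, body in parse_entries(log):
        for pattern, minimum, label in OUTDATED_RULES:
            m = pattern.search(body)
            if m and int(m.group(1)) < minimum:
                hits.append(f"{label}: {m.group(0)}")
    return hits


def lsp_entries(log: str) -> Dict[str, int]:
    """Winsock LSP DLLs with the number of O10 lines each one occupies."""
    counts: Counter = Counter()
    for section, body in parse_entries(log):
        if section == "O10":
            counts[body.split("LSP:", 1)[1].strip().lower()] += 1
    return dict(counts)


if __name__ == "__main__":
    print("orphaned COM entries:", orphaned_com_entries(SAMPLE_LOG))
    print("outdated components:", outdated_components(SAMPLE_LOG))
    print("Winsock LSP DLLs:", lsp_entries(SAMPLE_LOG))
```

Run it against a full log by replacing SAMPLE_LOG with the file contents. The LSP count matters: one DLL listed once per protocol is normal for a parental-control or antivirus filter, and an LSP that appears with a path outside System32 or Program Files is what deserves attention.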

alan57
Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #2 on: June 20, 2009, 03:03:23 pm »
Thanks for your help. I made the changes. It may be a couple days before I post back about any improvement because the crashes were random and some days they didn't happen at all - other days it might happen a few times. Also, the ad.yieldmanager redirect only happened occasionally for some links - but when it did I couldn't view whatever link I was trying to open so it was annoying nonetheless. BTW, neither Spybot nor BitDefender was picking up anything.

Here is the new log file. Thanks again!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:28 PM, on 6/20/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5654
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10925 bytes

1972vet
Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #3 on: June 20, 2009, 07:26:23 pm »
Quote
This is the redirect address I got from a news story link...
But you didn't say what news story. The news story link you clicked on could well have been the suspect. Maybe not, but I have to say it could have been since you didn't include that link.

Quote
Also, for a few months now my PC (running VISTA with IE 8) will periodically freeze up when IE 8 is open. I have to restart the PC (can't do a soft reboot, have to switch the computer off). I am not sure that this is a malware problem or if it is something beyond what can be diagnosed here.
In Internet explorer, click the help button (upper right) then click "Online Support". In the left pane, click "Internet Explorer". Scroll down and highlight the "Troubleshooting" topic, then in the right pane, click the "Internet Explorer stops responding, stops working, or restarts " link. Following those instructions, click on the appropriate link to run through the Microsoft online troubleshooter.

Quote
BTW, neither spybot or bitdefender was picking up anything
I am of the opinion, really, that your issue stems from a cookie placed by ad.yieldmanager. Depending on what links you clicked, Spybot S&D may not be interested and neither would BitDefender. Have you tried cleaning up the browser and deleting cookies?




alan57
Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #4 on: June 23, 2009, 08:39:25 am »
Happens randomly, today it happened while using Thesaurus.com. After doing a few searches it just switched to the ad.yieldmanager google page.

I went to the IE support page but nothing there applied. So far, no crashes since I made the updates and registry changes, but I haven't been using the PC much since last Friday. I will be today.

I used Panicware Sureclean to wipe out all the temp files and cookies. No, I hadn't cleaned house in a while. Something came up during the cleaning that I never saw before. I could not delete two system files - when I answer yes to delete it causes Sureclean to crash every time and I have to restart the program. Unfortunately the path is so long for both that I can only see part of it in the Sureclean window. I tried doing a system search for a part of the path but came up empty. I will type the part from each I could see below, maybe you will recognize it:

... \=ist;kw=cordage;tid=18486;scat=words;scat=others;s ...

... \literature;scat=investing;pcat=business;pos=1;til ...


BTW thank you for your service to our country (72 vet). I am a Gold Star Father of a Marine KIA in Iraq.

Thanks for your help
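Two of the artefacts quoted in this thread are worth pulling apart mechanically: the redirect address in the first post, and the two cache-file name fragments just above. The script below is an added example, not code from the thread or from any of the products named in it. It shows why the Google search box displayed only `http://ad.yieldmanager.com/st?ad_type=iframe`: the ad URL was dropped into the `q=` parameter without percent-encoding, so everything after its first `&` was parsed as separate parameters of the Google URL. The second parser treats the file-name fragments as `;`-delimited key=value strings; that they are ad-targeting parameters is an assumption (the thread does not identify them), and the truncated ends marked "..." on the page are dropped, not reconstructed.

```python
"""Parsers for the redirect URL and the cache-file name fragments (added example)."""
from typing import Dict, List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Redirect address quoted verbatim in the first post.
REDIRECT = ("http://images.google.com/images?q=http://ad.yieldmanager.com/st"
            "?ad_type=iframe&ad_size=300x600&section=623720")

# Visible middle of the two undeletable file names quoted in Reply #4.
# The "..." on either side is cut off on the page and is not filled in here.
FRAGMENTS = [
    "=ist;kw=cordage;tid=18486;scat=words;scat=others;s",
    "literature;scat=investing;pcat=business;pos=1;til",
]


def explain_redirect(url: str) -> Dict[str, object]:
    """Split the outer URL the way the receiving web server does.

    parse_qsl splits the query on '&' first, so an unencoded nested URL loses
    everything after its own first '&' to the outer URL's parameter list.
    """
    outer = urlsplit(url)
    params = parse_qsl(outer.query, keep_blank_values=True)
    q = next((value for key, value in params if key == "q"), "")
    inner = urlsplit(q)
    return {
        "outer_host": outer.hostname,
        "q_as_received": q,                 # what the search box showed
        "inner_host": inner.hostname,
        "stray_params": [key for key, _ in params if key != "q"],
    }


def build_search_url(inner_url: str) -> str:
    """The same redirect with the nested URL percent-encoded, for comparison.

    urlencode escapes ':', '/', '?', '&' and '=' inside the value, so the whole
    inner URL survives a round trip through parse_qsl.
    """
    query = urlencode({"q": inner_url})
    return urlunsplit(("http", "images.google.com", "/images", query, ""))


def parse_targeting(fragment: str) -> Dict[str, List[str]]:
    """Parse a ';'-delimited key=value string into key -> list of values.

    The first and last tokens are discarded because they are cut off by the
    "..." in the post. Repeated keys (scat=words;scat=others) are kept in order.
    Assumption: the strings are ad-targeting parameters embedded in a cache
    file name; the thread itself does not say what they are.
    """
    tokens = fragment.split(";")[1:-1]
    out: Dict[str, List[str]] = {}
    for token in tokens:
        key, _, value = token.partition("=")
        out.setdefault(key, []).append(value)
    return out


if __name__ == "__main__":
    print(explain_redirect(REDIRECT))
    inner = "http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x600&section=623720"
    print(build_search_url(inner))
    for fragment in FRAGMENTS:
        print(parse_targeting(fragment))
```

The `stray_params` list (`ad_size`, `section`) is the tell: those keys belong to the ad server, not to Google, and their presence on the outer URL is exactly what an unencoded nested URL looks like after one hop. The `kw=cordage` pair in the first fragment reads like a keyword parameter, consistent with the Thesaurus.com session mentioned above, but nothing on the page confirms that interpretation.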



1972vet
Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #5 on: June 23, 2009, 10:25:35 am »
I don't know anything at all about the product "Panicware Sureclean" but I did find that the Secunia folks had issued a security advisory regarding a vulnerability.

Try changing your search engine default to 'Google' instead of Yahoo. Let me know if that makes the difference.

Quote
BTW thank you for your service to our country (72 vet). I am a Gold Star Father of a Marine KIA in Iraq.
You are quite welcome indeed Sir...and I am deeply sorry about your loss. Salute!

alan57
Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #6 on: June 23, 2009, 11:51:19 am »
My default search engine has always been Google. I only use Yahoo for an email account.

The Sureclean program is basically a disk clean-up program. I have not used it for a couple months. I also did a disk clean-up using the Windows program. I did not get any messages about files that could not be removed. Then I ran Sureclean again and got the same prompts asking if I wanted to delete the same two files. Sureclean identifies them as read-only system files. Unfortunately it does not offer visibility or navigation to them. Maybe they are not related - but they weren't picked up last time I ran it.

I'll be working the rest of the day on this PC. I'll check out the security advisory and post back here either later this PM if I continue to see the redirect or in a couple days if I do not. So far, no crashes...

Thanks.

Offline 1972vet

Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #7 on: June 23, 2009, 07:15:49 pm »
Since hijackthis doesn't look at all the possibilities, let's use some other more advanced tools to take a deeper look:
Download DDS from here or here...save it to your desktop.
  • Disable any script blocker that you may have running on board
  • Double click dds.scr to run the tool
  • When done, DDS will open two (2) logs
    • 1. DDS.txt
    • 2. Attach.txt
  • Save both reports to your desktop


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to your desktop
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <--don't miss this one
  • Then click the Scan button & wait for it to finish
  • Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop


**Caution**
Rootkit scans often produce false positives.


Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.

...when finished, please post those logs back here. Thanks!

Offline alan57

Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #8 on: June 26, 2009, 02:21:27 pm »
I found a suggestion given to someone else with the same redirect problem to remove a registry key identical to one in mine, so I removed it:

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll

I also uninstalled the error redirector program. So far since my last post I have not had the redirect issue. My PC locked up only once since - that was this morning, but my kid was on it yesterday so that may have been a RAM issue - don't know.

I followed the instructions on your last post and here are the logs. The ATTACH log file said to attach that file and not post it, so I attached that one. Hope that is correct.


DDS (Ver_09-06-26.01) - NTFSx86 
Run by Alan at 15:13:55.55 on Fri 06/26/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2942.1215 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated)   {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: BitDefender Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
FW: BitDefender Firewall *enabled*   {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Panicware\SureClean Professional\SRClean.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Alan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://search.myheritage.com
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5654
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [Profiler] c:\program files\saitek\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\software\SaiMfd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\alan\appdata\roaming\mozilla\firefox\profiles\tcfu6bth.default\
FF - prefs.js: browser.search.selectedEngine - MyHeritage Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-2-17 1153368]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-2-12 104328]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 172032]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [2009-5-12 182528]

=============== Created Last 30 ================

2009-06-20 16:34   410,984   a-------   c:\windows\system32\deploytk.dll
2009-06-18 11:02   90,112   a-------   c:\windows\unvise32.exe
2009-06-18 09:26   <DIR>   --d-----   c:\program files\iPod
2009-06-18 09:26   <DIR>   --d-----   c:\program files\iTunes
2009-06-16 22:01   <DIR>   --d-----   c:\users\alan\appdata\roaming\iPod Copy Expert
2009-06-16 22:01   <DIR>   --d-----   c:\program files\iPod Copy Expert
2009-06-16 15:18   <DIR>   --d-----   c:\program files\Trend Micro
2009-06-13 16:37   428,544   a-------   c:\windows\system32\EncDec.dll
2009-06-13 16:37   293,376   a-------   c:\windows\system32\psisdecd.dll
2009-06-13 16:37   217,088   a-------   c:\windows\system32\psisrndr.ax
2009-06-13 16:37   177,664   a-------   c:\windows\system32\mpg2splt.ax
2009-06-13 16:37   80,896   a-------   c:\windows\system32\MSNP.ax

==================== Find3M  ====================

2009-06-24 22:37   81,984   a-------   c:\windows\system32\bdod.bin
2009-06-18 09:23   143,360   a-------   c:\windows\inf\infstrng.dat
2009-06-18 09:23   86,016   a-------   c:\windows\inf\infstor.dat
2009-06-18 09:23   51,200   a-------   c:\windows\inf\infpub.dat
2009-05-26 06:45   116,841   a-------   c:\windows\hpqins00.dat
2009-05-09 01:50   915,456   a-------   c:\windows\system32\wininet.dll
2009-05-09 01:34   71,680   a-------   c:\windows\system32\iesetup.dll
2009-05-05 21:24   104,872   a-------   c:\users\alan\appdata\roaming\GDIPFONTCACHEV1.DAT
2009-04-28 15:45   815   a-------   C:\rtsr_eml_sr.dat
2009-04-28 15:45   141   a-------   C:\dwl.dat
2009-04-28 15:45   132   a-------   C:\httpdwl.dat
2009-04-23 08:43   784,896   a-------   c:\windows\system32\rpcrt4.dll
2009-04-23 08:42   636,928   a-------   c:\windows\system32\localspl.dll
2009-04-21 07:55   2,033,152   a-------   c:\windows\system32\win32k.sys
2008-12-01 17:50   0   a-------   c:\users\alan\appdata\roaming\wklnhst.dat
2008-07-04 14:39   174   a--sh---   c:\program files\desktop.ini
2008-07-04 14:31   665,600   a-------   c:\windows\inf\drvindex.dat
2006-11-02 08:42   287,440   a-------   c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42   287,440   a-------   c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42   30,674   a-------   c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42   30,674   a-------   c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20   287,440   a-------   c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20   287,440   a-------   c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20   30,674   a-------   c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20   30,674   a-------   c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:14:44.43 ===============

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-26 16:03:27
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT            \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys  ZwOpenProcess [0x81BE0C90]
SSDT            \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys  ZwOpenThread [0x81BE0D7E]
SSDT            \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys  ZwTerminateProcess [0x81BE0BF4]
SSDT            \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys  ZwTerminateThread [0x81BE0EC4]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                          trufos.sys
AttachedDevice  \Driver\tdx \Device\Tcp                                         bdftdif.sys
AttachedDevice  \Driver\tdx \Device\Udp                                         bdftdif.sys
AttachedDevice  \FileSystem\fastfat \Fat                                        fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                                        trufos.sys

---- EOF - GMER 1.0.15 ----
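Before a BHO is removed on the strength of a forum suggestion, it helps to pull the BHO entries out of the logs and triage them. The following is an added example, not a tool from this thread: it parses the two BHO line formats that appear above (the HijackThis "O2 - BHO:" line and the DDS "BHO:" lines), using this thread's own entries as constructed sample input, and flags entries for review without touching the system. The review heuristics and the EXPECTED_ROOTS list are assumptions.

```python
"""Triage Browser Helper Object (BHO) entries from HijackThis / DDS logs.

Added example for this thread, not a tool posted in it. It parses the two
line formats shown in the logs above and attaches review reasons to each
entry so a reader can see what to look at before editing the registry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input, copied from the formats in this thread: the O2
# line alan57 removed plus three DDS "BHO:" lines from his DDS log.
SAMPLE_LINES = r"""
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
"""

CLSID = r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
HJT_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.+)$")
DDS_RE = re.compile(r"^BHO: (?P<name>.*?): " + CLSID + r" - (?P<path>.+)$")

# BHOs are registered under this key; the CLSID then resolves to its DLL via
# HKCR\CLSID\{clsid}\InProcServer32. Both are where a reviewer looks first.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Assumption: directories a legitimately installed BHO normally lives under
# (8.3 short names included, because DDS prints some paths that way).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\progra~2\\")
SUSPECT_WORDS = ("redirect", "search assist")   # assumption: name keywords worth a look


@dataclass
class BhoEntry:
    source: str            # "hijackthis" or "dds"
    name: str
    clsid: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)

    @property
    def registry_key(self) -> str:
        """Registry key a reviewer would inspect (and export) before any change."""
        return BHO_KEY + "\\" + self.clsid


def parse_bho_line(line: str) -> Optional[BhoEntry]:
    """Return a BhoEntry for an O2/BHO log line, or None for any other line."""
    line = line.strip()
    for source, pattern in (("hijackthis", HJT_RE), ("dds", DDS_RE)):
        m = pattern.match(line)
        if m:
            return BhoEntry(source, m["name"], m["clsid"], m["path"])
    return None


def triage(entry: BhoEntry) -> BhoEntry:
    """Attach human-readable review reasons to one entry; never modifies the system."""
    path = entry.path.lower()
    if path == "(no file)":          # HijackThis prints this for a dangling BHO
        entry.reasons.append("registered but DLL missing (orphaned entry)")
    elif not path.startswith(EXPECTED_ROOTS):
        entry.reasons.append("DLL loads from outside Program Files: " + entry.path)
    if any(w in entry.name.lower() for w in SUSPECT_WORDS):
        entry.reasons.append("name suggests address/search interception: " + entry.name)
    return entry


def triage_report(log_text: str) -> List[BhoEntry]:
    """Parse every BHO line in a log and triage each one."""
    entries = [e for e in map(parse_bho_line, log_text.splitlines()) if e]
    return [triage(e) for e in entries]


if __name__ == "__main__":
    for e in triage_report(SAMPLE_LINES):
        status = "REVIEW" if e.flagged else "ok    "
        print(f"{status} {e.name} {e.clsid}")
        for r in e.reasons:
            print("       -", r)
        if e.flagged:
            print("       key:", e.registry_key)
```

On the sample input only the BAE.dll entry is flagged (it loads from system32 and its name says "Redirector"); the Spybot, Adobe and Google entries pass, which matches the helper's reading of the log.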

Offline 1972vet

Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #9 on: June 26, 2009, 05:43:30 pm »
Quote
I found a suggestion given to someone else with the same redirect problem to remove a registry key identical to one in mine, so I removed it:
I'm not so sure that was a good idea. If you didn't download that software then HP probably bundled it with something. The browser address error redirector has its useful purpose...even though some think it's debatable as to whether that's true or not...you can read more here on that. However, if you are no longer having the issue since you removed it, then I'd suggest leaving well enough alone.

Your Adobe Reader has been reported to have a vulnerability. Read Here for more info and update instructions.

Do you like that Microsoft Flight Simulator? Just curious. I had that installed some time ago but in spite of the HUGE hard drive, my system still would freeze up in a few minutes.

Now...about your logs. It does seem that there is a problem. Please download combofix from This Web page...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.  It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Offline alan57

Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #10 on: June 26, 2009, 10:41:28 pm »
Actually I never played flight simulator - it's my 14 yr old son's. He has his own PC but still insists on putting stuff on mine. Dad's is always better, for some reason. The only game I really got into was playing Space Empires online. I got so addicted to it that my wife was ready to leave. I decided I couldn't play it without playing to win and playing to win took toooo many hours so I had to treat it like any other addiction and remove it from my life altogether - in this case hit uninstall!

OK, here is the log. Thanks!!!

ComboFix 09-06-26.02 - Alan 06/27/2009  0:18.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2942.1425 [GMT -4:00]
Running from: c:\users\Alan\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\nY.exe
D:\Autorun.inf
D:\Desktop.ini

.
(((((((((((((((((((((((((   Files Created from 2009-05-27 to 2009-06-27  )))))))))))))))))))))))))))))))
.

2009-06-27 04:24 . 2009-06-27 04:24   --------   d-----w-   c:\users\Alan\AppData\Local\temp
2009-06-20 20:34 . 2009-06-20 20:34   410984   ----a-w-   c:\windows\system32\deploytk.dll
2009-06-19 15:07 . 2008-12-04 05:25   120832   ----a-w-   c:\users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\tcfu6bth.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-18 15:02 . 2008-01-30 20:36   90112   ----a-w-   c:\windows\unvise32.exe
2009-06-18 13:26 . 2009-06-18 13:26   --------   d-----w-   c:\program files\iPod
2009-06-18 13:26 . 2009-06-18 13:27   --------   d-----w-   c:\program files\iTunes
2009-06-18 13:25 . 2009-06-18 13:25   --------   d-----w-   c:\program files\QuickTime
2009-06-18 13:21 . 2009-06-18 13:21   75048   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-17 02:01 . 2009-06-17 02:01   --------   d-----w-   c:\users\Alan\AppData\Roaming\iPod Copy Expert
2009-06-17 02:01 . 2009-06-17 02:01   --------   d-----w-   c:\program files\iPod Copy Expert
2009-06-16 19:18 . 2009-06-16 19:18   --------   d-----w-   c:\program files\Trend Micro
2009-06-13 20:37 . 2009-04-30 12:37   293376   ----a-w-   c:\windows\system32\psisdecd.dll
2009-06-13 20:37 . 2009-04-30 12:37   428544   ----a-w-   c:\windows\system32\EncDec.dll
2009-06-09 01:05 . 2009-06-09 01:05   758088   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 03:53 . 2008-02-25 01:52   --------   d-----w-   c:\program files\Common Files\Adobe
2009-06-26 16:27 . 2008-02-17 20:58   --------   d-----w-   c:\users\Alan\AppData\Roaming\Spare Backup
2009-06-26 15:43 . 2007-11-18 01:12   --------   d-----w-   c:\program files\Gateway Games
2009-06-26 14:24 . 2007-11-18 01:12   --------   d-----w-   c:\programdata\WildTangent
2009-06-25 02:37 . 2008-02-17 21:32   81984   ----a-w-   c:\windows\system32\bdod.bin
2009-06-20 20:34 . 2007-11-18 01:07   --------   d-----w-   c:\program files\Java
2009-06-18 13:26 . 2008-04-26 19:08   --------   d-----w-   c:\program files\Common Files\Apple
2009-06-16 19:50 . 2007-11-18 01:07   --------   d-----w-   c:\program files\BigFix
2009-06-16 19:48 . 2007-11-18 00:53   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-06-14 07:09 . 2008-02-18 03:39   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2009-06-10 07:10 . 2007-11-18 01:01   --------   d-----w-   c:\program files\Microsoft Works
2009-06-10 07:08 . 2007-11-18 01:04   --------   d-----w-   c:\programdata\Microsoft Help
2009-05-26 10:45 . 2009-05-26 10:44   116841   ----a-w-   c:\windows\hpqins00.dat
2009-05-24 04:00 . 2009-01-20 23:21   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2009-05-24 03:59 . 2008-07-21 17:58   38208   ----a-w-   c:\users\Alan\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-20 12:43 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Microsoft Games
2009-05-16 15:02 . 2009-05-16 15:02   416128   ----a-w-   c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-05-15 14:20 . 2007-11-18 01:06   --------   d-----w-   c:\program files\Google
2009-05-15 07:01 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2009-05-12 20:19 . 2009-05-12 20:19   --------   d-----w-   c:\program files\Saitek
2009-05-09 05:50 . 2009-06-09 20:00   915456   ----a-w-   c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-09 20:00   71680   ----a-w-   c:\windows\system32\iesetup.dll
2009-05-03 14:27 . 2009-05-03 14:27   652296   ----a-w-   c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2009-05-03 01:33 . 2008-02-17 20:57   104872   ----a-w-   c:\users\Alan\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-02 17:42 . 2009-05-02 17:42   --------   d-----w-   c:\program files\Common Files\Microsoft Games
2009-04-30 02:41 . 2009-04-30 02:41   --------   d-----w-   c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-28 19:45 . 2009-02-27 22:24   815   ----a-w-   C:\rtsr_eml_sr.dat
2009-04-28 19:45 . 2009-02-27 22:24   141   ----a-w-   C:\dwl.dat
2009-04-28 19:45 . 2009-02-27 22:24   132   ----a-w-   C:\httpdwl.dat
2009-04-23 12:43 . 2009-06-09 20:00   784896   ----a-w-   c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-09 20:00   636928   ----a-w-   c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-09 20:00   2033152   ----a-w-   c:\windows\system32\win32k.sys
2009-04-13 04:58 . 2009-04-13 04:58   4667176   ----a-w-   c:\programdata\TaxCut\2008\Downloads\TaxCutPA.exe
2009-04-03 20:38 . 2009-04-03 20:37   29813256   ----a-w-   c:\programdata\TaxCut\2008\Update\US68017101cupd.exe
2009-03-05 22:08 . 2009-04-10 06:07   49664   ----a-w-   c:\program files\mozilla firefox\components\FFComm.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2008-07-03 812952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-18 1838592]
"Spare Backup"="c:\program files\Spare Backup\SpareBackup.exe" [2007-09-14 5252936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-06-16 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"Profiler"="c:\program files\Saitek\Software\ProfilerU.exe" [2006-08-09 184320]
"SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2006-08-14 126976]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-20 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1BCF0540-5DBB-4207-BD79-B91AE17F7764}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2347CD1A-B4A1-4172-993B-87B3234557A3}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C2996805-8CF9-4089-B46C-95FC71D0EE5B}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{7175E24F-EED1-4CCE-A91C-FB5CE1391A6C}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{1F4CFADC-1182-4A33-9DDC-AF23844DB480}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{E13CE6DA-7CE2-4777-B9C0-C2418EF4EFC2}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{52FC2DB3-7584-42F4-8DE4-7F2DD8311813}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{DE8BFB1F-731B-4424-9F89-D874C0D79B18}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{E88F080E-3C3A-4A7F-A60B-34DD7A3DE6A8}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{979975F0-2020-4F32-8E46-833AE7CB59CB}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{47E6BFCE-1244-45DE-8961-C94318127FA0}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{8F734273-9ACA-403C-B99B-54972B16B5B9}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{91768011-E458-4545-AF2F-CD26BF8002EE}"= Disabled:UDP:c:\users\Alan\AppData\Local\Temp\7zSFE84.tmp\setup\HPZnui01.exe:hpznui01.exe
"{7D3996FA-7ED0-4A02-9EA6-90B9D18D6595}"= Disabled:TCP:c:\users\Alan\AppData\Local\Temp\7zSFE84.tmp\setup\HPZnui01.exe:hpznui01.exe
"{E67B947E-CCDC-49CD-9D02-F47AAEA29549}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{4148C371-D1C1-4872-B1A8-E9FA7E246D44}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{03472031-8696-4F1D-87E8-4C3E1EED0E88}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{01B50C92-0F51-4891-BC9E-9907CA65608B}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{CCB2301F-A24A-4DD5-A7F5-B56E57506F76}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{F8FAAAB2-03C4-4073-AB71-A1A629917057}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{34B8617D-B06A-4C0B-B664-51A09032BA7B}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{825D79FE-6931-4173-ACA3-F8EA33775761}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{063BDC1D-6321-40D8-BF38-966C05F54B26}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{536F0F56-396C-433F-BA8E-6BFFFFAF80AA}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{5022D31D-0A51-4EAE-86ED-0935F93A0845}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{37AA17F6-800D-4372-B3CB-DBE14ADE9551}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{C933475C-E639-4B40-9EBC-2A9F873A7F7C}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{525DA015-0CC4-45B9-BC0A-B6CFC09BAE27}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{CF9288FE-1C8C-499A-8C4B-6BDB19F976CB}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F6FA1D82-BD8C-4E8D-BD6B-495A83EF837B}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{84DC9834-A8BF-445D-89D0-22C010EAD105}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{45B99856-D801-4F6E-AFA9-296DFFD32A70}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{219C0073-90E0-4658-9554-CCD0632A9DE8}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{19813B27-548C-482D-BA0C-65F7748B9792}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{A53D6E33-4D48-4BB2-99AF-0ADB66869DBD}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{74AA3727-BEE2-4882-A2C6-398FBC941A33}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BA1B761A-9E8C-4B31-A058-A05B4672495B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{73EE18C3-2B77-4CB2-AAEF-BD2FB03D0929}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{EF1B8132-5FD6-4723-8ECB-89D296F496EC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{21658052-D510-4CD8-983E-F2C89EDF4E8A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2/17/2008 11:39 PM 1153368]
R3 bdfm;BDFM;c:\windows\System32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\System32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104328]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 6:25 AM 2589184]
S3 SaiH0461;SaiH0461;c:\windows\System32\drivers\SaiH0461.sys [5/12/2009 4:16 PM 182528]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 3279B914
*NewlyCreated* - AUJASNKJ
*NewlyCreated* - DD0C6DBF
*Deregistered* - 3279b914
*Deregistered* - aujasnkj
*Deregistered* - dd0c6dbf

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
HPService   REG_MULTI_SZ      HPSLPSVC
bdx   REG_MULTI_SZ      scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://search.myheritage.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\tcfu6bth.default\
FF - prefs.js: browser.search.selectedEngine - MyHeritage Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 00:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


c:\users\Alan\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-27  0:27
ComboFix-quarantined-files.txt  2009-06-27 04:27

Pre-Run: 274,484,936,704 bytes free
Post-Run: 274,407,309,312 bytes free

218   --- E O F ---   2009-06-25 16:54
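
The registry portion of a ComboFix log like the one above (Security Center monitoring flags, the per-profile `EnableFirewall` values, and the `@Denied` lines that mark a locked key) is what a malware-removal helper reads first. The script below is an added example, not part of this thread and not code from ComboFix or its author; it parses ComboFix-style `[key]` / `"name"=value` lines and flags the settings that weaken the machine's defences. The input is a constructed sample in the same format as the log above, with one firewall profile changed to the enabled case so both outcomes are exercised. Caveat a practitioner should keep in mind: a third-party security suite (BitDefender on this machine) routinely sets `DisableMonitoring` and may manage the Windows Firewall itself, so these are triage prompts to confirm against the installed products, not proof of compromise on their own.

```python
"""Triage security-weakening settings in a ComboFix-style registry dump.

Added example for this thread; not ComboFix code. Lines are parsed in the
format ComboFix prints: "[key]" headers, '"name"=value' pairs, and
'@Denied: (perm) (principal)' ACL lines under locked keys.
"""
import re

# Constructed sample in ComboFix's registry-section format (StandardProfile
# is deliberately set to 1 here to show the "enabled" case).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DENIED_RE = re.compile(r'^@Denied:\s*\((\w+)\)\s*\((.+)\)$')


def parse_int(raw):
    """Normalise ComboFix's two integer spellings ('dword:00000001', ' 0 (0x0)').

    Returns None for anything that is not an integer (e.g. firewall rule strings).
    """
    raw = raw.strip()
    m = re.match(r'^dword:([0-9a-fA-F]{8})$', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw)
    if m:
        return int(m.group(1))
    return None


def parse_registry_dump(text):
    """Return {key: {"values": {name: int|str}, "denied": [(perm, principal)]}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {"values": {}, "denied": []})
            continue
        if current is None:
            continue  # text before the first key header is ignored
        m = DENIED_RE.match(line)
        if m:
            entries[current]["denied"].append((m.group(1), m.group(2)))
            continue
        m = VALUE_RE.match(line)
        if m:
            name, raw = m.group(1), m.group(2)
            value = parse_int(raw)
            entries[current]["values"][name] = raw.strip() if value is None else value
    return entries


def triage(entries):
    """Flag weakened defences. Each finding is (category, key tail[:principal])."""
    findings = []
    for key, data in entries.items():
        lowered = key.lower()
        tail = key.rsplit("\\", 1)[-1]
        vals = data["values"]
        # Windows Firewall switched off for a profile (Domain/Public/Standard).
        if "firewallpolicy" in lowered and vals.get("EnableFirewall") == 0:
            findings.append(("firewall_off", tail))
        # Security Center told not to monitor AV/firewall state. Often set
        # legitimately by the installed security suite; confirm before acting.
        if "security center\\monitoring" in lowered and vals.get("DisableMonitoring") == 1:
            findings.append(("security_center_monitoring_off", tail))
        # A key whose ACL denies access: ComboFix lists these as LOCKED REGISTRY KEYS.
        for _perm, principal in data["denied"]:
            findings.append(("locked_key", f"{tail}:{principal}"))
    return findings


def triage_log(text):
    return triage(parse_registry_dump(text))


if __name__ == "__main__":
    for category, where in triage_log(SAMPLE_LOG):
        print(f"{category:32s} {where}")
```

Run it as-is to see the six findings from the constructed sample; feed it the registry section of a real ComboFix log to get the same summary for that machine.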

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #11 on: June 27, 2009, 05:55:45 am »
It's looking better, but the evidence from that log shows that you did have a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files. Backdoor Trojans are very dangerous. This type of malicious software uses advanced techniques to bypass security mechanisms in order to gain access to computer systems...in short, your computer now belongs to someone else. Remote attackers use Backdoor Trojans and Rootkits as part of an exploit to gain access to a computer and take control of it without your knowledge. With that in mind, I need to add my standard blurb for users that I find in your situation:
*********************************************
You are strongly advised to do the following immediately... (This comes a little late but should still be done):
  • Disconnect the infected computer from the Internet and from any networked computers until we finish with the cleaning process.
  • Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (Remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, take screenshots, log passwords, start and stop programs.
  • Take any other steps YOU think appropriate for an attempted identity theft.
You should also understand that once a system has been compromised by a Rootkit or Backdoor Trojan, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows anew. While this type of malicious software can sometimes be removed successfully, I cannot guarantee that your system will be completely safe to use for future financial transactions or storage of sensitive data.

It is dangerous and incorrect to assume that because this type of malware can be removed, that the computer can be secured. In some instances an infection of this type may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Should you decide not to follow that advice, I will do my best to help clean the computer of any infections but cannot guarantee it to be trustworthy or that the removal will be successful.
*********************************************
...Now, all that aside, should you decide to continue with this cleanup effort, then please read on...

I should say, the program you have installed, "BigFix" is no longer supported. Software such as that can become a security issue when some youngster discovers an exploit...you should uninstall it.

Additionally, the registry key:
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
...is locked. I don't know with certainty why it is but it shouldn't be so we need to unlock it.

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please, either post back the new log that will be generated, or advise us of your intention to reformat and reinstall that operating system. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.



KILLALL::


File::
C:\rtsr_eml_sr.dat
C:\dwl.dat
C:\httpdwl.dat


Folder::
c:\program files\BigFix


Reglock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline alan57

  • Bronze Member
  • Posts: 10
Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #12 on: June 28, 2009, 07:39:36 pm »
Thank you. This is very disturbing. First, let me rule out one thing - being computer illiterate and all. A tech (I think from Gateway, not sure) had me run a program that gave them remote control to fix some issue when the PC was new - forget what it was. Is it possible that is what you are seeing?

If not, then I will have to wipe out my HD because I need a secure PC. What about the back-up data? The links say to back up your data but I imagine the virus would attach itself to any other media, so my back up drives should be wiped out too and CD-Rs I have are worthless (?). Should I use a service - like Carbonite? Perhaps back up my PC with them, then wipe it out and recover my data. I am guessing that they have protection in place to prevent the trojan from transferring to them. Perhaps it doesn't work this way, like I said I am PC illiterate. And now I temporarily have no credit card to start any service anyway.

I have my tax records on the HD - someone could have my SS #. I guess there is nothing I can do about that. Looks like no one used our CC - I cancelled them.

I have been having trouble with Bitdefender for a couple of months. It seems like every day the service stops responding and I have to reboot to start it again. Their customer service department is next to worthless. They got back to me after almost 2 weeks, had me reinstall the program, which I told them I had already tried, and now have not responded since. I am really pissed about that.
 

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • Posts: 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #13 on: June 28, 2009, 08:26:36 pm »
Quote
A tech (I think from Gateway, not sure) had me run a program that gave them remote control to fix some issue when the PC was new - forget what it was. Is it possible that is what you are seeing?
No, it's not anything like that. The file that raised the red flag was removed by combofix but as stated previously, there is no way to fully trust a system that has been compromised unless you basically start over from scratch...that is, changing all your passwords etc. If you follow those instructions you should be fine. Once the hard drive has been reformatted the danger is gone.
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-12

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

Offline alan57

  • Bronze Member
  • Posts: 10
Re: [Inactive] Link Redirects and Periodic Computer Crashes
« Reply #14 on: June 28, 2009, 10:40:50 pm »
I am reading what seem to be conflicts within the various information given by the links you provided. One says to back up your data but the other one says that data backups might also be infected. I am going to reformat, but am not sure about what is safe regarding my backed up data. Can I safely save my data or use previous backups?