Author Topic: [Res]Browser Redirect  (Read 1135 times)


Offline MEHammer

  • Bronze Member
  • Posts: 7
[Res]Browser Redirect
« on: April 15, 2010, 09:12:37 PM »
I have the same issues as many other posts I've seen in this forum.
We have been working on this on and off for the past month. It started as the fake antivirus messages.
I cleaned that up, but the browser redirect continued and the fake antivirus / fake antimalware came back.
I have run Malwarebytes Anti-Malware and Spybot S&D.
Malwarebytes found several items and cleaned them.
I have had AVG 8 running. It has found/blocked some Generic17.SC (?), Exploit Neosploit Toolkit (type 779) and Exploit Rogue Scanner (type 959=8) in the redirected browser pages.
I recently ran CCleaner.
Recent Malwarebytes runs have been clean, but the browser (both IE and Firefox) redirect continues (especially from Google search results).

Here's my HijackThis log:

------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:42 PM, on 4/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\MySoftware\intercom.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Owner\My Documents\AntiMalware\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\intercom.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 6474 bytes
« Last Edit: April 16, 2010, 08:20:44 AM by Rorschach112 »
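The HijackThis log above already contains the one line that accounts for the symptom. R1 ProxyServer = http=127.0.0.1:5555 tells Internet Explorer to send all HTTP through a listener on the machine itself. A home PC with no deliberately installed local filtering proxy has no such entry, and a process that sits between the browser and the network can rewrite search-result clicks at will, which matches the redirects the poster describes. The script below is an added example, not part of the original post and not HijackThis code: it runs a few first-pass triage rules over HijackThis lines. The embedded sample lines are copied from the log above; the rules and the severity labels are the editor's own, not anything HijackThis emits.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Lines excerpted verbatim from the HijackThis log above. The AVG BHO line is
# included as a control that the rules below must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
"""

PROXY_RE = re.compile(r"Internet Settings,ProxyServer = (?P<value>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
RANK = {"high": 0, "medium": 1, "low": 2}


def parse_proxy(value: str) -> List[Tuple[str, str, int]]:
    """Split an IE ProxyServer value into (scheme, host, port) triples.

    IE stores either "host:port" (used for every protocol, returned here with
    scheme "*") or a ";"-separated list of "scheme=host:port" entries, which is
    the form seen in the log above.
    """
    triples = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        host = host.strip("[]")  # tolerate a bracketed IPv6 literal
        triples.append((scheme or "*", host, int(port) if port.isdigit() else 0))
    return triples


def is_local(host: str) -> bool:
    """True for localhost or any loopback address (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log: str) -> List[Dict[str, str]]:
    """Apply first-pass rules to HijackThis lines; return findings, highest
    severity first. Rules, in priority order (editor's own, not HijackThis):
      1. ProxyServer pointing at a local listener: a process on this PC is
         interposing on browser traffic (high).
      2. Orphaned entries whose target file is gone: cleanup items (low).
      3. O16 DPF entries: ActiveX controls downloaded from the web (medium).
    """
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        m = PROXY_RE.search(line)
        if m:
            for scheme, host, port in parse_proxy(m.group("value")):
                if is_local(host):
                    findings.append({"section": section, "severity": "high", "line": line,
                                     "reason": f"{scheme} proxy points at local listener {host}:{port}"})
        elif any(marker in line for marker in ORPHAN_MARKERS):
            findings.append({"section": section, "severity": "low", "line": line,
                             "reason": "orphaned entry, target file absent; tidy up, not proof of infection"})
        elif section == "O16":
            findings.append({"section": section, "severity": "medium", "line": line,
                             "reason": "ActiveX control downloaded from a web site; confirm the publisher"})
    return sorted(findings, key=lambda f: RANK[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']}: {f['reason']}")
```

The loopback rule is deliberately strict. On a managed corporate build a local proxy can be legitimate, so treat a hit as a prompt to find out which process owns that port (on XP, `netstat -ano` lists the owning PID) rather than as a verdict; on a home PC with no such software, as here, it is the lead to chase first.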



Offline Rorschach112

  • Malware Removal Staff
  • Bronze Member
  • Posts: 313
Re: Browser Redirect
« Reply #1 on: April 16, 2010, 08:20:26 AM »
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to your desktop
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <--don't miss this one
  • Then click the Scan button & wait for it to finish
  • Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop
**Caution**
Rootkit scans often produce false positives.
Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.
I gotta hold on to my angst. I preserve it because I need it. It keeps me sharp, on the edge, where I gotta be.


~Scratch~

Offline MEHammer

  • Bronze Member
  • Posts: 7
Re: [In Progress]Browser Redirect
« Reply #2 on: April 16, 2010, 10:55:34 PM »
Thanks for your help --

I tried the GMER scanner several times as directed, and it always stops after about 20 seconds
when it gets to Sections: C:\WINDOWS\system32\drivers\disk.sys
Then if I try to do anything, the system locks up (cursor won't move, Ctrl+Alt+Del does nothing, etc.), and I have to hold the power switch to shut down.

So I unchecked the Sections checkbox and ran it.  Here's the results:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 22:42:05
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kweyrpoc.sys


---- System - GMER 1.0.15 ----

INT 0x06        \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems)  ECA4316D
INT 0x0E        \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems)  ECA42FC2

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                         avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                        avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                        avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                      avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                         fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device           -> \Driver\atapi \Device\Harddisk0\DR0                                                                          832FDA9A
---- Processes - GMER 1.0.15 ----

Library         C:\PROGRA~1\WIFD1F~1\MpShHook.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1144]                             0x5F800000                                                               

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\drivers\atapi.sys                                                                            suspicious modification

---- EOF - GMER 1.0.15 ----

Offline Rorschach112

  • Malware Removal Staff
  • Bronze Member
  • Posts: 313
Re: [In Progress]Browser Redirect
« Reply #3 on: April 17, 2010, 09:37:34 AM »
Can you try GMER again, but uncheck everything but Sections?

Offline MEHammer

  • Bronze Member
  • Posts: 7
Re: [In Progress]Browser Redirect
« Reply #4 on: April 17, 2010, 10:02:34 AM »
After restarting the system (because it was hung), I reran GMER and unchecked everything except Sections. It started checking files and within about 5 seconds it stopped at the same place:
Sections: C:\WINDOWS\system32\drivers\disk.sys

GMER is not responding to Stop. The system is hung: it doesn't respond to Ctrl+Alt+Del, though the mouse still moves.

Offline Rorschach112

  • Malware Removal Staff
  • Bronze Member
  • Posts: 313
Re: [In Progress]Browser Redirect
« Reply #5 on: April 17, 2010, 10:12:46 AM »
OK, do this:

Please download ComboFix and save it to your desktop:

Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Offline MEHammer

  • Bronze Member
  • Posts: 7
Re: [In Progress]Browser Redirect
« Reply #6 on: April 17, 2010, 11:20:27 AM »
ComboFix 10-04-15.05 - Owner 04/17/2010  10:51:08.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.238 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe
c:\recycler\NPROTECT
c:\recycler\NPROTECT\00000898.
c:\recycler\NPROTECT\00000944.
c:\recycler\NPROTECT\00000961.
c:\recycler\NPROTECT\00000963.
c:\recycler\NPROTECT\00000978.
c:\recycler\NPROTECT\00023208.
c:\recycler\NPROTECT\00023209.
c:\recycler\NPROTECT\00023210.
c:\recycler\NPROTECT\00023214.
c:\recycler\NPROTECT\00023215.
c:\recycler\NPROTECT\00023216.
c:\recycler\NPROTECT\00023229.
c:\recycler\NPROTECT\00023230.
c:\recycler\NPROTECT\00023231.
c:\recycler\S-1-5-21-1409082233-2111687655-1801674531-1003
c:\windows\system\oeminfo.ini
c:\windows\system32\reboot.txt

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
(((((((((((((((((((((((((   Files Created from 2010-03-17 to 2010-04-17  )))))))))))))))))))))))))))))))
.

2010-04-16 23:43 . 2010-04-16 23:43   --------   d-----w-   c:\documents and settings\Owner\log
2010-04-16 23:43 . 2010-04-16 23:43   161296   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2010-04-16 02:16 . 2010-04-16 02:16   --------   d-----w-   c:\program files\CCleaner
2010-04-13 04:01 . 2010-04-13 04:03   --------   d-----w-   C:\tempfix
2010-04-12 10:29 . 2009-10-23 15:28   3558912   ------w-   c:\windows\system32\dllcache\moviemk.exe
2010-04-11 21:16 . 2010-04-12 02:10   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\avG
2010-04-11 20:55 . 2001-08-17 19:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
2010-04-11 20:55 . 2001-08-17 19:48   12160   ----a-w-   c:\windows\system32\dllcache\mouhid.sys
2010-04-11 20:54 . 2008-04-13 18:45   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
2010-04-11 20:54 . 2008-04-13 18:45   10368   ----a-w-   c:\windows\system32\dllcache\hidusb.sys
2010-03-19 23:33 . 2010-03-19 23:33   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-19 23:33 . 2010-03-30 06:46   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 23:33 . 2010-04-16 03:25   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-03-19 23:33 . 2010-03-30 06:45   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-03-19 23:33 . 2010-03-19 23:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 23:14 . 2010-03-19 23:14   --------   d-----w-   c:\documents and settings\Owner\Application Data\AVG8
2010-03-19 23:07 . 2010-03-19 23:07   --------   d-----w-   c:\windows\system32\wbem\Repository
2010-03-19 21:56 . 2010-04-12 10:26   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-03-19 21:56 . 2010-04-12 10:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 04:33 . 2001-08-17 20:51   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-04-12 10:07 . 1999-06-02 04:49   --------   d-----w-   c:\program files\WildTangent
2010-03-19 23:34 . 2010-03-19 23:34   5115824   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-26 05:43 . 2005-10-21 18:51   667136   ----a-w-   c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-08-04 07:56   81920   ------w-   c:\windows\system32\ieencode.dll
2005-03-23 21:55 . 2005-03-23 21:55   798244   ----a-w-   c:\program files\Metricconvertsetup.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3tray2.exe" [2001-10-04 69632]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-14 45056]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-27 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
MySoftware InterCom.lnk - c:\program files\Common Files\MySoftware\intercom.exe [2002-5-9 238080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 15:01   11952   ----a-w-   c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=c:\windows\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=c:\windows\pss\hp center.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\drivers\avgldx86.sys [6/10/2009 9:16 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\drivers\avgtdix.sys [6/10/2009 9:16 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/10/2009 9:15 PM 297752]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 11:02 AM 1213728]
.
Contents of the 'Scheduled Tasks' folder

2002-05-09 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-05-03 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://srch-us4.hpwis.com/
mStart Page = hxxp://us4.hpwis.com/
mSearch Bar = hxxp://srch-us4.hpwis.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ejrfszz1.default\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
AddRemove-Works2002Setup - c:\program files\Microsoft Works and Money 2002\Setup\Launcher.exe \hp\tmp\src\



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 11:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1676)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvsvc32.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-17  11:11:32 - machine was rebooted
ComboFix-quarantined-files.txt  2010-04-17 17:11

Pre-Run: 18,370,555,904 bytes free
Post-Run: 18,490,056,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn

- - End Of File - - 1D8FCD1F76745172D626D263011DFA75
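Three independent tools in this thread point at the same file. GMER reported atapi.sys as "suspicious modification" and showed the \Driver\atapi device object resolving to an unnamed address; ComboFix reports "Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected"; and the Kaspersky scan further down identifies the quarantined copy as Rootkit.Win32.Tdss.ai. The TDSS family patches an existing boot-start driver in place rather than dropping a new file, so the file keeps its name and size, and the only trace in a file listing is a years-old driver with a recent write. The script below is an added example, not part of the original post and not ComboFix code: it parses the per-file lines from ComboFix's listing (copied from the report above), flags files under \drivers\ whose two timestamps are years apart, and then looks for a dllcache twin with identical timestamps and size, which is what a legitimate copy out of the Windows file cache looks like (mouhid.sys here) as opposed to an in-place patch (atapi.sys). ComboFix does not label its two timestamp columns, so the example assumes only that both describe the same file and compares their difference.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple

# Lines excerpted verbatim from the ComboFix report above ("Files Created" and
# Find3M sections, plus the disinfection notice); one directory line is kept to
# show that non-file entries are skipped.
SAMPLE_REPORT = r"""
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
2010-04-16 04:33 . 2001-08-17 20:51   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-04-16 23:43 . 2010-04-16 23:43   161296   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2010-04-16 02:16 . 2010-04-16 02:16   --------   d-----w-   c:\program files\CCleaner
2010-04-11 20:55 . 2001-08-17 19:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
2010-04-11 20:55 . 2001-08-17 19:48   12160   ----a-w-   c:\windows\system32\dllcache\mouhid.sys
2010-03-19 23:33 . 2010-03-30 06:46   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-26 05:43 . 2005-10-21 18:51   667136   ----a-w-   c:\windows\system32\wininet.dll
"""

# Assumed line shape: "<ts> . <ts>   <size-or-dashes>   <attrs>   <path>"
FILE_RE = re.compile(
    r"^(?P<a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<b>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
DISINFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected")


class Entry(NamedTuple):
    ts_a: datetime   # first timestamp column as printed by ComboFix
    ts_b: datetime   # second timestamp column
    size: int
    attrs: str
    path: str        # lower-cased for matching


def parse_report(text: str) -> List[Entry]:
    """One Entry per file line; directory lines (size printed as dashes) and
    prose lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FILE_RE.match(raw.strip())
        if not m or not m.group("size").isdigit():
            continue
        entries.append(Entry(
            datetime.strptime(m.group("a"), "%Y-%m-%d %H:%M"),
            datetime.strptime(m.group("b"), "%Y-%m-%d %H:%M"),
            int(m.group("size")), m.group("attrs"), m.group("path").lower()))
    return entries


def disinfected_paths(text: str) -> List[str]:
    """Paths ComboFix says it repaired in place, lower-cased."""
    return [m.group("path").lower() for m in
            (DISINFECTED_RE.match(line.strip()) for line in text.splitlines()) if m]


def flag_patched_drivers(entries: List[Entry], min_gap_days: int = 730) -> List[Dict[str, object]]:
    """Flag files under \\drivers\\ whose two timestamps differ by more than
    min_gap_days, then look for a dllcache twin (same name, size and both
    timestamps), which is what a legitimate copy out of the Windows file cache
    looks like. A years-old driver with a fresh write and no such twin is the
    pattern of a driver patched in place."""
    by_name: Dict[str, List[Entry]] = {}
    for e in entries:
        by_name.setdefault(e.path.rsplit("\\", 1)[-1], []).append(e)
    findings = []
    for e in entries:
        if "\\drivers\\" not in e.path:
            continue
        gap = abs((e.ts_a - e.ts_b).days)
        if gap < min_gap_days:
            continue
        name = e.path.rsplit("\\", 1)[-1]
        twin = any(t is not e and "\\dllcache\\" in t.path
                   and (t.ts_a, t.ts_b, t.size) == (e.ts_a, e.ts_b, e.size)
                   for t in by_name[name])
        findings.append({"path": e.path, "gap_days": gap,
                         "verdict": "likely legitimate copy (identical dllcache twin)" if twin
                                    else "review: timestamps years apart, no dllcache twin"})
    return findings


if __name__ == "__main__":
    entries = parse_report(SAMPLE_REPORT)
    repaired = set(disinfected_paths(SAMPLE_REPORT))
    for f in flag_patched_drivers(entries):
        tag = " (ComboFix repaired this file)" if f["path"] in repaired else ""
        print(f"{f['path']}: {f['verdict']}{tag}")
```

The timestamp gap is a triage cue, not a verdict: Windows itself copies decade-old drivers out of dllcache when new hardware is plugged in, which is why mouhid.sys shows the same gap and is cleared by its twin. A flagged file with no twin still needs a hash against a known-good copy of the same Windows version before anything is concluded.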

Offline Rorschach112

  • Malware Removal Staff
  • Bronze Member
  • Posts: 313
Re: [In Progress]Browser Redirect
« Reply #7 on: April 17, 2010, 03:29:42 PM »
Any redirects?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
    On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
    • Exit MBAM when done.
    Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




    Run an online virus scan called Kaspersky from HERE.
    1. At the main page, after reading the contents, press "Accept".
    2. At the next window select Update. Allow the database to update.
    Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
    3. Once the database has finished updating, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
    4. Select Scan Report.
    5. If any threats were found they will appear in the report.
    6. Select "Save error report as".
    Then in the file name just type in kaspersky.
    Under "save as type" select text .txt.
    Save it to your Desktop.

    Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

    Offline MEHammer

    • Bronze Member
    • Posts: 7
    Re: [In Progress]Browser Redirect
    « Reply #8 on: April 18, 2010, 12:08:08 AM »
    > any redirects ?

    I have been afraid to try it.  I didn't want to get re-infected and undo all the fixing so far.
    Is that paranoid or prudent?

    Here's the MalwareBytes log:

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 4002

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    4/17/2010 4:12:50 PM
    mbam-log-2010-04-17 (16-12-50).txt

    Scan type: Quick scan
    Objects scanned: 111581
    Time elapsed: 13 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ----------------------------------------------------
    Here's the Kaspersky log:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
     Saturday, April 17, 2010
     Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
     Kaspersky Online Scanner version: 7.0.26.13
     Last database update: Saturday, April 17, 2010 20:30:30
     Records in database: 3949147
    --------------------------------------------------------------------------------

    Scan settings:
       scan using the following database: extended
       Scan archives: yes
       Scan e-mail databases: yes

    Scan area - My Computer:
       A:\
       C:\
       D:\

    Scan statistics:
       Objects scanned: 61808
       Threats found: 5
       Infected objects found: 6
       Suspicious objects found: 1
       Scan duration: 04:44:03


    File name / Threat / Threats count
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx   Infected: Trojan-Spy.HTML.Bayfraud.kl   1
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx   Suspicious: Trojan-Spy.HTML.Fraud.gen   1
    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx   Infected: Email-Worm.Win32.Warezov.ev   3
    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\drivers\atapi.sys.vir   Infected: Rootkit.Win32.Tdss.ai   1
    C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP4\A0003154.exe   Infected: Packed.Win32.Katusha.j   1

    Selected area has been scanned.

    Offline MEHammer

    • Bronze Member
    • Posts: 7
    Re: [In Progress]Browser Redirect
    « Reply #9 on: April 18, 2010, 08:28:42 AM »
    And I tried the browsers. No redirects!
    Thanks!!
     
    What remaining cleanup should I do?


    Offline Rorschach112

    • Malware Removal Staff
    • Bronze Member
    • Posts: 313
    Re: [In Progress]Browser Redirect
    « Reply #10 on: April 18, 2010, 09:18:27 AM »
    Your logs are clean.


    Next, please click Start > Run, then copy and paste the bold text below into the Run box and click "OK":

    ComboFix /Uninstall

    Performing this function will uninstall ComboFix for you automatically.



    • Download OTC by OldTimer and save it to your desktop.
    • Double click icon to start the program.
      If you are using Vista, please right-click and choose run as administrator
    • Then Click the big button.
    • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
    • Restart your computer when prompted.




    Below I have included a number of recommendations for how to protect your computer against malware infections.
    • Keep Windows updated by regularly checking their website at:

    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.



    • Make Internet Explorer more secure
      • Click Start > Run
      • Type Inetcpl.cpl & click OK
      • Click on the Security tab
      • Click Reset all zones to default level
      • Make sure the Internet Zone is selected & Click Custom level
      • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
      • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
    Thank you for your patience and for performing all of the procedures requested.

    Offline MEHammer

    • Bronze Member
    • Posts: 7
    Re: [In Progress]Browser Redirect
    « Reply #11 on: April 18, 2010, 09:41:43 AM »
    Thanks so much for your help!  You provide a valuable service!

    I will also do the suggestions on the SpywareHammer General suggestions page, including updating my browser from IE6 to IE7 and using Firefox for most web browsing.

    Thanks again.