asilb (ASKER) asked:
my ie search engines have been hijacked

my ie search engines have been hijacked.....

have tried to find the source with AVG, Ad-Aware, Spybot, Spyware Doctor, HijackThis, the MSFT Windows software removal tool....to no avail.....

googled from another computer and found out something about the wdmaud.sys virus (in system32)....went into system32 and changed the name of it (wd....).....and then it reappeared (with a different time, same date) shortly thereafter....so it seems to have some other source that sees when it's been "fixed" and reasserts itself....

help......

thanks,.....
Kamaraj Subramanian:

Download Malwarebytes and do a full scan on your PC.
Need more information... In what way are they hijacked? What happens? Which websites are you redirected to?
asilb (ASKER):

sorry....but i forgot to mention that i did already try Malwarebytes..and it showed no viruses.....

thanks....but that didn't help.....allan....
asilb (ASKER):

gets redirected to various other commercial sites.....so far no porn....although a few times AVG said it was being sent to a "bad" site and stopped it.....

thanks......
Go to this registry path and check whether those commercial URLs are present:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl

If they are present, delete the key values.
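The registry check above can be scripted so every IE search location is inspected at once rather than browsed by hand in regedit. This is an added example, not code from the thread; the list of registry paths and the allow-list of expected hosts (including the OEM redirect host that appears in the ComboFix log later in this thread) are assumptions to adjust for the machine being cleaned.

```powershell
# Added example (not from the thread): audit the IE search-related registry values
# that search hijackers rewrite, and flag any that point outside an allow-list of
# expected hosts. $AllowedHosts is an assumption; adjust it to what belongs on the box.
param(
    [string[]] $AllowedHosts = @('www.google.com', 'search.live.com', 'ie.redirect.hp.com'),
    [switch]   $Remove
)

# Registry locations that IE 6/7/8 consults for search and start-page URLs (assumed list).
$Locations = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl',
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes'
)

function Get-UrlHost([string] $Value) {
    # Return the lower-cased host of a URL-looking value, or $null if it does not parse.
    try { return ([System.Uri] $Value).Host.ToLowerInvariant() } catch { return $null }
}

function Get-SuspectSearchValues {
    foreach ($path in $Locations) {
        if (-not (Test-Path $path)) { continue }
        # Inspect the key itself plus subkeys (SearchScopes keeps one subkey per provider).
        $keys = @(Get-Item $path) + @(Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = [string] $key.GetValue($name)
                if ($data -notmatch '^https?://') { continue }
                $hostName = Get-UrlHost $data
                if ($hostName -and ($AllowedHosts -notcontains $hostName)) {
                    [pscustomobject] @{ Key = $key.Name; Name = $name; Host = $hostName; Data = $data }
                }
            }
        }
    }
}

$suspects = @(Get-SuspectSearchValues)
if ($suspects.Count -eq 0) { Write-Host 'No search URLs outside the allow-list.'; exit 0 }
$suspects | Format-Table -AutoSize

if ($Remove) {
    # Export the hive branch first so the change can be undone (reg.exe ships with XP and later).
    $backup = Join-Path $env:TEMP ("ie-search-backup-{0:yyyyMMddHHmmss}.reg" -f (Get-Date))
    & reg.exe export 'HKCU\Software\Microsoft\Internet Explorer' $backup /y | Out-Null
    foreach ($s in $suspects) {
        $keyPath   = $s.Key -replace '^HKEY_CURRENT_USER', 'HKCU:' -replace '^HKEY_LOCAL_MACHINE', 'HKLM:'
        $valueName = if ($s.Name -eq '') { '(default)' } else { $s.Name }   # SearchUrl stores the URL in the default value
        Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Continue
    }
    Write-Host "Removed $($suspects.Count) value(s); backup written to $backup"
}
```

Run it without -Remove first and review the table; a hijacker that re-asserts itself (as the asker describes) will repopulate these values, so re-run after the file-level cleanup to confirm the fix held.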
asilb (ASKER):

itkamaraj:

could you please be more specific......not certain how you want me to proceed....how exactly do i go to that registry path?

thanks.....allan...
In your Windows taskbar click START, then RUN, type "regedit" and press Enter.

Navigate the registry like you would a file explorer.
asilb (ASKER):

codeQuantum:

thanks......did what you said.....and found it.....

did you say to just delete it?

is it very safe to do so?

are you certain this cures the wdmaud virus?

thanks again.....allan....
asilb (ASKER):

rpggamergirl:

i think you helped with this problem (and also helped me personally with computer problems before) but i think i came in in the middle of your fixing it......

could you help me out here?

thanks again......

allan.....
1) Download & Run CCleaner to wipe any related temp/junk files:
http://www.ccleaner.com/download

2) Download & run GMER (rootkit scanner) from (http://www2.gmer.net/gmer.zip)

Start GMER, select all options on the right side, and after the scan is finished click Save. Attach the log file here.

3) What's the current AV installed?

4) Are you running IE7 or what?
rpggamergirl:
Hi,
Thanks for the email.
wdmaud.sys was an old hijacker; MalwareBytes and/or Combofix should take care of it unless it's a new variant.
Please run these tools and show us the logs. You would need to rename the tools before saving to your desktop if they are blocked.
1. MBAM:
http://www.malwarebytes.org/mbam.php

2. Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Here are some tips if programs are blocked:
https://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/CAN%27T-RUN-EXES-IN-AN-INFECTED-SYSTEM.html
There have been a few search hijackers that patched system files.... if MBAM or Combofix won't fix the problem then we need to run a diagnostic tool to check for patched files.
asilb (ASKER):

rpggamergirl:.....

here's the ComboFix log.....

thanks again.....

love and blessings.....allan....



ComboFix 09-12-09.04 - HP_Administrator 12/09/2009  15:01:29.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.1416 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator.ALLAN.001\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
(((((((((((((((((((((((((   Files Created from 2009-11-09 to 2009-12-09  )))))))))))))))))))))))))))))))
.

2009-12-09 17:51 . 2009-12-09 17:51      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Local Settings\Application Data\Apple
2009-12-06 22:18 . 2009-12-06 22:18      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Local Settings\Application Data\Threat Expert
2009-12-06 21:07 . 2009-12-06 21:07      --------      d-----w-      c:\program files\Trend Micro
2009-12-06 13:07 . 2009-12-06 13:07      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Apple Computer
2009-12-06 13:07 . 2009-12-06 13:07      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Local Settings\Application Data\Apple Computer
2009-12-05 13:27 . 2009-12-09 16:35      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2009-12-05 13:27 . 2009-12-05 13:27      --------      d-----w-      c:\program files\DBXTriever
2009-12-04 18:40 . 2009-12-04 18:40      --------      d-----w-      c:\program files\CCleaner
2009-12-04 16:49 . 2009-12-04 16:49      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Sonic
2009-12-04 16:48 . 2009-12-04 16:48      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Leadertech
2009-12-04 02:21 . 2009-12-04 02:21      --------      d-----w-      c:\windows\WinSafe XP
2009-12-04 02:21 . 2009-12-04 02:25      --------      d-s---w-      c:\windows\WinSafe
2009-12-04 02:15 . 2009-12-04 02:15      --------      d-sh--w-      c:\documents and settings\HP_Administrator.ALLAN.000\PrivacIE
2009-12-04 02:15 . 2009-12-04 02:15      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.000\Application Data\StumbleUpon
2009-12-04 02:14 . 2009-12-04 02:14      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.000\Application Data\Yahoo!
2009-12-04 02:00 . 2009-12-04 02:00      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.000\Application Data\Ipswitch
2009-12-04 02:00 . 2009-12-04 02:00      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Yahoo!
2009-12-04 01:52 . 2009-12-04 02:14      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.000\Application Data\EarthLink
2009-12-03 21:20 . 2009-12-09 17:06      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Local Settings\Application Data\Adobe
2009-12-03 20:58 . 2009-12-03 20:58      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\DivX
2009-12-03 20:57 . 2009-12-04 00:07      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\skypePM
2009-12-03 20:55 . 2009-12-04 01:56      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Skype
2009-12-03 20:35 . 2009-12-03 20:35      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Malwarebytes
2009-12-03 14:44 . 2009-12-03 14:44      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Local Settings\Application Data\Identities
2009-12-03 14:43 . 2009-12-03 14:43      --------      d-sh--w-      c:\documents and settings\HP_Administrator.ALLAN.001\PrivacIE
2009-12-03 14:43 . 2009-12-04 02:00      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\StumbleUpon
2009-12-03 14:42 . 2009-12-06 12:28      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\EarthLink
2009-12-03 14:14 . 2009-12-03 14:14      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN.001\Application Data\Ipswitch
2009-12-03 00:02 . 2009-12-03 00:02      --------      d-sh--w-      c:\documents and settings\HP_Administrator.ALLAN.000\IETldCache
2009-12-02 23:49 . 2009-12-02 23:49      --------      d-sh--w-      c:\documents and settings\HP_Administrator.ALLAN\IETldCache
2009-12-02 23:49 . 2009-12-04 01:59      --------      d-----w-      c:\documents and settings\HP_Administrator.ALLAN
2009-12-02 23:45 . 2009-12-02 23:45      --------      d-----w-      c:\windows\system32\wbem\Repository

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 17:51 . 2006-09-19 17:54      --------      d-----w-      c:\program files\Apple Software Update
2009-12-07 18:03 . 2006-08-24 20:12      --------      d-----w-      c:\program files\DYMO Label
2009-12-07 11:19 . 2005-06-17 13:33      874240      ----a-w-      c:\windows\system32\drivers\iaStor.sys
2009-12-06 14:12 . 2006-05-28 07:43      --------      d-----w-      c:\program files\Google
2009-12-04 18:59 . 2006-11-01 03:14      --------      d-----w-      c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-04 18:54 . 2006-08-24 21:40      --------      d-----w-      c:\program files\EarthLink TotalAccess
2009-12-04 02:02 . 2009-01-24 21:57      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-12-04 02:00 . 2007-12-22 15:06      --------      d-----w-      c:\program files\StumbleUpon
2009-12-04 00:14 . 2009-01-24 21:57      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13 . 2009-01-24 21:57      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-11-20 18:56 . 2009-06-05 15:27      --------      d-----w-      c:\program files\QuickTime
2009-11-20 18:56 . 2006-09-19 17:54      --------      d-----w-      c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-15 18:26 . 2006-05-28 06:52      --------      d-----w-      c:\program files\Java
2009-11-09 16:43 . 2008-05-30 20:31      360584      ----a-w-      c:\windows\system32\drivers\avgtdix.sys
2009-11-05 22:30 . 2008-05-30 20:31      333192      ----a-w-      c:\windows\system32\drivers\avgldx86.sys
2009-11-05 22:30 . 2008-05-30 20:31      28424      ----a-w-      c:\windows\system32\drivers\avgmfx86.sys
2009-11-05 22:30 . 2008-05-30 20:31      12464      ----a-w-      c:\windows\system32\avgrsstx.dll
2009-11-05 22:30 . 2009-11-05 22:30      --------      d-----w-      c:\documents and settings\All Users\Application Data\avg9
2009-11-05 22:30 . 2008-05-30 20:31      --------      d-----w-      c:\program files\AVG
2009-11-01 03:13 . 2006-05-28 07:23      --------      d-----w-      c:\program files\HP Games
2009-11-01 03:12 . 2006-05-28 07:32      --------      d-----w-      c:\program files\muvee Technologies
2009-11-01 03:12 . 2006-05-28 07:05      --------      d--h--w-      c:\program files\InstallShield Installation Information
2009-11-01 03:07 . 2006-05-28 06:47      --------      d-----w-      c:\program files\GemMaster
2009-11-01 03:03 . 2006-05-28 07:33      --------      d-----w-      c:\program files\Quicken
2009-10-29 07:45 . 2004-08-10 04:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2009-10-29 00:28 . 2006-10-14 17:00      --------      d-----w-      c:\program files\Mozy
2009-10-27 20:46 . 2009-10-27 20:46      93360      ----a-w-      c:\windows\system32\drivers\SBREDrv.sys
2009-10-27 20:46 . 2009-04-24 20:43      15880      ----a-w-      c:\windows\system32\lsdelete.exe
2009-10-21 05:38 . 2004-08-10 04:00      75776      ----a-w-      c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 04:00      25088      ----a-w-      c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 04:00      265728      ------w-      c:\windows\system32\drivers\http.sys
2009-10-14 21:05 . 2009-10-14 21:05      --------      dc-h--w-      c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-13 10:30 . 2004-08-10 04:00      270336      ----a-w-      c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 04:00      149504      ----a-w-      c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 04:00      79872      ----a-w-      c:\windows\system32\raschap.dll
2009-10-11 12:17 . 2008-12-01 17:21      411368      ----a-w-      c:\windows\system32\deploytk.dll
2009-10-01 17:11 . 2006-05-28 07:20      154512      -c--a-w-      c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 12:55 . 2009-04-24 16:09      64288      ----a-w-      c:\windows\system32\drivers\Lbd.sys
2009-09-14 20:04 . 2006-10-14 17:00      54776      ----a-w-      c:\windows\system32\drivers\mozy.sys
2009-09-11 14:18 . 2004-08-10 04:00      136192      ----a-w-      c:\windows\system32\msv1_0.dll
2006-09-13 19:47 . 2006-09-13 19:47      55827      -c--a-w-      c:\program files\MS Pilgrim Terrace.pdf
2006-09-13 19:47 . 2006-09-13 19:47      72152      -c--a-w-      c:\program files\MS Bridging Office.pdf
2006-09-13 19:47 . 2006-09-13 19:47      67731      -c--a-w-      c:\program files\M  Home Plus & Lot v.1.pdf
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-10-20 19:51      2846008      ----a-w-      c:\program files\Mozy\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-10-20 19:51      2846008      ----a-w-      c:\program files\Mozy\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe -winstart" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-06 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup" [X]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe -start" [X]
"DISCover"="c:\program files\DISC\DISCover.exe nogui" [X]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe  -osboot" [X]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-13 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-19 788880]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-02-15 507904]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-06 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\Mozy\mozystat.exe [2009-10-20 2890552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-05 22:30      12464      ----a-w-      c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=c:\windows\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask.exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-10-30 16:15      30192      ----a-w-      c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24      54840      ----a-w-      c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-16 05:34      249856      ----a-w-      c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
2005-06-02 06:35      49152      ----a-w-      c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-11-02 21:52      36864      ----a-w-      c:\program files\HP\HP UT\bin\hppusg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2007-05-17 21:45      279912      ----a-w-      c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12      1695232      ----a-w-      c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2006-02-15 01:32      507904      ----a-w-      c:\windows\Samsung\PanelMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17      149280      ----a-w-      c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-12-06 14:12      39408      ----a-w-      c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\WINDOWS\\system32\\zhhp1600.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP 12\\wsftpgui.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/24/2009 8:09 AM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/30/2008 12:31 PM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/30/2008 12:31 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/5/2009 2:30 PM 285392]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 10:47 AM 65604]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1184912]
R2 MMIndexer;Media Manager Indexer;c:\program files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE [7/14/1997 11:00 PM 136704]
S2 gupdate1c9974bcdc9a83a;Google Update Service (gupdate1c9974bcdc9a83a);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2009 5:20 AM 133104]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 1:16 PM 17536]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/1/2009 7:51 AM 30192]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [9/28/2009 1:43 PM 120232]
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
Trusted Zone: trymedia.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} - hxxp://download.tenebril.com/pub/bin/scanner2008/TenebrilSpywareScanner.ocx
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-09 15:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{399560AD-16A1-1C42-B8ABCDA82BB95BD1}\{612A140D-0F00-4178-3873E27B58551793}\{AE627BFA-B567-4F9A-57DD34442A0D5150}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
   9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{58108EA6-F0F8-838F-6C2A403DB017DCAF}\{7C3918A7-E77A-99CB-B21F6D376FB586C0}\{5E9787CE-D944-C377-C12E117E9C86E636}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
   9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8472BA1A-B0FA-88F3-90386E614F860D47}\{66D81DF1-2E53-4A0F-1B744E2CE8CEDA56}\{65C0E586-2284-7A2C-F227063A6BD7FEE6}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
   9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EEC79885-4786-49D7-ED36B6E7637E50FF}\{25B171C9-78C7-18E7-FBBA7E6592C7CB70}\{6B8ADD0A-85A7-C5B5-191A2895BD30C6E1}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
   9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(740)
c:\windows\system32\WININET.dll
c:\program files\Mozy\mozyshell.dll
c:\program files\Google\Quick Search Box\bin\1.2.1150.162\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\UnToAnsi.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\common files\installshield\updateservice\issch.exe
c:\program files\DISC\DISCover.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\EarthLink TotalAccess\TaskPanl.exe
c:\program files\Mozy\mozybackup.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\DISC\DiscStreamHub.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-12-09  15:56:59 - machine was rebooted
ComboFix-quarantined-files.txt  2009-12-09 23:56

Pre-Run: 121,089,437,696 bytes free
Post-Run: 121,168,146,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - BECA71B0481DA54824BCAFC5668C24DA
The patched atapi.sys and iastor.sys would've been the ones causing the hijacks.. and now that they have been replaced, have the search hijacks stopped?

Combofix did not detect the presence of wdmaud.sys... also it wasn't among the newly created files unless wdmaud.sys got in the system over 3 months ago.
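Because the hijack here lived in patched boot-start drivers rather than in a registry value, a practical follow-up check is to verify that the live copies of those drivers still match a protected reference copy and carry a valid signature. This is an added example, not code from the thread or from ComboFix; the reference directories it searches and the driver names it defaults to (the two ComboFix replaced above) are assumptions.

```powershell
# Added example (not from the thread): look for patched boot-start drivers such as the
# atapi.sys and iaStor.sys that ComboFix replaced on this machine. Two checks:
#  1. Authenticode/catalog signature via Get-AuthenticodeSignature (reliable on Vista+;
#     on XP, Microsoft's catalog-signed drivers can report NotSigned, so lean on check 2).
#  2. SHA-256 of the live driver compared with the protected copies Windows keeps in
#     dllcache / ServicePackFiles (XP) or WinSxS (Vista+). A live file that matches no
#     reference copy, with no pending update, is what a file-patching hijacker looks like.
param(
    [string[]] $Drivers = @('atapi.sys', 'iaStor.sys')
)

function Get-Sha256([string] $Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Find-ReferenceCopies([string] $Name) {
    # Reference locations (assumed layout); each is searched only if it exists.
    # Recursing WinSxS can take a while on a large install.
    $roots = @("$env:windir\system32\dllcache", "$env:windir\ServicePackFiles\i386", "$env:windir\WinSxS")
    foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root -Filter $Name -Recurse -ErrorAction SilentlyContinue
        }
    }
}

function Test-Driver([string] $Name) {
    $live = Join-Path "$env:windir\system32\drivers" $Name
    if (-not (Test-Path $live)) {
        return [pscustomobject] @{ Driver = $Name; Present = $false; Signature = $null; HashMatch = $null; Verdict = 'absent' }
    }
    $sig      = (Get-AuthenticodeSignature -FilePath $live).Status
    $liveHash = Get-Sha256 $live
    $refs     = @(Find-ReferenceCopies $Name)
    # $matches is an automatic PowerShell variable, so use a different name here.
    $matched  = @($refs | Where-Object { (Get-Sha256 $_.FullName) -eq $liveHash })
    $hashMatch = if ($refs.Count -eq 0) { $null } else { $matched.Count -gt 0 }
    $verdict = if ($sig -eq 'Valid' -or $hashMatch -eq $true) { 'ok' }
               elseif ($hashMatch -eq $false) { 'differs from every protected copy - investigate' }
               else { 'unverified (no reference copy, signature not valid)' }
    [pscustomobject] @{ Driver = $Name; Present = $true; Signature = $sig; HashMatch = $hashMatch; Verdict = $verdict }
}

$Drivers | ForEach-Object { Test-Driver $_ } | Format-Table -AutoSize
```

A "differs" verdict is a lead, not proof: a legitimately updated driver also differs from an older cached copy, so compare file versions and dates before concluding the file was patched.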
asilb (ASKER):

rpggamergirl:

not sure what fixed it......but somehow seems to be working properly now....i'm just thankful something.....you....combofix or something.....seems to have corrected/deleted the problem......

let's give it a few days and see if everything holds perfectly.....

thanks again.....for everything.....

love and blessings.....allan....
ASKER CERTIFIED SOLUTION
rpggamergirl:

This solution is only available to members.
asilb (ASKER):

rpggamergirl:

yes.... i think you're right.....let's give it a few days to see if everything holds before we close the question.....

thanks again....

love and blessings....allan....
asilb (ASKER):

rpggamergirl really knows her stuff.......and readily makes it available in a beautiful way.....so thanks to her and experts-exchange for their wonderful help and support.....love and blessings.....allan
Hi allan,

To uninstall Combofix:
Go to Start > Run and 'copy and paste' the next command in the field:

ComboFix /Uninstall


Thanks for using Experts-Exchange!
asilb (ASKER):

rpggamergirl: thanks again, of course.....love and blessings....allan....