Solved Google Redirect

Discussion in 'Malware and Virus Removal Archive' started by Corporation, 2009/04/02.

  1. 2009/04/02
    Corporation (Thread Starter)

    [Resolved] Google Redirect

    Hello all,

    I feel completely defeated. I haven't had a virus or serious spyware infection in a long time, and I just can't seem to get rid of this one. It wouldn't let me download combofix. I got a friend to email it to me, but I see from another post on this site I should have renamed it. Malwarebytes was corrupted. I run Avast, spybot S&D, Adaware, trendmicro online - they all find nothing.

    Here is my Hijack This log. Any help is greatly appreciated:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:22:35 AM, on 4/2/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Visagesoft\eXPert PDF\vspdfprsrv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TVersity\Media Server\MediaServer.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
    C:\Program Files\ATTToolbar\FDServer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
    O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Program Files\Visagesoft\eXPert PDF\vspdfprsrv.exe --background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [IHateThisKey] "C:\Program Files\ByteGems.com\I Hate This Key\IHateThisKey.exe"
    O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.7.805.16405 (GoogleDesktopManager-051608-133132) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

    --
    End of file - 7409 bytes
     
  2. 2009/04/08
    Corporation

    I think I have mine resolved. I took the hard drive out and hooked it up to a secure PC as a slave drive (I know it's not the best solution, but I had recently imaged it for my son and it had very little data on it, so if I infected that box I could reimage without losing anything). Malwarebytes found the following 2 viruses, some of you guys look like you had the same deal as I did: daonol and killav. It got rid of those, I installed it back into my main PC, and was able to run combofix. Nothing was detected. I'm still running some more programs to ensure it's gone, but so far so good. I have regained the ability to use the cmd line and regedit, and I get no more redirects of google. Also Firefox hasn't crashed since the cleaning. I'll post the combo log just in case someone wants to look to point something out, I'm not very good at reading these. Good luck to all.
     

  4. 2009/04/08
    Corporation

    ComboFix 09-04-01.01 - Michael 2009-04-07 23:47:31.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3007.2707 [GMT -5:00]
    Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\INSTALL.LOG
    c:\windows\system32\zip32.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
    .

    2009-04-06 22:56 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
    2009-04-05 22:10 . 2009-04-07 23:52 <DIR> d-------- c:\program files\Autorun Eater
    2009-04-04 23:09 . 2009-04-04 23:09 <DIR> d-------- c:\program files\Trojan Remover
    2009-04-04 23:09 . 2009-04-04 23:09 <DIR> d-------- c:\documents and settings\Michael\Application Data\Simply Super Software
    2009-04-04 23:09 . 2009-04-04 23:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
    2009-04-04 23:09 . 2009-04-04 23:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
    2009-04-04 23:09 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
    2009-04-04 23:09 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
    2009-04-04 23:09 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
    2009-04-04 23:09 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
    2009-04-04 23:09 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
    2009-04-02 19:51 . 2009-04-02 19:51 <DIR> d-------- c:\windows\system32\scripting
    2009-04-02 19:51 . 2009-04-02 19:51 <DIR> d-------- c:\windows\system32\en
    2009-04-02 19:51 . 2009-04-03 18:24 <DIR> d-------- c:\windows\system32\bits
    2009-04-02 19:51 . 2009-04-02 19:51 <DIR> d-------- c:\windows\l2schemas
    2009-04-02 19:49 . 2007-08-10 21:46 33,656 --a------ c:\windows\system32\sprecovr.exe
    2009-04-02 18:35 . 2009-04-02 18:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2009-04-02 18:35 . 2009-04-02 18:35 <DIR> d-------- c:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com
    2009-04-02 18:35 . 2009-04-02 18:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-04-02 18:09 . 2009-04-02 18:09 <DIR> d-------- c:\documents and settings\Administrator
    2009-04-02 17:33 . 2009-04-02 17:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-04-02 17:33 . 2009-04-02 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-04-02 01:30 . 2009-04-02 01:30 <DIR> d-------- c:\documents and settings\Michael\DoctorWeb
    2009-04-01 23:53 . 2009-04-02 07:39 <DIR> d-------- c:\documents and settings\Michael\.housecall6.6
    2009-04-01 23:03 . 2009-04-01 23:03 <DIR> d-------- c:\program files\Trend Micro
    2009-03-31 22:35 . 2009-03-31 22:35 <DIR> d-------- c:\documents and settings\Michael\Application Data\Malwarebytes
    2009-03-31 22:35 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-31 22:35 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-31 22:34 . 2009-03-31 22:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-31 22:34 . 2009-03-31 22:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-26 00:00 . 2009-03-26 00:00 <DIR> d-------- c:\program files\Bonjour
    2009-03-24 21:43 . 2009-03-24 21:45 <DIR> d-------- c:\program files\Windows Live Safety Center
    2009-03-15 16:10 . 2009-03-15 16:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\eXPert PDF 4
    2009-03-13 23:07 . 2009-03-13 23:07 <DIR> d-------- c:\documents and settings\Michael\Application Data\eXPert PDF Editor
    2009-03-13 23:03 . 2009-03-13 23:03 <DIR> d-------- c:\windows\My Documents
    2009-03-13 23:03 . 2009-03-13 23:03 <DIR> d-------- c:\program files\Visagesoft
    2009-03-13 23:03 . 2009-03-13 23:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\eXPert PDF Jobs
    2009-03-13 23:03 . 2009-03-13 23:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\eXPert PDF
    2009-03-13 23:03 . 2005-06-02 12:40 14,336 --a------ c:\windows\system32\vsmon1.dll
    2009-03-12 23:59 . 2009-03-12 23:59 <DIR> d-------- c:\program files\FileZilla FTP Client
    2009-03-12 23:59 . 2009-03-13 00:05 <DIR> d-------- c:\documents and settings\Michael\Application Data\FileZilla
    2009-03-09 22:55 . 2009-03-09 22:55 <DIR> d-------- c:\program files\7-Zip

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-08 04:52 --------- d-----w c:\program files\Steam
    2009-04-05 04:00 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
    2009-04-03 23:42 96,256 ----a-w c:\windows\system32\drivers\sptd4077.sys
    2009-04-02 23:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-04-02 12:39 --------- d-----w c:\documents and settings\All Users\Application Data\ATTToolbar
    2009-04-02 04:56 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
    2009-03-26 05:00 --------- d-----w c:\program files\Common Files\Adobe
    2009-03-09 23:36 --------- d-----w c:\program files\PeerGuardian2
    2009-03-09 23:36 --------- d-----w c:\documents and settings\Michael\Application Data\uTorrent
    2009-03-06 06:23 --------- d-----w c:\documents and settings\Michael\Application Data\Move Networks
    2009-02-26 07:08 --------- d-----w c:\documents and settings\Michael\Application Data\Free Audio Editor
    2009-02-19 03:37 138,784 -c--a-w c:\windows\system32\drivers\PnkBstrK.sys
    2009-02-19 03:28 22,328 -c--a-w c:\documents and settings\Michael\Application Data\PnkBstrK.sys
    2009-02-19 03:28 --------- d-----w c:\documents and settings\All Users\Application Data\id Software
    2009-02-16 06:46 --------- d-----w c:\program files\TVersity Codec Pack
    2009-02-16 06:46 --------- d-----w c:\program files\ffdshow
    2009-02-16 06:44 --------- d-----w c:\program files\TVersity
    2009-02-08 06:19 --------- d-----w c:\documents and settings\Michael\Application Data\Azureus
    2007-11-17 04:21 94,080 -c--a-w c:\documents and settings\Michael\Application Data\ezplay.sys
    2007-11-17 04:21 87,608 -c--a-w c:\documents and settings\Michael\Application Data\ezpinst.exe
    2007-07-13 03:32 106 -c--a-w c:\program files\piconfig.lx
    2006-12-27 04:34 47,360 -c--a-w c:\documents and settings\Michael\Application Data\pcouffin.sys
    2007-01-23 20:07 1,847,296 -c--a-w c:\program files\mozilla firefox\plugins\Seadragon.dll
    2008-06-01 05:31 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\steam\steam.exe" [2009-01-08 1410296]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
    "CTHelper"="CTHELPER.EXE" [2004-03-19 c:\windows\system32\CTHELPER.EXE]
    "nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood"= 01000000
    "NoSMMyDocs"= 01000000
    "NoSMMyPictures"= 01000000

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "VIDC.VP40"= vp4vfw.dll
    "vidc.X264"= x264vfw.dll
    "VIDC.MSUD"= msulvc05.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Documents and Settings\\Michael\\My Documents\\utorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\Peer Impact\\peerimpact.exe"=
    "c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Steam\\steam.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\cooleyo\\team fortress 2\\hl2.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
    "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
    "c:\\Program Files\\screen-scraper basic edition\\jre\\bin\\java.exe"=
    "c:\\Program Files\\screen-scraper basic edition\\screen-scraper.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Capcom\\Bionic Commando Rearmed\\bcr.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
    "c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
    "%windir%\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3074:TCP"= 3074:TCP:GearsofWar
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "56147:TCP"= 56147:TCP:pandoRest Listening Port

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
    R2 PStrip;PSTRIP;c:\windows\system32\drivers\PStrip.sys [2004-11-09 21968]
    R3 dsnpfd;DeskSoft Service;c:\windows\system32\drivers\dsnpfd.sys [2007-10-21 16896]
    S3 GoogleDesktopManager-051608-133132;Google Desktop Manager 5.7.805.16405;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-06-01 29744]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4B.tmp --> c:\windows\system32\4B.tmp [?]
    S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\AutoRunCD.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-583907252-839522115-1003.job
    - c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 21:48]

    2009-03-18 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
    - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

    2008-06-01 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
    - c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-dimsntfy - (no file)
    Notify-WgaLogon - (no file)
    MSConfigStartUp-Comrade - (no file)


    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: aol.com\free
    FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\hu99675r.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
    FF - plugin: c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\hu99675r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
    FF - plugin: c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppsynth.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\windows\system32\Photosynth\nppsynth.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-07 23:52:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\4B.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-484763869-583907252-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:76,90,10,69,7d,99,56,06,e4,80,f7,a5,c3,f6,b9,50,f8,8d,81,1b,e9,
    1b,20,f1,ec,cb,e8,14,43,c1,89,34,0d,de,98,0a,2d,6c,b4,52,d7,20,15,47,69,3f,\
    "rkeysecu"=hex:2c,73,a8,9a,05,2d,e9,c8,e6,8e,01,19,6e,c6,29,6a
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(972)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Autorun Eater\billy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-07 23:57:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-08 04:57:06

    Pre-Run: 47,688,556,544 bytes free
    Post-Run: 47,618,686,976 bytes free

    232 --- E O F --- 2009-04-03 23:48:45
     
  5. 2009/04/08
    Juliet

    Hi and welcome

    Sorry for the delay, but the help forums are overloaded with people asking for help.

    I've looked over your logs and it appears you did rather a good job working on the infection.

    Let's see about checking for remnants.


    Your version of Java is outdated.

    Please download JavaRa to your desktop and unzip it to its own folder

    Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    Accept any prompts.
    Open JavaRa.exe again and select Search For Updates.
    Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.




    NEXT
    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable the onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links: Kaspersky Online Scanner, or
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
      Click on: Save Report As
      Next, in the Save as prompt, Save in area, select: Desktop
      In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
      Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with the IE-Tab plugin:
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  6. 2009/04/08
    Corporation

    Thanks for the response, Juliet! No worries on the delay, I can see how busy everything is. I'm really glad you posted, because it's not clean yet. I've regained control of cmd and regedit, but the Google redirects have recurred.

    I'm currently going through all the steps you previously posted. Thanks again!

    Edit to add: The Kaspersky scan has already found 2 items (not sure what yet) but it is only 15% through the scan. I will post the results and the HJT log tomorrow. Thanks again for your help.

    Edit again: Wow, it's been running for 7 hours and it is not done. I don't have time to check, but I think the virus that was removed may have infected the pagefile.sys. I wonder if that is slowing down the box. I do not notice a slowdown when I execute other programs, just surprised this is still going. Will post when I get home from work.
     
    Last edited: 2009/04/09
  7. 2009/04/09
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Don't be alarmed if Kaspersky finds anything, we typically expect it to.

    Scan times depend on how full the drive is, but I would think 7 hours is a bit much.

    Post the Kaspersky log when you can.

    Also....do this and post the log it creates.



    Please download RegQuery by Noviciate to your desktop.

    * Copy the following registry key path by highlighting the text and pressing CTRL and C at the same time:

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    * Double click RegQuery.exe to run the program.
    * Paste the text you have copied, using CTRL and V, into the textbox.
    * Click the Query button.
    * A Notepad file will open. Please paste the contents in your next reply.
    * You may now close the RegQuery program.


    In your next reply post:
    Kaspersky log
    RegQuery log
     
  8. 2009/04/09
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    OK here is the KScan:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, April 9, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, April 09, 2009 06:40:55
    Records in database: 2025736
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan statistics:
    Files scanned: 142870
    Threat name: 3
    Infected objects: 4
    Suspicious objects: 0
    Duration of the scan: 11:35:37


    File name / Threat name / Threats count
    C:\Documents and Settings\Michael\.housecall6.6\Quarantine\keyfinder.exe.bac_a03272 Infected: not-a-virus:PSWTool.Win32.RAS.g 1
    C:\Documents and Settings\Michael\.housecall6.6\Quarantine\keyfinder.exe.bac_a03272 Infected: not-a-virus:PSWTool.Win32.RAS.a 1
    C:\Documents and Settings\Michael\My Documents\mirc63.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1

    The selected area was scanned.
     
  9. 2009/04/09
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:00:24 PM, on 4/9/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 4285 bytes
     
  10. 2009/04/09
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    Reg Query Log

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "VIDC.I420"="i420vfw.dll"
    "vidc.iv31"="ir32_32.dll"
    "vidc.iv32"="ir32_32.dll"
    "vidc.iv41"="ir41_32.ax"
    "VIDC.IYUV"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "VIDC.UYVY"="msyuv.dll"
    "VIDC.YUY2"="msyuv.dll"
    "VIDC.YVU9"="tsbyuv.dll"
    "VIDC.YVYU"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
    "MSVideo8"="VfWWDM32.dll"
    "msacm.lhacm"="lhacm.acm"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "VIDC.WMV3"="wmv9vcm.dll"
    "VIDC.VP40"="vp4vfw.dll"
    "msacm.voxacm160"="vct3216.acm"
    "MSVideo"="vfwwdm32.dll"
    "wave1"="wdmaud.drv"
    "midi1"="wdmaud.drv"
    "mixer1"="wdmaud.drv"
    "aux"="wdmaud.drv"
    "vidc.VP70"="vp7vfw.dll"
    "vidc.X264"="x264vfw.dll"
    "VIDC.FPS1"="frapsvid.dll"
    "vidc.VP60"="vp6vfw.dll"
    "vidc.VP61"="vp6vfw.dll"
    "vidc.VP62"="vp6vfw.dll"
    "VIDC.DRAW"="DVIDEO.DLL"
    "wave2"="wdmaud.drv"
    "midi2"="wdmaud.drv"
    "mixer2"="wdmaud.drv"
    "aux1"="wdmaud.drv"
    "wave3"="wdmaud.drv"
    "midi3"="wdmaud.drv"
    "mixer3"="wdmaud.drv"
    "aux2"="wdmaud.drv"
    "VIDC.MSUD"="msulvc05.dll"
    "wave4"="wdmaud.drv"
    "midi4"="wdmaud.drv"
    "mixer4"="wdmaud.drv"
    "aux3"="wdmaud.drv"
    "vidc.DIVX"="DivX.dll"
    "vidc.yv12"="DivX.dll"
    "VIDC.FFDS"="ff_vfw.dll"
    "aux4"="C:\\WINDOWS\\system32\\..\\ikpnk.ark"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave"="rdpsnd.dll"
    "mixer"="rdpsnd.dll"
    "MaxBandwidth"=dword:000056b9
    "wavemapper"="msacm32.drv"
    "EnableMP3Codec"=dword:00000001
    "midimapper"="midimap.dll"
     
  11. 2009/04/09
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    Thanks again Juliet!
     
  12. 2009/04/09
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    C:\Documents and Settings\Michael\.housecall6.6\Quarantine <-- delete the contents inside this folder

    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1
    Don't worry about mIRC unless you didn't install it.


    NEXT**
    Open HijackThis. Click on Open the Misc Tools Section.

    * On the screen, click on "Delete a file on reboot...".
    * Copy/paste the following path into the dialog box that popped up, and click 'Open':
    C:\WINDOWS\ikpnk.ark

    * HJT will ask you if you want to reboot now. Click "NO".



    Next, launch Notepad (Start > Run, type in: notepad), then copy and paste the text below into it (don't forget to copy and paste REGEDIT4):

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "aux"=-


    Save this as delete.reg, change the "Save as type" to "All Files", and place it on your desktop.
    Double-click on delete.reg and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

    Now reboot the machine <--Important




    Post back and let me know how the computer is now.
     
  13. 2009/04/09
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    I'm glad I don't own a gun, because I may have shot myself. Shortly after I posted, the power blinked at my house. I booted the computer back up, and it wouldn't load. Had to shut it off, then on again, then off and on again one more time. It took forever for Windows to come back up. Machine is crawling.

    I'm back to square one with no ability to use cmd or regedit again. I'm about to do the things you just posted, but I see the big warning about not rebooting. I hadn't started any of that process, but I'm fearful the power blink may have just messed me up. Will report back in a few.
     
    Last edited: 2009/04/09
  14. 2009/04/09
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    As feared, I can't execute the last step (delete.reg) due to losing the regedit command. I'm not doing anything until I hear from you, hopefully no more power blinks.
     
  15. 2009/04/09
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    As another aside, AVG8.5 will not automatically update the virus definition. I can go in and manually update, but it won't auto connect.
     
  16. 2009/04/09
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    See if this will work

    Open Task Manager.
    At the top click on File, then New Task (Run), and type in regedit.exe

    If it opens, create the regfix from my previous post and see if it can run that way.
     
  17. 2009/04/09
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    Doesn't work.
     
  18. 2009/04/09
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Crudzola!


    Combofix is my first tool of choice here, but I've got my doubts.


    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.





    If it won't run:
    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    In your next reply post:
    Malwarebytes' Anti-Malware log
    New HJT log
     
  19. 2009/04/09
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Also, sorry I have to mention this but,

    It's late here and I have to sign off for the night.

    I'll have to catch up in the morning.
     
  20. 2009/04/09
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    No go on Combofix because it runs in a command prompt box. Running Malwarebytes with a fresh install; Malwarebytes didn't work for what I had last time. I have my doubts this time as well because the "Launch Malwarebytes" box was checked, and it came up with a box saying Malwarebytes was already running.

    If this doesn't work, I may hook it back up to my son's computer as a slave drive and try to get us back where we were a short while ago.

    ETA: It didn't find anything.
     
  21. 2009/04/09
    Corporation

    Corporation Inactive Thread Starter

    Joined:
    2009/04/02
    Messages:
    33
    Likes Received:
    0
    No worries, I really appreciate your help. I think I am going to pop it in my son's computer and try to clean it as a slave drive again. I'll let you know the results.
     