
Solved Google Redirect

Discussion in 'Malware and Virus Removal Archive' started by jsalsa77, 2009/04/13.

  1. 2009/04/13
    jsalsa77

    jsalsa77 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    10
    Likes Received:
    0
    [Resolved] Google Redirect

    I am having a problem where Google redirects my searches once I click on the icon. I see other people have had similar problems. I have run a virus scan with Symantec, and a spyware scan with Spy Sweeper, but the problem is continuing. I have posted the DDS.txt file and the Attach.txt file.

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Chris at 17:59:12.59 on Mon 04/13/2009
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.110 [GMT -4:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Documents and Settings\Chris\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.daemonsearch.com/intl/
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
    uRun: [Aim6]
    uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
    uRunOnce: [Ad-Aware] c:\program files\lavasoft\ad-aware\\Ad-Aware.exe
    mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] "c:\progra~1\symant~1\VPTray.exe"
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
    mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
    mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
    mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
    mRun: [SpySweeper] c:\program files\webroot\webrootsecurity\SpySweeperUI.exe /startintray
    dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
    StartupFolder: c:\docume~1\chris\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    TCP: {6250C8B9-5F08-4208-AE9C-B6456B61A058} = 216.254.95.2,216.231.41.2
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\yicwkuee.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/|foxnews.com

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-13 64160]
    R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-13 29808]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
    R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-2-13 4048240]
    R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-13 1180976]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090413.003\naveng.sys [2009-4-13 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090413.003\navex15.sys [2009-4-13 876144]
    S3 chckr2xx;Checker 200 Series Driver;c:\windows\system32\drivers\chckr2xx.sys [2008-10-21 15744]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]

    =============== Created Last 30 ================

    2009-04-13 17:37 <DIR> --d----- c:\program files\Trend Micro
    2009-04-13 16:34 64,160 a------- c:\windows\system32\drivers\Lbd.sys
    2009-04-13 16:28 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-04-13 16:27 <DIR> --d----- c:\program files\Lavasoft
    2009-04-13 15:27 775,168 a------- c:\windows\isRS-000.tmp
    2009-04-13 15:27 <DIR> --d----- c:\program files\MSSOAP
    2009-04-13 15:25 1,553,784 a------- c:\windows\WRSetup.dll
    2009-04-13 15:25 <DIR> --d----- c:\docume~1\chris\applic~1\Webroot
    2009-04-13 15:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
    2009-04-13 15:25 <DIR> --d----- c:\program files\Webroot
    2009-04-09 19:26 <DIR> --d----- c:\program files\TVAnts
    2009-04-07 09:35 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-30 20:04 <DIR> --d----- c:\program files\common files\DivX Shared

    ==================== Find3M ====================

    2009-03-13 13:38 135,150 a------- c:\windows\hpwins10.dat
    2009-02-24 15:34 90,112 a------- c:\windows\system32\dpl100.dll
    2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
    2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx07.dll
    2009-02-24 15:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
    2009-02-24 15:34 802,816 a------- c:\windows\system32\divx_xx11.dll
    2009-02-24 15:34 684,032 a------- c:\windows\system32\DivX.dll
    2009-02-13 17:09 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
    2009-02-13 17:09 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
    2009-02-13 17:09 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
    2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
    2009-01-16 12:24 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
    2007-12-09 20:31 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
    2008-09-24 09:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat

    ============= FINISH: 17:59:34.31 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/8/2007 7:47:53 PM
    System Uptime: 4/13/2009 3:33:32 PM (2 hours ago)

    Motherboard: IBM | | 2378R4U
    Processor: Intel(R) Pentium(R) M processor 1.60GHz | None | 1598/400mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 37 GiB total, 13.705 GiB free.
    E: is CDROM ()
    G: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_05591014&REV_01\3&61AAA01&0&FE
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_05591014&REV_01\3&61AAA01&0&FE
    Service:

    ==== System Restore Points ===================

    RP225: 1/22/2009 8:17:36 PM - System Checkpoint
    RP226: 1/23/2009 9:35:39 PM - System Checkpoint
    RP227: 1/25/2009 3:48:39 PM - System Checkpoint
    RP228: 1/26/2009 6:26:36 PM - System Checkpoint
    RP229: 1/28/2009 12:05:38 AM - System Checkpoint
    RP230: 1/29/2009 12:22:27 AM - System Checkpoint
    RP231: 1/30/2009 12:01:35 PM - System Checkpoint
    RP232: 1/31/2009 3:50:05 PM - System Checkpoint
    RP233: 2/1/2009 5:26:30 PM - System Checkpoint
    RP234: 2/2/2009 7:31:42 PM - System Checkpoint
    RP235: 2/3/2009 10:37:18 PM - System Checkpoint
    RP236: 2/5/2009 11:21:59 AM - System Checkpoint
    RP237: 2/6/2009 11:41:45 AM - System Checkpoint
    RP238: 2/9/2009 1:39:26 AM - System Checkpoint
    RP239: 2/10/2009 10:21:12 AM - System Checkpoint
    RP240: 2/12/2009 12:55:09 AM - System Checkpoint
    RP241: 2/12/2009 9:04:30 AM - Software Distribution Service 3.0
    RP242: 2/13/2009 2:29:35 PM - System Checkpoint
    RP243: 2/14/2009 5:36:20 PM - System Checkpoint
    RP244: 2/16/2009 12:21:50 AM - System Checkpoint
    RP245: 2/17/2009 1:38:45 AM - System Checkpoint
    RP246: 2/18/2009 11:14:02 AM - System Checkpoint
    RP247: 2/19/2009 2:10:12 PM - System Checkpoint
    RP248: 2/21/2009 2:27:55 PM - Removed Checker 200 Series
    RP249: 2/23/2009 3:45:52 PM - System Checkpoint
    RP250: 2/24/2009 5:52:51 PM - System Checkpoint
    RP251: 2/25/2009 8:04:47 PM - System Checkpoint
    RP252: 2/26/2009 3:00:23 AM - Software Distribution Service 3.0
    RP253: 2/27/2009 9:28:50 AM - System Checkpoint
    RP254: 3/8/2009 10:20:09 PM - Installed Java(TM) 6 Update 11
    RP255: 3/9/2009 11:31:28 PM - System Checkpoint
    RP256: 3/11/2009 12:07:22 AM - System Checkpoint
    RP257: 3/11/2009 2:00:38 AM - Software Distribution Service 3.0
    RP258: 3/12/2009 10:06:07 AM - System Checkpoint
    RP259: 3/13/2009 10:42:28 AM - System Checkpoint
    RP260: 3/16/2009 7:59:13 PM - System Checkpoint
    RP261: 3/18/2009 3:05:28 PM - System Checkpoint
    RP262: 3/19/2009 5:29:10 PM - System Checkpoint
    RP263: 3/21/2009 9:00:23 AM - Software Distribution Service 3.0
    RP264: 3/23/2009 12:35:06 AM - System Checkpoint
    RP265: 3/24/2009 10:14:37 PM - System Checkpoint
    RP266: 3/26/2009 12:59:34 PM - System Checkpoint
    RP267: 3/27/2009 1:01:54 PM - System Checkpoint
    RP268: 3/28/2009 3:32:55 PM - System Checkpoint
    RP269: 3/31/2009 9:41:07 PM - System Checkpoint
    RP270: 4/2/2009 2:22:14 AM - System Checkpoint
    RP271: 4/3/2009 5:18:28 PM - System Checkpoint
    RP272: 4/4/2009 5:52:06 PM - System Checkpoint
    RP273: 4/5/2009 11:20:32 PM - System Checkpoint
    RP274: 4/7/2009 9:30:25 AM - Installed Java(TM) 6 Update 13
    RP275: 4/8/2009 4:12:27 PM - System Checkpoint

    ==== Installed Programs ======================

    µTorrent
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    32 Bit HP CIO Components Installer
    5700_Help
    AAC Decoder
    Ad-Aware
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.4
    AIM 6
    ATI Control Panel
    ATI Display Driver
    AutoUpdate
    AVS Video Converter 6
    AVS4YOU Software Navigator 1.3
    BPD_Scan
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    Critical Update for Windows Media Player 11 (KB959772)
    Destinations
    DeviceManagementQFolder
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DocProc
    DocProcQFolder
    eSupportQFolder
    Fax
    H.264 Decoder
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    HP Imaging Device Functions 8.0
    HP OCR Software 8.0
    HP Officejet All-In-One Series
    HP Photosmart Essential
    HP Product Assistant
    HP Solution Center 8.0
    HP Update
    HPProductAssistant
    IBM ThinkPad Power Management Driver
    IBM ThinkPad UltraNav Driver
    Intel(R) PRO Network Connections Drivers
    InterActual Player
    J5700
    Java(TM) 6 Update 13
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    LiveUpdate 3.1 (Symantec Corporation)
    MATLAB Family of Products Release 14
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix
    Microsoft .NET Framework 2.0
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    MKV Splitter
    Mozilla Firefox (3.0.8)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 and SOAP Toolkit 3.0
    ProductContext
    RealPlayer
    Scan
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB958439)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB958437)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Visio 2007 (KB947590)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Software Update for Web Folders
    SolutionCenter
    Spy Sweeper
    Spy Sweeper Core
    Status
    Symantec AntiVirus
    The KMPlayer (remove only)
    Toolbox
    TrayApp
    TVAnts 1.0
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb962871)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VC80CRTRedist - 8.0.50727.762
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    4/6/2009 12:58:22 PM, error: Dhcp [1002] - The IP address lease 192.168.2.9 for the Network Card with network address 0012F0C4D6A9 has been denied by the DHCP server 168.81.156.1 (The DHCP Server sent a DHCPNACK message).
    4/6/2009 1:56:48 PM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.0.12. The machine with the IP address 192.168.0.20 did not allow the name to be claimed by this machine.
    4/6/2009 1:59:30 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0012F0C4D6A9. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    4/7/2009 9:20:31 AM, error: Service Control Manager [7034] - The MATLAB Server service terminated unexpectedly. It has done this 1 time(s).
    4/13/2009 10:18:30 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    4/13/2009 10:18:31 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    ==== End Of File ===========================
     
  2. 2009/04/14
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome


    Print this topic or save it to Notepad; it will make it easier for you to follow the instructions and complete all of the necessary steps, as we will need to close all windows that are open later in the fix.


    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    NEXT**
    Please download RegQuery by Noviciate to your desktop
    • Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
      • [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    • Double click RegQuery.exe to run the program
    • Paste the text you have copied using CTRL and V, into the textbox
    • Click the Query button
    • A Notepad file will open. Please paste the contents in your next reply
    • You may now close the RegQuery program




    ~~~~~~~~~~~~~~~~~~~~~~
    NEXT**
    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    In your next reply post:
    GooredLog.txt
    RegQuery log
    Malwarebytes' Anti-Malware log



    You may need several replies to post the requested logs, otherwise they might get cut off.
     


  4. 2009/04/14
    jsalsa77

    jsalsa77 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    10
    Likes Received:
    0
    Juliet,

    Thanks for helping out. I was able to do everything except run the Malwarebytes program. It will not open in Windows. Attached in this post is the GooredFix Notepad file. In the next post I will post the RegQuery file.

    GooredFix v1.92 by jpshortstuff
    Log created at 12:10 on 14/04/2009 running Option #1 (Chris)
    Firefox version 3.0.8 (en-US)

    =====Suspect Goored Entries=====

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
     
  5. 2009/04/14
    jsalsa77

    jsalsa77 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    10
    Likes Received:
    0
    Juliet,

    Here is the RegQuery file.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "VIDC.I420"="msh263.drv"
    "vidc.iv31"="ir32_32.dll"
    "vidc.iv32"="ir32_32.dll"
    "vidc.iv41"="ir41_32.ax"
    "VIDC.IYUV"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "VIDC.UYVY"="msyuv.dll"
    "VIDC.YUY2"="msyuv.dll"
    "VIDC.YVU9"="tsbyuv.dll"
    "VIDC.YVYU"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "msacm.l3acm"="l3codecx.acm"
    "MSVideo8"="VfWWDM32.dll"
    "vidc.DIVX"="DivX.dll"
    "vidc.yv12"="DivX.dll"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave"="rdpsnd.dll"
    "mixer"="rdpsnd.dll"
    "MaxBandwidth"=dword:000056b9
    "wavemapper"="msacm32.drv"
    "EnableMP3Codec"=dword:00000001
    "midimapper"="midimap.dll"
     
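The GooredFix and RegQuery logs above are both .reg-style dumps that the helper reads by eye. As an added example (not a tool from this thread or from the GooredFix/RegQuery authors), here is a small Python triage script that parses such a dump and flags drivers32 values outside a codec baseline and Firefox extension registrations with odd IDs or install paths. The baseline sets, the heuristics and the sample dump (placeholder names, not real indicators) are assumptions constructed for this example.

```python
import re

# Partial baseline of value data seen under drivers32 in the clean RegQuery
# dump above; assumed for this example, not a complete list of valid codecs.
KNOWN_DRIVERS32 = {
    "midimap.dll", "imaadp32.acm", "msadp32.acm", "msg711.acm", "msgsm32.acm",
    "tssoft32.acm", "iccvid.dll", "msh263.drv", "ir32_32.dll", "ir41_32.ax",
    "iyuv_32.dll", "msrle32.dll", "msvidc32.dll", "msyuv.dll", "tsbyuv.dll",
    "msacm32.drv", "wdmaud.drv", "msg723.acm", "msh261.drv", "msaud32.acm",
    "sl_anet.acm", "iac25_32.ax", "ir50_32.dll", "l3codecx.acm",
    "vfwwdm32.dll", "divx.dll", "rdpsnd.dll",
}
# Value-name prefixes that legitimately occur under drivers32 (assumption).
KNOWN_PREFIXES = ("msacm.", "vidc.", "midi", "wave", "mixer", "aux",
                  "msvideo", "maxbandwidth", "enablemp3codec")
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_dump(text):
    """Parse .reg-style text into {key: [(name, data), ...]}, tolerating the
    stray spaces that pasted logs pick up ("name "= "data ")."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            result.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).strip(), m.group(2).strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].strip()   # drop the quotes around string data
            result[current].append((name, data))
    return result


def flag_drivers32(entries):
    """Return (name, data, reason) for drivers32 values outside the baseline."""
    findings = []
    for name, data in entries:
        lname, ldata = name.lower(), data.lower().replace("\\\\", "\\")
        if ldata.startswith("dword:"):
            continue                        # numeric settings such as MaxBandwidth
        if not lname.startswith(KNOWN_PREFIXES):
            findings.append((name, data, "unexpected value name"))
        elif ldata.rsplit("\\", 1)[-1] not in KNOWN_DRIVERS32:
            findings.append((name, data, "file not in codec baseline"))
        elif "\\" in ldata and not ldata.startswith("c:\\windows\\system32\\"):
            findings.append((name, data, "codec loaded from non-system path"))
    return findings


def flag_firefox_extensions(entries):
    """Return (name, data, reason) for global extension registrations whose ID
    is neither a GUID nor id@domain, or whose path lies outside Program Files."""
    findings = []
    for name, data in entries:
        if name in ("Plugins", "Components"):
            continue                        # Firefox's own entries
        if not (GUID_RE.match(name) or "@" in name):
            findings.append((name, data, "extension id is not a GUID or id@domain"))
        elif not data.lower().startswith("c:\\program files\\"):
            findings.append((name, data, "extension installed outside Program Files"))
    return findings


def triage(text):
    """Run the matching check over each key of one pasted dump."""
    findings = []
    for key, entries in parse_reg_dump(text).items():
        lkey = key.lower()
        if lkey.endswith("\\drivers32") or "\\drivers32\\" in lkey:
            findings += flag_drivers32(entries)
        elif lkey.endswith("\\firefox\\extensions"):
            findings += flag_firefox_extensions(entries)
    return findings


# Constructed sample in the thread's dump format: the known-good lines mirror
# the posted logs; the last value under each key is a made-up suspicious entry
# with placeholder names, not a real indicator.
SAMPLE_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper "= "midimap.dll "
"msacm.iac2 "= "C:\\WINDOWS\\system32\\iac25_32.ax "
"aux "= "C:\\DOCUME~1\\chris\\LOCALS~1\\Temp\\placeholder_codec.dll "

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com "= "C:\Program Files\Java\jre6\lib\deploy\jqs\ff "
"{ABDE892B-13A8-4d1b-88E6-365A6E755758} "= "C:\Program Files\Real\RealPlayer\browserrecord "
"{11111111-2222-3333-4444-555555555555} "= "C:\Documents and Settings\chris\Local Settings\Temp\placeholder_ext "
'''
```

Calling `triage(SAMPLE_DUMP)` returns the two planted entries and nothing else; a value it flags is a lead to investigate, not proof of infection, since the baseline is deliberately incomplete.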
  6. 2009/04/14
    dav

    dav Inactive

    Joined:
    2009/04/13
    Messages:
    3
    Likes Received:
    0
    malware removal

    I am new to this site and very minimally computer literate. I have read the recommendations for getting rid of the google redirection problem but all of it is way over my head. Is there someone who can link to my computer and fix this problem?
     
  7. 2009/04/14
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    dav, check your private messages.

    jsalsa77, let's continue.

    Uninstall MBAM, we'll try it again renaming it this time.


    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link

    When asked to save to desktop change the download name to MalwareBytes.com

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.





    NEXT**
    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.


    In your next reply post:
    Malwarebytes' Anti-Malware log
    ComboFix.txt
    New HJT log
     
  8. 2009/04/14
    jsalsa77

    jsalsa77 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    10
    Likes Received:
    0
    Juliet,

    MalwareBytes still won't work. Any other ideas to get it to work?
     
  9. 2009/04/14
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Continue with the next step, ComboFix.
     
  10. 2009/04/14
    megamouth

    megamouth Inactive

    Joined:
    2009/04/14
    Messages:
    11
    Likes Received:
    0
    I just created an account for this specific purpose. Have the same problem.

    GooredFix log:

    GooredFix v1.92 by jpshortstuff
    Log created at 16:18 on 14/04/2009 running Option #1 (Lele's PC KEEP OUT!!)
    Firefox version 3.0.8 (en-US)

    =====Suspect Goored Entries=====

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord"


    Regquery:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "midimapper"="midimap.dll"
    "wavemapper"="msacm32.drv"
    "VIDC.UYVY"="msyuv.dll"
    "VIDC.YUY2"="msyuv.dll"
    "VIDC.YVYU"="msyuv.dll"
    "VIDC.IYUV"="iyuv_32.dll"
    "vidc.i420"="iyuv_32.dll"
    "VIDC.YVU9"="tsbyuv.dll"
    "msacm.l3acm"="C:\\Windows\\System32\\l3codeca.acm"
    "vidc.cvid"="iccvid.dll"
    "msacm.siren"="sirenacm.dll"
    "MSVideo8"="VfWWDM32.dll"
    "VIDC.FPS1"="frapsvid.dll"
    "msacm.vorbis"="vorbis.acm"
    "VIDC.XFR1"="xfcodec.dll"
    "vidc.tscc"="tsccvid.dll"
    "vidc.DIVX"="DivX.dll"
    "vidc.yv12"="DivX.dll"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "aux"="wdmaud.drv"
    "wave3"="wdmaud.drv"
    "mixer3"="wdmaud.drv"
    "wave1"="wdmaud.drv"
    "mixer1"="wdmaud.drv"
    "wave2"="wdmaud.drv"
    "midi1"="wdmaud.drv"
    "mixer2"="wdmaud.drv"
    "aux1"="wdmaud.drv"


    Malwarebytes' Anti-Malware does not work either. Any help?



    Edit: After running combofix, wait for it to do its magic.

    Then, the system will automatically reboot.

    After reboot, let it do its magic again.

    After it is done, then the window will close and your computer will freeze (at least that's what happened to me).

    After force rebooting it, the problem was fixed. :)
     
    Last edited: 2009/04/14
  11. 2009/04/14
    jsalsa77

    jsalsa77 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    10
    Likes Received:
    0
    Juliet,

    Here is the ComboFix.txt. and HJT log.

    ComboFix 09-04-15.03 - Chris 04/14/2009 19:56.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.45 [GMT -4:00]
    Running from: c:\documents and settings\Chris\Desktop\Rename.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\gxvxctqkhylgqghdkepvcuievohdjnplmxget.sys
    c:\windows\system32\gxvxccounter
    c:\windows\system32\gxvxcqcwunvalalahnvopejkodlyksewvnydr.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_gxvxcserv.sys


    ((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
    .

    2009-04-14 23:17 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-04-14 23:17 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-14 23:17 . 2009-04-14 23:17 -------- d-----w c:\program files\yoyo
    2009-04-14 23:17 . 2009-04-14 23:17 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-04-14 22:39 . 2009-04-14 22:39 -------- d--h--w c:\windows\PIF
    2009-04-13 21:37 . 2009-04-13 21:37 -------- d-----w c:\program files\Trend Micro
    2009-04-13 20:34 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
    2009-04-13 20:28 . 2009-04-13 20:28 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-04-13 20:27 . 2009-04-13 20:34 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-04-13 20:27 . 2009-04-13 20:27 -------- d-----w c:\program files\Lavasoft
    2009-04-13 19:27 . 2009-04-13 19:27 -------- d-----w c:\program files\MSSOAP
    2009-04-13 19:25 . 2009-02-14 16:08 1553784 ----a-w c:\windows\WRSetup.dll
    2009-04-13 19:25 . 2009-04-13 19:37 -------- d-----w c:\documents and settings\All Users\Application Data\Webroot
    2009-04-13 19:25 . 2009-04-13 19:25 -------- d-----w c:\documents and settings\Chris\Application Data\Webroot
    2009-04-13 19:25 . 2009-04-13 19:25 -------- d-----w c:\program files\Webroot
    2009-04-07 13:35 . 2009-04-07 13:34 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-31 00:04 . 2009-03-31 00:05 -------- d-----w c:\program files\Common Files\DivX Shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-14 23:58 . 2007-12-09 00:57 -------- d-----w c:\program files\Symantec AntiVirus
    2009-04-14 21:56 . 2007-12-09 00:49 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    2009-04-14 21:56 . 2007-12-09 00:49 16384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    2009-04-13 19:32 . 2008-09-15 04:56 -------- d-----w c:\documents and settings\Chris\Application Data\uTorrent
    2009-04-13 18:53 . 2009-02-02 20:38 -------- d-----w c:\program files\Google
    2009-04-13 18:53 . 2007-12-09 00:47 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-04-13 18:47 . 2007-12-09 00:47 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-04-07 13:32 . 2008-03-21 23:32 -------- d-----w c:\program files\Java
    2009-03-31 00:08 . 2007-12-10 08:01 -------- d-----w c:\program files\DivX
    2009-03-21 19:00 . 2008-02-13 23:56 -------- d-----w c:\documents and settings\Chris\Application Data\U3
    2009-03-13 17:38 . 2007-12-09 05:56 135150 ----a-w c:\windows\hpwins10.dat
    2009-03-11 07:01 . 2008-01-28 02:04 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-26 18:02 . 2008-05-07 00:43 -------- d-----w c:\program files\Microsoft Silverlight
    2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
    2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
    2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
    2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
    2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
    2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
    2009-02-09 11:13 . 2008-10-15 02:05 1846784 ------w c:\windows\system32\dllcache\win32k.sys
    2009-02-09 11:13 . 2007-09-06 20:25 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-01-16 16:24 . 2007-12-09 06:13 3596288 ------w c:\windows\system32\dllcache\mshtml.dll
    2008-12-06 03:51 . 2007-12-09 06:06 68840 ----a-w c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2007-12-10 00:31 . 2007-12-10 00:31 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-12-06 344064]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-07 148888]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-31 185896]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
    "SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-02-14 6308728]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"="shell32" [X]
    "nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-12-20 124928]

    c:\documents and settings\Chris\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    R3 chckr2xx;Checker 200 Series Driver;c:\windows\system32\Drivers\chckr2xx.sys [2007-11-15 15744]
    R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-15 116416]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
    S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-02-13 29808]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
    S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-04-13 1180976]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49358f7b-c249-11dd-969d-0012f0c4d6a9}]
    \Shell\AutoRun\command - D:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{741518f3-da74-11dc-961e-0012f0c4d6a9}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

    2009-04-13 c:\windows\Tasks\wrSpySweeper_LA41CD75F00D843DFB2E00BE1CAE049B3.job
    - c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-13 16:08]

    2009-04-13 c:\windows\Tasks\wrSpySweeper_LA41CD75F00D843DFB2E00BE1CAE049B3.job
    - c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-04-13 16:08]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)
    HKLM-Run-Media Codec Update Service - c:\program files\Essentials Codec Pack\update.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.daemonsearch.com/intl/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {6250C8B9-5F08-4208-AE9C-B6456B61A058} = 216.254.95.2,216.231.41.2
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\yicwkuee.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/|foxnews.com
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-14 20:05
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1008)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2009-04-15 20:09
    ComboFix-quarantined-files.txt 2009-04-15 00:09

    Pre-Run: 14,681,366,528 bytes free
    Post-Run: 14,733,807,616 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    171 --- E O F --- 2009-03-21 13:07

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:26:20 PM, on 4/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20978)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] "c:\PROGRA~1\SYMANT~1\VPTray.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6250C8B9-5F08-4208-AE9C-B6456B61A058}: NameServer = 216.254.95.2,216.231.41.2
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

    --
    End of file - 7693 bytes
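
    The ComboFix and HijackThis logs above are the kind a helper reads by eye. The script below is an added example, not a tool anyone in this thread used, showing two mechanical checks a practitioner would run over such logs: a random-looking-filename heuristic for driver and DLL paths (the gxvxc... entries ComboFix deleted are the pattern it catches), and an O17 NameServer check against an allowlist, since a changed resolver is one of the ways search redirects get produced. The sample lines are copied from the logs posted above; the consonant-run and length thresholds, the DNS allowlist and all function names are assumptions of the example. An O17 entry outside the allowlist is something to verify with the ISP or router config, not proof of compromise on its own.

```python
"""Mechanical triage of ComboFix / HijackThis log lines.

Added example for this thread, not a tool anyone in it used. Sample lines
are copied from the logs posted above; thresholds, the DNS allowlist and
all function names are assumptions of the example.
"""
import re

# Paths copied from the ComboFix "Other Deletions" section above, plus one
# legitimate driver (Lbd.sys, Lavasoft) from the same log as a contrast.
COMBOFIX_PATHS = r"""
c:\windows\system32\drivers\gxvxctqkhylgqghdkepvcuievohdjnplmxget.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcqcwunvalalahnvopejkodlyksewvnydr.dll
c:\windows\system32\DRIVERS\Lbd.sys
""".split()

# Lines copied from the HijackThis log above.
HJT_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{6250C8B9-5F08-4208-AE9C-B6456B61A058}: NameServer = 216.254.95.2,216.231.41.2
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
""".strip().splitlines()

VOWELS = set("aeiou")


def max_consonant_run(stem: str) -> int:
    """Longest run of consecutive consonant letters; digits and symbols break a run."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(path: str, min_run: int = 5, min_len: int = 20) -> bool:
    """Heuristic: vendor file names rarely stack 5+ consonants or run to 20+
    letters with no digits or separators. Both thresholds are assumptions."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return max_consonant_run(stem) >= min_run or (stem.isalpha() and len(stem) >= min_len)


def flag_random_names(paths):
    """Subset of paths whose file name trips the heuristic, in input order."""
    return [p for p in paths if looks_random(p)]


O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def unexpected_nameservers(lines, allowlist):
    """IPs from O17 entries that are not in the caller's allowlist
    (assumed to hold the resolvers the user or ISP actually configured)."""
    found = []
    for line in lines:
        m = O17_RE.match(line)
        if m:
            found.extend(ip for ip in m.group("servers").split(",") if ip not in allowlist)
    return found


def services_without_vendor(lines):
    """O23 services HijackThis lists as 'Unknown owner' (no company name in
    the file's version info). Worth a second look, not evidence by itself."""
    return [m.group("name") for m in map(O23_RE.match, lines)
            if m and m.group("owner") == "Unknown owner"]


if __name__ == "__main__":
    print("random-looking names:", flag_random_names(COMBOFIX_PATHS))
    print("resolvers outside allowlist:", unexpected_nameservers(HJT_LINES, {"192.168.1.1"}))
    print("services without vendor:", services_without_vendor(HJT_LINES))
```

    Run on the sample, it flags the three gxvxc paths and leaves Lbd.sys alone; the consonant-run rule is what keeps short legitimate names such as ssfs0bbc.sys (the digit breaks the run) and long-but-pronounceable ones such as EraserUtilRebootDrv.sys out of the list.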
     
  12. 2009/04/14
    megamouth

    megamouth Inactive

    Joined:
    2009/04/14
    Messages:
    11
    Likes Received:
    0
    Wait... have you checked if the problem still exists? As with my post above, it worked after I ran ComboFix.
     
  13. 2009/04/15
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    megamouth, sorry to hear you're having issues as well.
    It's not a good idea to run and use instructions designed for someone else; it can cause damage to your machine.

    Although your computer might be running better it's a good idea to have your logs examined.

    To do so, please start your own topic and post the logs created.
    An Advisor will help you as soon as possible.


    **jsalsa77**, let's continue.

    Since you've run ComboFix have you tried to run MBAM again?



    Let's close an exploit/vulnerability.

    Your version of Adobe is out of date.

    You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.
    For more information and links to Adobe updates and downloads click here.



    Print this topic or save it to Notepad; it will make it easier for you to follow the instructions and complete all of the necessary steps, as we will need to close all windows that are open later in the fix.


    Please disable SpySweeper, as it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.
    If you have Spy Sweeper version 4:

    * Open it, Click Options over on the left, then Program options
    * Uncheck load at windows startup.
    * Over to the left, Click shields and Uncheck all there.
    * Uncheck home page shield.
    * Uncheck automatically restore default without notification.
    * Reboot your machine for the changes to take effect before running HJT.




    Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean.

    To disable Ad-Watch:

    1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
    2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

    • Active: Switches Monitoring On or Off without closing
    • Automatic: Switches Automatic Blocking On or Off
    3. Uncheck (red X) both items.



    NEXT**
    Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.


    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    (HP software updates. If a shortcut doesn't exist, create your own and run it manually)

    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    (This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.)

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    (Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    (Description: Adobe reader startup - unnecessarily uses system resources.)



    A reboot is required to set the registry.



    NEXT**
    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.


    How's the computer now?
     
  14. 2009/04/15
    jsalsa77

    jsalsa77 Inactive Thread Starter

    Joined:
    2009/04/13
    Messages:
    10
    Likes Received:
    0
    Juliet,

    Here are the logs. I was able to run the MalwareBytes scan and did so after the Kaspersky scan and before the HijackThis scan.



    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Wednesday, April 15, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Wednesday, April 15, 2009 19:09:46
    Records in database: 2047877
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    E:\
    G:\

    Scan statistics:
    Files scanned: 120761
    Threat name: 3
    Infected objects: 4
    Suspicious objects: 0
    Duration of the scan: 02:07:50


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05C80000\4DFDDB30.VBN Infected: Backdoor.Win32.Inject.gn 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07FC0000\4FFCCAB0.VBN Infected: Trojan.Win32.Monder.oyp 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FBC0000\4FFE7401.VBN Infected: Trojan.Win32.Monder.oyp 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcqcwunvalalahnvopejkodlyksewvnydr.dll.vir Infected: Trojan.Win32.Agent2.hoq 1

    The selected area was scanned.
  15. 2009/04/15
    jsalsa77

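    Every hit in the report above sits in a quarantine store (Symantec's .VBN files and ComboFix's C:\Qoobox\Quarantine .vir copies), which is the distinction the helper wants to make before deciding whether anything still needs cleaning. The script below is an added example and is not part of this thread or of Kaspersky's tooling: it parses detection lines in the Online Scanner 7.0 report format and sorts them into "quarantined" versus "live". The sample input is constructed; its first two lines are copied from the posted report, the third is a made-up placeholder path and threat name so the "live" branch is exercised. The quarantine-path rules are my own assumptions about the two products named in this thread.

```python
import re
from typing import Dict, List

# Constructed sample input in Kaspersky Online Scanner 7.0 report format.
# Lines 1-2 are from the report posted in this thread; line 3 is a placeholder
# (made-up path and threat name) so that a non-quarantined hit is present.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05C80000\4DFDDB30.VBN Infected: Backdoor.Win32.Inject.gn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcqcwunvalalahnvopejkodlyksewvnydr.dll.vir Infected: Trojan.Win32.Agent2.hoq 1
C:\WINDOWS\system32\placeholder.dll Infected: Trojan.Win32.Placeholder.x 1

The selected area was scanned.
"""

# One detection line: "<path, may contain spaces> Infected: <threat> <count>".
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed quarantine locations for the two tools seen in this thread:
# Symantec AntiVirus Corporate Edition keeps .VBN files under a "Quarantine"
# folder; ComboFix keeps renamed .vir copies under C:\Qoobox\Quarantine.
QUARANTINE_DIR_MARKER = "\\quarantine\\"
COMBOFIX_PREFIX = "c:\\qoobox\\quarantine\\"


def parse_report(text: str) -> List[dict]:
    """Return one dict per detection line; header/footer lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return hits


def classify(path: str) -> str:
    """'quarantined' if the file lives in a known quarantine store, else 'live'."""
    lowered = path.lower()
    if lowered.startswith(COMBOFIX_PREFIX) or lowered.endswith(".vir"):
        return "quarantined"  # ComboFix backup copy, not an active file
    if QUARANTINE_DIR_MARKER in lowered:
        return "quarantined"  # AV vendor quarantine (e.g. Symantec .VBN)
    return "live"


def triage_report(text: str) -> Dict[str, List[dict]]:
    """Split the report into hits already contained and hits that need action."""
    buckets: Dict[str, List[dict]] = {"quarantined": [], "live": []}
    for hit in parse_report(text):
        buckets[classify(hit["path"])].append(hit)
    return buckets


if __name__ == "__main__":
    for bucket, hits in triage_report(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(hits)}")
        for hit in hits:
            print(f"  {hit['threat']:<32} {hit['path']}")
```

    Anything landing in the "live" bucket is what actually warrants a removal step; the "quarantined" bucket is what the helper later tells the poster to simply delete. The .vir suffix check is there because ComboFix renames what it moves, so the path prefix alone is not the only signal.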
    Malware Scan

    Malwarebytes' Anti-Malware 1.36
    Database version: 1987
    Windows 5.1.2600 Service Pack 3

    4/15/2009 5:38:20 PM
    mbam-log-2009-04-15 (17-38-20).txt

    Scan type: Quick Scan
    Objects scanned: 78369
    Time elapsed: 7 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  16. 2009/04/15
    jsalsa77

    HijackThis Log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:39:15 PM, on 4/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.21020)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] "c:\PROGRA~1\SYMANT~1\VPTray.exe "
    O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe "
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6250C8B9-5F08-4208-AE9C-B6456B61A058}: NameServer = 216.254.95.2,216.231.41.2
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 6838 bytes
  17. 2009/04/15
    Juliet

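    For a "Google redirects" complaint, the two HijackThis sections that decide where a browser actually ends up are the R0/R1 start and search page entries and the O17 per-interface NameServer entries. The script below is an added example, not something from this thread or from HijackThis itself: it reads lines in HijackThis v2.0.2 format and reports any R0/R1 URL whose host is not on an allowlist, and any O17 DNS server the analyst has not confirmed. The sample log is constructed from lines in the post above; the allowlists (KNOWN_GOOD_HOSTS, KNOWN_RESOLVERS) are this example's own assumptions, which is why the resolver list is left empty and every NameServer is reported until someone checks it against the ISP's published servers.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample in HijackThis v2.0.2 format. The R0/R1, O17 and O23 lines
# are copied from the log posted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O17 - HKLM\System\CCS\Services\Tcpip\..\{6250C8B9-5F08-4208-AE9C-B6456B61A058}: NameServer = 216.254.95.2,216.231.41.2
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumed-good hosts for IE start/search pages: the Microsoft fwlink defaults
# plus a few search engines. Anything else is reported for a human to look at.
KNOWN_GOOD_HOSTS: Set[str] = {"go.microsoft.com", "www.google.com", "www.bing.com", "search.live.com"}

# Resolvers confirmed as legitimate for this machine (ISP or internal DNS).
# Deliberately empty: every O17 NameServer is reported until the analyst
# confirms it, because a swapped resolver is one way searches get redirected.
KNOWN_RESOLVERS: Set[str] = set()

# "R0 - <registry key> = <url>" / "R1 - <registry key> = <url>"
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^=]+?)\s*=\s*(?P<url>\S+)$")
# "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
O17_LINE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,]+)$")


def check_start_pages(log: str) -> List[Dict[str, str]]:
    """Report R0/R1 entries whose URL host is not on the allowlist."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if not m:
            continue
        host = (urlparse(m["url"]).hostname or "").lower()
        if host not in KNOWN_GOOD_HOSTS:
            findings.append({"line": line, "host": host,
                             "reason": "IE start/search page points at a non-default host"})
    return findings


def check_nameservers(log: str) -> List[Dict[str, str]]:
    """Report every O17 NameServer address not on the confirmed-resolver list."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O17_LINE.match(line)
        if not m:
            continue
        for server in m["servers"].split(","):
            if server not in KNOWN_RESOLVERS:
                findings.append({"line": line, "server": server,
                                 "reason": "per-interface DNS server not yet confirmed as legitimate"})
    return findings


def triage_hjt(log: str) -> List[Dict[str, str]]:
    """All redirect-relevant findings from one HijackThis log."""
    return check_start_pages(log) + check_nameservers(log)


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f['reason']}: {f.get('host') or f.get('server')}")
        print(f"    {f['line']}")
```

    On the posted log this flags the HKCU Start Page (google.daemonsearch.com is not a vendor default) and both O17 addresses. Flagging is not a verdict: the O17 entries may well be the ISP's own resolvers, and the start page may have been set by an installed program. The point of the check is to force those two questions to be answered rather than assumed, which is what the helper's "How's the computer now?" ultimately tests.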
    What KASPERSKY ONLINE found is held in quarantine folders; we'll deal with those shortly.


    How's the computer now?
  18. 2009/04/16
    jsalsa77

    Juliet,

    The computer seems to be running great. Google no longer redirects.
  19. 2009/04/16
    Juliet

    Good deal

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine ... You can delete the contents inside this folder.


    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

    Go to Start > Run > copy and paste the full text path in the run box


    "%userprofile%\desktop\combofix.exe" /u




    I think you're good to go, good job!



    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates " for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
  20. 2009/04/16
    jsalsa77

    Juliet,

    Thanks for everything. I will recommend this site to anyone else who has problems.
  21. 2009/04/16
    Juliet

    Glad we could help :)