
Active Google Redirect etc also with windows search disabled

Discussion in 'Malware and Virus Removal Archive' started by smisle, 2009/04/17.

  1. 2009/04/17
    smisle

    [Active] Google Redirect etc also with windows search disabled

    I've been having the same Google redirect problems as a lot of other posters (any idea where it comes from?) and by following the instructions given was able to get rid of the search redirecting and not being able to open cmd (even though it still shows up in my RegQuery ... working on that). I'm still having trouble with one thing: I can no longer perform Windows searches for files. It just searches forever, finding nothing and not showing what it's searching for in the status bar.

    I've run every anti-virus I can think of - none of them have detected a thing - I wasn't able to update until I deleted "rtlesb.bsf" and am running a new scan as I type this out.

    Thanks so much!!

    Here is my RegQuery log:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "vidc.I420"="msh263.drv"
    "vidc.iv31"="ir32_32.dll"
    "vidc.iv32"="ir32_32.dll"
    "vidc.iv41"="ir41_32.ax"
    "vidc.iyuv"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "vidc.uyvy"="msyuv.dll"
    "vidc.yuy2"="msyuv.dll"
    "vidc.yvu9"="tsbyuv.dll"
    "vidc.yvyu"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "vidc.DIVX"="DivX.dll"
    "vidc.yv12"="DivX.dll"
    "aux"="C:\\WINDOWS\\system32\\..\\rtlesb.bsf"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave"="rdpsnd.dll"
    "mixer"="rdpsnd.dll"
    "MaxBandwidth"=dword:000056b9
    "wavemapper"="msacm32.drv"
    "EnableMP3Codec"=dword:00000001
    "midimapper"="midimap.dll"

    ==================================
    ==================================
    ==================================

    And here's my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:05:10 PM, on 4/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\MSTMON_P.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Documents and Settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Opera\opera.exe
    C:\Documents and Settings\Susie\Desktop\RegQuery.exe
    C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [KONICA MINOLTA magicolor2300WStatusDisplay] C:\WINDOWS\system32\MSTMON_P.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
    O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{33BD8424-76D0-45D2-B241-31229EEBB1F5}: NameServer = 4.2.2.2,4.2.2.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{33BD8424-76D0-45D2-B241-31229EEBB1F5}: NameServer = 4.2.2.2,4.2.2.3
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c98cf9d1219d5a) (gupdate1c98cf9d1219d5a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 9422 bytes
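The "aux" line in the Drivers32 export above is the entry that stands out: a multimedia driver slot pointing, via a ".." path, at a file with an extension no codec uses. As an added example that is not part of this thread, the following Python script parses a .reg export of that key and flags entries whose module path climbs with ".." or carries an extension outside the usual codec set; the embedded export is a constructed excerpt modelled on the post, and the extension allowlist is an assumption.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the Drivers32 export posted above
# (only a handful of values; the "aux" line is the one of interest).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"vidc.cvid"="iccvid.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"aux"="C:\\WINDOWS\\system32\\..\\rtlesb.bsf"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
'''

DRIVERS32 = r'hkey_local_machine\software\microsoft\windows nt\currentversion\drivers32'

# Assumption: extensions that legitimate Drivers32 modules normally carry.
EXPECTED_EXT = {'.dll', '.drv', '.acm', '.ax'}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg (Windows Registry Editor Version 5.00) export into
    {key_path_lowercase: {value_name: data}}.  String data has its .reg
    escaping (\\\\ for a backslash, \\" for a quote) undone; other types
    such as dword:... are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            keys[current][name] = data
    return keys


def audit_drivers32(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (value_name, data, reason) for every string value under
    Drivers32 (including its subkeys) whose module path either uses ".."
    to leave its directory or ends in an extension outside EXPECTED_EXT."""
    findings = []
    for key, values in keys.items():
        if not key.startswith(DRIVERS32):
            continue
        for name, data in values.items():
            if data.startswith('dword:') or data.startswith('hex'):
                continue  # non-string data, not a module reference
            path = data.replace('/', '\\')
            reasons = []
            if '\\..\\' in path or path.endswith('\\..'):
                reasons.append('path uses ".." traversal')
            ext = ntpath.splitext(ntpath.basename(path))[1].lower()
            if ext not in EXPECTED_EXT:
                reasons.append('unexpected extension %s' % (ext or '(none)'))
            if reasons:
                findings.append((name, data, '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for name, data, reason in audit_drivers32(parse_reg(SAMPLE_REG)):
        print('%s = %s  <-- %s' % (name, data, reason))
```

Against the constructed excerpt the script reports only the aux entry, for both reasons; run it over a real export (reg export of the Drivers32 key) to review every slot the same way.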
     
  2. 2009/04/18
    smisle

    DDS logs

    I meant to post these yesterday, but my internet stopped working ... hopefully this will go through:

    DDS


    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Susie at 12:28:41.31 on Sat 04/18/2009
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2674 [GMT -7:00]

    AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\MSTMON_P.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Documents and Settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Opera\opera.exe
    C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
    C:\WINDOWS\system32\ping.exe
    C:\Documents and Settings\Susie\Desktop\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    uRun: [Google Update] "c:\documents and settings\susie\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Pidgin] c:\program files\pidgin\pidgin.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [KONICA MINOLTA magicolor2300WStatusDisplay] c:\windows\system32\MSTMON_P.EXE
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    StartupFolder: c:\docume~1\susie\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: {33BD8424-76D0-45D2-B241-31229EEBB1F5} = 4.2.2.2,4.2.2.3
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\susie\applic~1\mozilla\firefox\profiles\vv7vr6dy.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/url?sa=p&pref=ig&pval=1&q=/webhp%3Frls%3Dig
    FF - plugin: c:\documents and settings\susie\application data\mozilla\firefox\profiles\vv7vr6dy.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\documents and settings\susie\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\mozilla firefox 3.1 beta 3\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\mozilla firefox 3.1 beta 3\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-4 11840]
    R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-17 186128]
    R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-4 68865]
    R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-4 151297]
    R2 MLPTDR_P;MLPTDR_P;c:\windows\system32\MLPTDR_P.SYS [2003-7-9 20032]
    R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-4 52032]
    S2 gupdate1c98cf9d1219d5a;Google Update Service (gupdate1c98cf9d1219d5a);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]

    ============== File Associations ===============

    txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"

    =============== Created Last 30 ================

    2009-04-17 15:17 3,569,696 a--sh--- c:\windows\system32\drivers\fidbox.dat
    2009-04-17 15:17 49,544 a--sh--- c:\windows\system32\drivers\fidbox.idx
    2009-04-17 15:17 26,400 a--sh--- c:\windows\system32\drivers\fidbox2.dat
    2009-04-17 15:17 4,304 a--sh--- c:\windows\system32\drivers\fidbox2.idx
    2009-04-17 15:17 3,895 a------- C:\rollback.ini
    2009-04-17 14:59 <DIR> --d----- c:\program files\common files\ParetoLogic
    2009-04-17 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
    2009-04-17 14:44 <DIR> --d----- c:\docume~1\susie\applic~1\Malwarebytes
    2009-04-17 14:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-04-17 14:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-17 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-04-17 14:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-04-17 14:41 <DIR> --d----- c:\program files\Trend Micro
    2009-04-17 10:01 <DIR> --d----- c:\docume~1\susie\applic~1\STOIK
    2009-04-17 10:01 <DIR> --d----- c:\program files\STOIK Imaging
    2009-04-17 10:01 <DIR> --d----- c:\program files\common files\ST System Shared
    2009-04-16 23:30 <DIR> --d----- c:\program files\Photo Story 3 for Windows
    2009-04-16 23:28 <DIR> --d----- c:\program files\Windows Media Connect 2
    2009-04-16 23:27 <DIR> --d----- c:\windows\system32\LogFiles
    2009-04-16 18:26 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
    2009-04-16 18:22 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
    2009-04-16 18:22 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-16 18:22 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
    2009-04-16 18:22 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
    2009-04-16 18:22 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-16 18:22 110,592 -c------ c:\windows\system32\dllcache\services.exe
    2009-04-16 18:22 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
    2009-04-16 18:22 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
    2009-04-16 18:22 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
    2009-04-16 18:21 2,560 -------- c:\windows\system32\xpsp4res.dll
    2009-04-16 18:21 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
    2009-04-16 18:21 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
    2009-04-15 23:26 10,044 a------- c:\docume~1\susie\applic~1\wklnhst.dat
    2009-04-15 22:20 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-04-15 22:19 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
    2009-04-15 22:19 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-04-15 22:19 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
    2009-04-15 22:19 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-04-15 22:19 1,676,288 -------- c:\windows\system32\xpssvcs.dll
    2009-04-15 22:19 575,488 -------- c:\windows\system32\xpsshhdr.dll
    2009-04-15 22:19 117,760 -------- c:\windows\system32\prntvpt.dll
    2009-04-14 11:08 <DIR> --d----- c:\windows\SHELLNEW
    2009-04-14 11:08 <DIR> --d----- c:\program files\Microsoft ActiveSync
    2009-04-10 11:13 664 a------- c:\windows\system32\d3d9caps.dat
    2009-04-10 10:14 593,920 -------- c:\windows\system32\ati2sgag.exe
    2009-04-10 10:13 <DIR> --d----- C:\ATI
    2009-04-10 09:33 10 a------- c:\windows\WININIT.INI
    2009-04-08 14:06 <DIR> --d----- c:\program files\Mozilla Firefox 3.1 Beta 3
    2009-04-02 19:57 <DIR> --d----- c:\docume~1\susie\applic~1\calibre
    2009-04-02 19:57 <DIR> --d-h--- c:\program files\InstallJammer Registry
    2009-04-02 19:57 <DIR> --d----- c:\program files\calibre
    2009-04-01 14:26 <DIR> --d----- c:\docume~1\susie\applic~1\Mobipocket
    2009-04-01 14:23 <DIR> --d----- c:\program files\common files\Mobipocket Shared
    2009-04-01 14:23 <DIR> --d----- c:\program files\Mobipocket.com
    2009-03-28 13:49 <DIR> --d----- c:\program files\Unity
    2009-03-23 16:49 <DIR> --d----- c:\docume~1\susie\applic~1\JGsoft
    2009-03-21 07:06 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll
    2009-03-20 12:26 <DIR> --d----- c:\program files\iPod
    2009-03-20 12:26 <DIR> --d----- c:\program files\iTunes
    2009-03-20 12:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

    ==================== Find3M ====================

    2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
    2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
    2009-02-25 15:58 3,565,568 a------- c:\windows\system32\drivers\ati2mtag.sys
    2009-02-25 14:42 442,368 a------- c:\windows\system32\ATIDEMGX.dll
    2009-02-25 14:41 325,120 a------- c:\windows\system32\ati2dvag.dll
    2009-02-25 14:30 11,841,536 a------- c:\windows\system32\atioglxx.dll
    2009-02-25 14:30 204,800 a------- c:\windows\system32\atipdlxx.dll
    2009-02-25 14:29 155,648 a------- c:\windows\system32\Oemdspif.dll
    2009-02-25 14:29 26,112 a------- c:\windows\system32\Ati2mdxx.exe
    2009-02-25 14:29 43,520 a------- c:\windows\system32\ati2edxx.dll
    2009-02-25 14:29 155,648 a------- c:\windows\system32\ati2evxx.dll
    2009-02-25 14:27 602,112 a------- c:\windows\system32\ati2evxx.exe
    2009-02-25 14:26 53,248 a------- c:\windows\system32\ATIDDC.DLL
    2009-02-25 14:16 3,817,984 a------- c:\windows\system32\ati3duag.dll
    2009-02-25 14:09 307,200 a------- c:\windows\system32\atiiiexx.dll
    2009-02-25 13:59 2,670,080 a------- c:\windows\system32\ativvaxx.dll
    2009-02-25 13:58 3,107,788 a------- c:\windows\system32\ativva5x.dat
    2009-02-25 13:58 887,724 a------- c:\windows\system32\ativva6x.dat
    2009-02-25 13:44 49,664 a------- c:\windows\system32\amdpcom32.dll
    2009-02-25 13:40 475,136 a------- c:\windows\system32\atikvmag.dll
    2009-02-25 13:38 126,976 a------- c:\windows\system32\atiadlxx.dll
    2009-02-25 13:38 17,408 a------- c:\windows\system32\atitvo32.dll
    2009-02-25 13:37 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
    2009-02-25 13:35 290,816 a------- c:\windows\system32\atiok3x2.dll
    2009-02-25 13:32 45,056 a------- c:\windows\system32\aticalrt.dll
    2009-02-25 13:32 45,056 a------- c:\windows\system32\aticalcl.dll
    2009-02-25 13:32 626,688 a------- c:\windows\system32\ati2cqag.dll
    2009-02-25 13:30 3,227,648 a------- c:\windows\system32\aticaldd.dll
    2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
    2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
    2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
    2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
    2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
    2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
    2009-02-06 04:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
    2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
    2009-02-06 03:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
    2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
    2009-01-26 10:55 182,995 a------- c:\windows\system32\atiicdxx.dat
    2002-09-24 09:24 61,440 a------- c:\windows\inf\i386\onetUSD.dll
    2002-07-09 09:23 36,864 a------- c:\windows\inf\i386\Vizmicro.dll
    2002-05-20 09:20 172,032 a------- c:\windows\inf\i386\viceo.dll
    2002-05-20 09:02 225,280 a------- c:\windows\inf\i386\rtscan.dll
    2001-08-03 19:29 13,824 a------- c:\windows\inf\i386\Usbscan.sys
    2009-01-04 14:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010420090105\index.dat

    ============= FINISH: 12:29:14.35 ===============


    Attach:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/1/2009 1:47:49 PM
    System Uptime: 4/17/2009 10:03:36 PM (14 hours ago)

    Motherboard: MSI | | MS-7325
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ | | 2412/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 89 GiB total, 60.392 GiB free.
    D: is FIXED (NTFS) - 98 GiB total, 4.15 GiB free.
    E: is CDROM ()
    F: is FIXED (NTFS) - 363 GiB total, 179.453 GiB free.
    G: is FIXED (NTFS) - 10 GiB total, 9.714 GiB free.
    H: is CDROM ()
    I: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Logitech-compatible Mouse PS/2
    Device ID: ACPI\PNP0F03\4&2FF81D47&0
    Manufacturer: Logitech
    Name: Logitech-compatible Mouse PS/2
    PNP Device ID: ACPI\PNP0F03\4&2FF81D47&0
    Service: i8042prt

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Acrobat.com
    Adobe Acrobat 7.0 Professional
    Adobe After Effects CS4 Third Party Content
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe Creative Suite 4 Master Collection
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Dynamiclink Support
    Adobe Encore CS4 Codecs
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Fireworks CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe InDesign CS4
    Adobe InDesign CS4 Application Feature Set Files (Roman)
    Adobe InDesign CS4 Common Base Files
    Adobe InDesign CS4 Icon Handler
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Encoder CS4 Exporter
    Adobe Media Encoder CS4 Importer
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop 7.0
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Premiere Pro CS4 Third Party Content
    Adobe Reader 9
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe SGM CS4
    Adobe SING CS4
    Adobe Soundbooth CS4 Codecs
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    AutoUpdate
    Avira AntiVir Personal - Free Antivirus
    AVIVO Codecs
    Bonjour
    calibre
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help English
    Compatibility Pack for the 2007 Office system
    Connect
    Crayon Physics Deluxe Demo - release 52
    Critical Update for Windows Media Player 11 (KB959772)
    DivX Codec
    DivX Converter
    DivX Player
    DivX Version Checker
    FileZilla (remove only)
    Google Chrome
    Google Earth
    Google SketchUp 7
    Google Update Helper
    Google Updater
    GTK+ Runtime 2.12.12 rev a (remove only)
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    iTunes
    Java(TM) 6 Update 13
    Java(TM) 6 Update 7
    JGsoft EditPad Pro 6 v.6.0.3
    KONICA MINOLTA magicolor2300W
    kuler
    Logitech SetPoint
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Microsoft Works 6-9 Converter
    Mobipocket Creator 4.2
    Mobipocket Reader 6.2
    Mozilla Firefox (3.0.8)
    Mozilla Firefox (3.1b3)
    Mozilla Thunderbird (2.0.0.21)
    Nero 6 Ultra Edition
    NVIDIA Drivers
    OneTouch Version 3.0
    OpenOffice.org 3.0
    Opera 9.63
    PaperPort 7.02
    PDF Settings CS4
    Photo Story 3 for Windows
    Photoshop Camera Raw
    Pidgin
    Pixel Bender Toolkit
    QuickTime
    Realtek AC'97 Audio
    Safari
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Skins
    Spybot - Search & Destroy
    STOIK Video Converter 2
    Suite Shared Configuration CS4
    THE SETTLERS - Rise of an Empire Demo
    Unity Web Player
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VC80CRTRedist - 8.0.50727.762
    Vuze
    WebFldrs XP
    Winamp
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    4/18/2009 3:43:19 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer MERCURY that believes that it is the master browser for the domain on transport NetBT_Tcpip_{33BD8424-76D0-45D2-B. The master browser is stopping or an election is being forced.
    4/17/2009 4:30:36 PM, error: Service Control Manager [7034] - The plasservice service terminated unexpectedly. It has done this 1 time(s).
    4/17/2009 2:13:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    4/17/2009 2:12:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    4/17/2009 2:11:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 avgio avipbb Fips ssmdrv
    4/17/2009 2:11:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    ==== End Of File ===========================
     


  4. 2009/04/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS smisle :)

    Highlight and copy the contents of the code box below.
    Code:
    reg add  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /v aux  /t REG_SZ /d wdmaud.drv /f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select paste.
    The command window will close on its own.
    Restart the computer, then check once again for the presence of the rtlesb.bsf file and delete if found.


    Then, do an online scan with Kaspersky Online Scanner

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


    Post the Kaspersky log here. Let me know what, if any, problems persist.
     
  5. 2009/04/20
    smisle

    smisle Inactive Thread Starter

    Joined:
    2009/04/17
    Messages:
    6
    Likes Received:
    0
    I ran the registry change, and after a reboot no more rtlesb.bsf in the registry.

    The searching is still broken - as soon as I get home from work I'll run the online scan, which came up clean the last time I ran it - so we'll see.

    During the weekend, another symptom appeared. When my computer is connected to the network, my computer and the other computers connected to the same hub can no longer connect to the internet. I think my computer is spamming either the router/hub or some internet address.

    Not sure what to do about that, but in the meantime, I've installed Comodo firewall, and set it to paranoid. I haven't had time to test it yet, as it only manifests when I am on certain websites.

    Does anyone know if any of the various web browsers are immune to these effects? I've tried Opera and Firefox (and IE goes without saying) - but not Safari or Google Chrome yet - or any of the lesser known browsers.

    Thanks again :)
     
  6. 2009/04/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's see what the settings are for the Windows Search utility. Highlight and copy the contents of the code box below.
    Code:
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer >temp0
    reg query HKLM\SYSTEM\CurrentControlSet\Control\ContentIndex >>temp0
    type temp0 | findstr /i  "CaseSensitive IncludeSubFolders SearchHidden SearchSystemDirs SearchSlowFiles FilterFilesWithUnknownExtensions" >temp1
    start /wait notepad temp1
    del /q temp0
    del /q temp1
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select paste.
    Shortly, a text file will open.
    Copy its contents and post it here.
    The command window will close on its own once you close the text file.
     
  7. 2009/04/21
    smisle

    smisle Inactive Thread Starter

    Joined:
    2009/04/17
    Messages:
    6
    Likes Received:
    0
    Here's the result of the reg query about Windows search:

    SearchSystemDirs REG_DWORD 0x0
    SearchHidden REG_DWORD 0x0
    IncludeSubFolders REG_DWORD 0x1
    CaseSensitive REG_DWORD 0x0
    SearchSlowFiles REG_DWORD 0x0
    FilterFilesWithUnknownExtensions REG_DWORD 0x0

    The online scan crashed halfway through; starting it again. Nothing found in the first half of the search.
     
  8. 2009/04/21
    smisle

    smisle Inactive Thread Starter

    Joined:
    2009/04/17
    Messages:
    6
    Likes Received:
    0
    Online scanner finished - no actual threats detected:

    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Tuesday, April 21, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Tuesday, April 21, 2009 07:27:11
    Records in database: 2065177
    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes
    Scan area My Computer
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    Scan statistics
    Files scanned 322723
    Threat name 3
    Infected objects 3
    Suspicious objects 0
    Duration of the scan 04:18:56

    File name Threat name Threats count
    F:\Gatehouse\Downloads\mirc617.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
    F:\Gatehouse\Downloads\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
    F:\Gatehouse\Downloads\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
    The selected area was scanned.

    =================

    So, now what?
     
  9. 2009/04/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's see if a couple of changes to the Search options produce any results.
    Highlight and copy the contents of the code box below.
    Code:
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer /v SearchHidden /t REG_DWORD /d 1 /f
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer /v SearchSystemDirs /t REG_DWORD /d 1 /f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select paste.
    The command window will close on its own.
    Log off or restart for the changes to take effect, then try doing another search (don't change any advanced options). Try something that we know should work like searching the C: drive for>All Files and folders>Filename: regedit


    As for the connection problem - it appears this machine may be a business computer. If so, is it in a domain, and do you have an IT guy?
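    Added example (not from the thread, and not part of the reg or DDS tools used in it): a small Python check that parses the text output of `reg query` and audits the two things worked through above - the Drivers32 "aux" mapping noahdfear resets to wdmaud.drv after the rtlesb.bsf infection, and the Explorer search DWORDs queried and then set to 1. The midimapper and wavemapper baseline values are assumed stock XP defaults, and the sample `reg query` output is constructed for the demo.

```python
"""Audit 'reg query' output for what this thread checks: the Drivers32 'aux'
mapping reset to wdmaud.drv after the rtlesb.bsf infection, and the Explorer
search options.  Added example; the sample output below is constructed."""
import re

# 'aux' -> wdmaud.drv is what the thread restores; midimapper/wavemapper
# are stock XP values (assumption: otherwise unmodified install).
DRIVERS32_BASELINE = {"aux": "wdmaud.drv", "midimapper": "midimap.dll",
                      "wavemapper": "msacm32.drv"}
# Search DWORDs the thread sets to 1 so Explorer searches hidden/system dirs.
SEARCH_EXPECTED = {"IncludeSubFolders": 1, "SearchHidden": 1, "SearchSystemDirs": 1}
# One 'reg query' data line: <name> <type> <data>, tab/space separated.
# Assumes value names without spaces (true for every name checked here).
_LINE_RE = re.compile(
    r"^\s*(\S+)\s+(REG_SZ|REG_EXPAND_SZ|REG_MULTI_SZ|REG_DWORD|REG_BINARY)\s+(.*?)\s*$")

def parse_reg_query(text):
    """Map value name -> (type, data); key-path and header lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            name, vtype, data = m.groups()
            values[name] = (vtype, data)
    return values

def audit_drivers32(text):
    """Baseline entries that are missing or point at an unexpected file."""
    values = parse_reg_query(text)
    findings = []
    for name, expected in DRIVERS32_BASELINE.items():
        data = values.get(name, (None, None))[1]
        if data is None:
            findings.append(f"{name}: missing")
        elif data.lower() != expected:
            findings.append(f"{name}: {data} (expected {expected})")
    return findings

def audit_search_options(text):
    """Search DWORDs present in the output that differ from SEARCH_EXPECTED."""
    values = parse_reg_query(text)
    findings = []
    for name, expected in SEARCH_EXPECTED.items():
        data = values.get(name, (None, None))[1]
        if data is not None and int(data, 0) != expected:
            findings.append(f"{name}={data}")
    return findings

# Constructed samples in 'reg query' layout (not the thread's real output).
SAMPLE_DRIVERS32 = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32
    midimapper\tREG_SZ\tmidimap.dll
    wavemapper\tREG_SZ\tmsacm32.drv
    aux\tREG_SZ\trtlesb.bsf
"""
SAMPLE_SEARCH = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
    SearchSystemDirs\tREG_DWORD\t0x0
    SearchHidden\tREG_DWORD\t0x0
    IncludeSubFolders\tREG_DWORD\t0x1
"""
if __name__ == "__main__":
    print(audit_drivers32(SAMPLE_DRIVERS32))    # aux points at rtlesb.bsf
    print(audit_search_options(SAMPLE_SEARCH))  # two options still 0x0
```

    Feed it the saved output of the two `reg query` commands from the code boxes above; an empty list from both functions means the mappings match the baseline and the search options are already set as post 9 leaves them.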
     
  10. 2009/04/22
    smisle

    smisle Inactive Thread Starter

    Joined:
    2009/04/17
    Messages:
    6
    Likes Received:
    0
    Changing the search settings didn't do anything - but I did notice that I was able to search *right* after I rebooted, but not after everything had loaded - obviously something was interfering with the search. I went into the registry and disabled Acrobat (which I hate to have pre-load anyway) and my ATI Catalyst Control Center. Then, I rebooted again, and the search works everywhere.

    My graphics drivers had been glitching out this last week as well (blue screen of death and infinite loops) so I reinstalled the drivers right before I got the redirect virus. I think this newest version of catalyst is just buggy (which is sad, since they also say they won't update the legacy drivers again) and so I'll go complain at them :)

    I'm not in a business, I just happen to have 8 running computers in my apartment :) - I'm my own IT person, and I can usually beat these types of things myself - so this was very frustrating.

    As for the connection, I "repaired the connection" and that seemed to reset it so that it wasn't glitching anymore. But, as soon as I used my connection, it froze up again, usually in a three replies / three timed-outs pattern:

    Pinging 4.2.2.2 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Reply from 4.2.2.2: bytes=32 time=79ms TTL=49
    Reply from 4.2.2.2: bytes=32 time=81ms TTL=49
    Reply from 4.2.2.2: bytes=32 time=79ms TTL=49
    Request timed out.
    Reply from 4.2.2.2: bytes=32 time=79ms TTL=49
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 4.2.2.2: bytes=32 time=236ms TTL=49
    Reply from 4.2.2.2: bytes=32 time=80ms TTL=49
    Reply from 4.2.2.2: bytes=32 time=80ms TTL=49
    Reply from 4.2.2.2: bytes=32 time=80ms TTL=49

    I installed a firewall, but it hasn't caught anything unusual.

    If I boot into Linux, it all works great, so I know it's a software issue.

    It all seems very sporadic - sometimes working fine, sometimes not. Other computers on the same router ping fine while mine does not. I think I'll change browsers and see if that makes a difference - I've had some trouble with a few of my firefox add-ons in the past doing wonky stuff.

    Unless you have any suggestions about the connection, feel free to mark this as resolved - I don't think it has to do with the virus - just a horrible coincidence. I'll take up the search issue with ATI.
     
