
Solved Google links redirecting

Discussion in 'Malware and Virus Removal Archive' started by tcatalano, 2009/03/10.

    [Resolved] Google links redirecting

    Hello all,

    I've recently been browsing this forum and it seems that you have a great success rate when it comes to malware removal. So here it goes:

    Recently, when I click links in Google, it will bring me to an advertising website of some sort. I'm not sure if I should post all these logs, but they can't hurt.

    Thanks



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:42:47 PM, on 3/10/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 3812 bytes







    "Silent Runners.vbs", revision 59, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Aim6" = " "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp" [ "AOL LLC"]
    "MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = " "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" " [ "Nero AG"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
    "SunJavaUpdateSched" = " "C:\Program Files\Java\jre6\bin\jusched.exe" " [ "Sun Microsystems, Inc."]
    "Adobe Reader Speed Launcher" = " "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" " [ "Adobe Systems Incorporated"]
    "NeroFilterCheck" = "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [ "Nero AG"]
    "NBKeyScan" = " "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" " [ "Nero AG"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub "
    -> {HKLM...CLSID} = "Adobe PDF Link Helper "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" [ "Adobe Systems Incorporated"]
    {DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" [ "Sun Microsystems, Inc."]
    {E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl "
    -> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" [ "Sun Microsystems, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [ "Hilgraeve, Inc."]
    "{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete "
    -> {HKLM...CLSID} = "IE Microsoft AutoComplete "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
    "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band "
    -> {HKLM...CLSID} = "History Band "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
    "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler "
    -> {HKLM...CLSID} = "Microsoft Office Metadata Handler "
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
    "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler "
    -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler "
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
    "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO "
    -> {HKLM...CLSID} = "PowerISO "
    \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" [ "PowerISO Computing, Inc."]
    "{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons "
    -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class "
    \InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" [ "Nero AG"]
    "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler "
    -> {HKLM...CLSID} = "NeroDigitalIconHandler Class "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" [ "Nero AG"]
    "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler "
    -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" [ "Nero AG"]

    HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945} "
    -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter "
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler "
    -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" [ "Nero AG"]
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
    -> {HKLM...CLSID} = "PDF Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
    Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7} "
    -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" [ "Nero AG"]
    PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} "
    -> {HKLM...CLSID} = "PowerISO "
    \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" [ "PowerISO Computing, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
    PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} "
    -> {HKLM...CLSID} = "PowerISO "
    \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" [ "PowerISO Computing, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
    PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} "
    -> {HKLM...CLSID} = "PowerISO "
    \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" [ "PowerISO Computing, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    "InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    {unrecognized setting}

    "InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Tom Catalano\Application Data\Mozilla\Firefox\Desktop Background.bmp "


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Windows Portable Device AutoPlay Handlers
    -----------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

    BridgeCS3ImportMediaOnArrival\
    "Provider" = "Adobe Bridge CS3 "
    "InvokeProgID" = "Adobe.adobebridge "
    "InvokeVerb" = "launch "
    HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" [ "Adobe Systems, Inc."]

    EHomeMusicDropTarget\
    "Provider" = "Media Center "
    "InvokeProgID" = "EHomeDropTarget.EHomeMusicDropTarget "
    "InvokeVerb" = "play "
    HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeMusicDropTarget\shell\play\DropTarget\CLSID = "{ED87EFF3-FF22-404E-B2BD-BC3841BDCB2C} "
    -> {HKLM...CLSID} = "EHomeMusicDropTarget Class "
    \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

    EHomePhotosHandler\
    "Provider" = "Media Center "
    "InvokeProgID" = "EHomeDropTarget.EHomePhotosHandler "
    "InvokeVerb" = "play "
    HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomePhotosHandler\shell\play\DropTarget\CLSID = "{4b7601c1-d292-4902-89f4-583a5ce0c535} "
    -> {HKLM...CLSID} = "EHomePhotosHandler Class "
    \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

    EHomeVideoDropTarget\
    "Provider" = "Media Center "
    "InvokeProgID" = "EHomeDropTarget.EHomeVideoDropTarget "
    "InvokeVerb" = "play "
    HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideoDropTarget\shell\play\DropTarget\CLSID = "{A48E70A4-8E15-4465-9D85-CCE9E63F8AAB} "
    -> {HKLM...CLSID} = "EHomeVideoDropTarget Class "
    \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

    EHomeVideosHandler\
    "Provider" = "Media Center "
    "InvokeProgID" = "EHomeDropTarget.EHomeVideosHandler "
    "InvokeVerb" = "play "
    HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideosHandler\shell\play\DropTarget\CLSID = "{4f61ec50-acef-4ae7-b4c6-b19bddc0f745} "
    -> {HKLM...CLSID} = "EHomeVideosHandler Class "
    \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

    NeroAutoPlay8AudioToNeroDigital\
    "Provider" = "Nero Burning ROM "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" [ "Nero AG"]

    NeroAutoPlay8CDAudio\
    "Provider" = "Nero Express "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "CDAudio_HandleCDBurningOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" [ "Nero AG"]

    NeroAutoPlay8CopyCD\
    "Provider" = "Nero Burning ROM "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" [ "Nero AG"]

    NeroAutoPlay8DataDisc_CD\
    "Provider" = "Nero Express "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" [ "Nero AG"]

    NeroAutoPlay8DataDisc_DVD\
    "Provider" = "Nero Express "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" [ "Nero AG"]

    NeroAutoPlay8LaunchNeroStartSmart\
    "Provider" = "Nero StartSmart "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" [ "Nero AG"]

    NeroAutoPlay8PlayAudioCD\
    "Provider" = "Nero ShowTime "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" [ "Nero AG"]

    NeroAutoPlay8PlayDVD\
    "Provider" = "Nero ShowTime "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" [ "Nero AG"]

    NeroAutoPlay8RipCD\
    "Provider" = "Nero Burning ROM "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "RipCD_PlayCDAudioOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" [ "Nero AG"]

    NeroAutoPlay8TranscodeVideo\
    "Provider" = "Nero Recode "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" [ "Nero AG"]

    NeroAutoPlay8VideoCapture\
    "Provider" = "Nero Vision "
    "ProgID" = "Shell.HWEventHandlerShellExecute "
    "InitCmdLine" = " "C:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture "
    HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} "
    -> {HKLM...CLSID} = "ShellExecute HW Event Handler "
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

    NeroAutoPlay8ViewPhotos\
    "Provider" = "Nero PhotoSnap Viewer "
    "InvokeProgID" = "Nero.AutoPlay8 "
    "InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival "
    HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" [ "Nero AG"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" [ "Apple Computer, Inc."]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Explorer Bars

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research "
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research "

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, " "C:\Program Files\Bonjour\mDNSResponder.exe" " [ "Apple Computer, Inc."]
    Java Quick Starter, JavaQuickStarterService, " "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" " [ "Sun Microsystems, Inc."]
    Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
    Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
    Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
    Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" [ "Nero AG"]
    NMIndexingService, NMIndexingService, " "C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe" " [ "Nero AG"]
    Viewpoint Manager Service, Viewpoint Manager Service, " "C:\Program Files\Viewpoint\Common\ViewpointService.exe" " [ "Viewpoint Corporation"]


    ---------- (launch time: 2009-03-10 17:17:13)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 41 seconds, including 4 seconds for message boxes)







    DDS (Ver_09-02-01.01) - NTFSx86
    Run by Tom Catalano at 17:39:19.39 on Tue 03/10/2009
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.647 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Tom Catalano\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe "
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\tomcat~1\applic~1\mozilla\firefox\profiles\bhmh1ey9.default\
    FF - prefs.js: browser.startup.homepage - google.com
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-6 24652]
    R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-3-7 50944]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-3-10 33752]

    =============== Created Last 30 ================

    2009-03-10 17:18 <DIR> --d----- C:\!KillBox
    2009-03-10 03:21 69 a------- c:\windows\NeroDigital.ini
    2009-03-10 02:52 <DIR> --d----- c:\program files\Nero
    2009-03-10 02:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
    2009-03-08 11:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
    2009-03-08 11:13 <DIR> --d----- c:\program files\PowerISO
    2009-03-08 10:54 <DIR> --d----- c:\program files\Bonjour
    2009-03-08 10:49 <DIR> --d----- c:\program files\common files\Macrovision Shared
    2009-03-08 09:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-03-08 09:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-03-08 09:49 <DIR> --d----- c:\program files\Trend Micro
    2009-03-08 09:10 <DIR> --d----- c:\windows\SHELLNEW
    2009-03-07 21:20 <DIR> --d----- c:\windows\system32\LogFiles
    2009-03-07 19:41 <DIR> --d----- c:\program files\QuickWatch
    2009-03-07 19:40 <DIR> --d----- c:\program files\VirtualDJ
    2009-03-07 19:34 50,944 a------- c:\windows\system32\drivers\vrtaucbl.sys
    2009-03-07 19:34 <DIR> --d----- c:\program files\Virtual Audio Cable
    2009-03-07 15:39 <DIR> --d-h--- c:\windows\PIF
    2009-03-07 00:00 765,952 a------- c:\windows\system32\xvidcore.dll
    2009-03-07 00:00 77,824 a------- c:\windows\system32\xvid.ax
    2009-03-07 00:00 180,224 a------- c:\windows\system32\xvidvfw.dll
    2009-03-07 00:00 <DIR> --d----- c:\program files\Xvid
    2009-03-06 20:31 499,712 a------- c:\windows\system32\msvcp71.dll
    2009-03-06 20:31 <DIR> --d----- c:\windows\system32\Adobe
    2009-03-06 20:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SwiftKit
    2009-03-06 20:20 <DIR> --d----- c:\program files\SwiftKit
    2009-03-06 20:08 <DIR> --d----- c:\windows\.mpr_file_store_32
    2009-03-06 20:08 664 a------- c:\windows\system32\d3d9caps.dat
    2009-03-06 19:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
    2009-03-06 19:58 <DIR> --d----- c:\program files\Viewpoint
    2009-03-06 19:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
    2009-03-06 19:57 <DIR> --d----- c:\program files\common files\AOL
    2009-03-06 19:55 <DIR> --d----- c:\program files\AIM6
    2009-03-06 19:55 446 a---h--- C:\IPH.PH
    2009-03-06 17:08 348,160 a------- c:\windows\system32\msvcr71.dll
    2009-03-06 15:49 <DIR> --d----- c:\program files\Ventrilo
    2009-03-06 15:49 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2009-03-06 15:49 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-03-06 15:44 <DIR> --d----- c:\program files\uTorrent
    2009-03-06 15:44 <DIR> --d----- c:\docume~1\tomcat~1\applic~1\uTorrent
    2009-03-06 15:20 34 a------- c:\documents and settings\tom catalano\jagex_runescape_preferences.dat
    2009-03-06 15:19 <DIR> --d----- c:\windows\.jagex_cache_32
    2009-03-06 15:15 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-06 15:15 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-03-06 15:11 1,902 -------- c:\windows\system32\SetupBD.din
    2009-03-06 15:10 <DIR> --ds---- c:\documents and settings\tom catalano\UserData
    2009-03-06 15:10 180,736 a------- c:\windows\system32\drivers\e1e5132.sys
    2009-03-06 15:10 163,840 a------- c:\windows\system32\e1000msg.dll
    2009-03-06 15:10 126,976 a------- c:\windows\system32\Prounstl.exe
    2009-03-06 15:10 23,040 a------- c:\windows\system32\IntelNic.dll
    2009-03-06 15:10 17,408 a------- c:\windows\system32\EtCoInst.dll
    2009-03-06 15:10 2,740 a------- c:\windows\system32\e1e5132.din
    2009-03-06 15:10 <DIR> --d----- C:\drvrtmp
    2009-03-06 14:54 396 ---shr-- C:\autorun.inf
    2009-03-06 14:51 26,496 ac------ c:\windows\system32\dllcache\usbstor.sys
    2009-03-06 07:04 <DIR> --d----- c:\windows\RegisteredPackages
    2009-03-06 07:03 46,592 -------- c:\windows\system32\drivers\irbus.sys
    2009-03-06 07:03 19,200 -------- c:\windows\system32\drivers\hidir.sys
    2009-03-06 07:02 22,752 a------- c:\windows\system32\spupdsvc.exe
    2009-03-06 07:02 <DIR> --d----- C:\33b9a3317f2fcc9284e53a4b
    2009-03-06 07:01 <DIR> --d----- c:\windows\system32\URTTemp
    2009-03-05 23:30 <DIR> --d----- c:\documents and settings\Tom Catalano
    2009-03-05 23:29 <DIR> --ds---- c:\windows\system32\Microsoft
    2009-03-05 23:29 8,192 a------- c:\windows\REGLOCS.OLD
    2009-03-05 23:27 41,600 ac------ c:\windows\system32\dllcache\weitekp9.dll
    2009-03-05 23:26 10,096,640 ac------ c:\windows\system32\dllcache\hwxcht.dll
    2009-03-05 23:25 <DIR> --d----- C:\DELL
    2009-03-05 23:24 <DIR> --dsh--- c:\documents and settings\all users\DRM
    2009-03-05 23:24 <DIR> --d--r-- c:\windows\Offline Web Pages
    2009-03-05 23:24 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
    2009-03-05 23:24 488 a---hr-- c:\windows\system32\logonui.exe.manifest
    2009-03-05 23:24 <DIR> --ds---- c:\windows\Downloaded Program Files
    2009-03-05 23:24 749 a---hr-- c:\windows\WindowsShell.Manifest
    2009-03-05 23:24 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
    2009-03-05 23:24 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
    2009-03-05 23:24 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
    2009-03-05 23:24 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
    2009-03-05 23:24 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
    2009-03-05 23:24 <DIR> --d-h--- c:\program files\WindowsUpdate
    2009-03-05 23:24 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
    2009-03-05 23:23 <DIR> --d----- c:\program files\common files\MSSoap
    2009-03-05 23:21 <DIR> --d----- c:\program files\Online Services
    2009-03-05 23:21 <DIR> --d----- c:\program files\Windows Plus
    2009-03-05 23:20 <DIR> --d----- c:\program files\Messenger
    2009-03-05 23:20 <DIR> --d----- c:\program files\MSN Gaming Zone
    2009-03-05 23:19 <DIR> --d----- c:\program files\Windows NT
    2009-03-05 18:16 <DIR> --d----- c:\program files\common files\ODBC
    2009-03-05 18:16 <DIR> --d----- c:\program files\common files\SpeechEngines
    2009-03-05 18:15 <DIR> --d--r-- c:\documents and settings\all users\Documents

    ==================== Find3M ====================

    2009-03-07 01:41 87,747 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-03-05 23:21 21,640 a------- c:\windows\system32\emptyregdb.dat

    ============= FINISH: 17:39:26.39 ===============
     
  2. 2009/03/14
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome


    Looking over your log, it seems you don't have any evidence of anti-virus software.
    We need to get an Antivirus on this machine.


    I can give you links to free Antivirus and Firewall programs which are used by very many.
    What you'll probably have to do is experiment somewhat to find one that runs well on your machine.

    Avira
    Here is a tutorial on its setup and use:
    http://www.techsupportforum.com/content/Se...rticles/64.html

    Avast!
    How to Install, Configure, and Use Avast Antivirus

    AVG Free,
    Help overview http://free.grisoft.com/doc/5/us/frt/0/num/616#faq_616
    This is a very useful read:
    http://grandstreamdreams.blogspot.com/2008/04/taming-avg-free-version-8.html

    Never install more than one antivirus scanner or firewall on your system



    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.




    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




    In your next reply post:
    GooredLog.txt
    Malwarebytes' Anti-Malware log
    New HJT log
     


  4. 2009/03/14
    tcatalano

    tcatalano Inactive Thread Starter

    Joined:
    2009/03/10
    Messages:
    8
    Likes Received:
    0
    I installed Avast successfully and that's running in the background now. I downloaded Malwarebytes and installed that also, but when I click the Malwarebytes Anti-Malware icon on my desktop, nothing happens, no egg timer or anything. I uninstalled, then downloaded the setup file and reinstalled again, and the problem persists. Here are the 2 logs you asked for though:

    GooredFix v1.92 by jpshortstuff
    Log created at 13:23 on 14/03/2009 running Option #1 (Tom Catalano)
    Firefox version 3.0.7 (en-US)

    =====Suspect Goored Entries=====

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
    "Plugins "= "C:\Program Files\Mozilla Firefox\plugins "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
    "Components "= "C:\Program Files\Mozilla Firefox\components "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com "= "C:\Program Files\Java\jre6\lib\deploy\jqs\ff "







    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:29:11 PM, on 3/14/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: NameServer = 85.255.112.26,85.255.112.73
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.26,85.255.112.73
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 4311 bytes
     
  5. 2009/03/15
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    Save these instructions to WordPad/Notepad or print them out, as some of the fix will have all windows closed, and this will help you complete all the necessary steps.



    Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.


    Double-click on SmitfraudFix.exe to start the tool.
    Select option #3 - Delete Trusted zone by typing 3 and pressing Enter
    Answer Yes to the question "Restore Trusted Zone ?" by typing Yes and pressing Enter


    Notes

    1. If you use SpywareBlaster and/or IE-SPYAD it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
    2. As many of the variants of Smitfraud have begun invading the Hosts file, this tool will reset your Hosts file as a necessary precaution. You will also have to reset any specific modifications you may require such as Hosts MVPS.


    NEXT**
    Open the SmitfraudFix folder again on your desktop

    Select option #5 - "Search and Clean DNS Hijack" by typing 5 and pressing "Enter" to delete the rogue settings.

    Follow the prompts and reboot if asked to do so.



    NEXT**
    Delete Malwarebytes again.
    Download again except this time when saving to desktop I want you to rename it.
    Instead of Malwarebytes' Anti-Malware.exe, Rename it to Malwarebytes' Anti-Malware.com

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html


    In your next reply post:
    Smitfraud rapport.txt
    Malwarebytes' Anti-Malware log
    New HJT log
     
    Last edited: 2009/03/15
  6. 2009/03/15
    tcatalano

    tcatalano Inactive Thread Starter

    Joined:
    2009/03/10
    Messages:
    8
    Likes Received:
    0
    Alright, so here is the new set of logs. I ran SmitfraudFix as you said and got this:

    SmitFraudFix v2.403

    Scan done at 11:22:27.91, Sun 03/15/2009
    Run from C:\Documents and Settings\Tom Catalano\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

    Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

    Description: Intel(R) PRO/1000 PL Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 85.255.112.26
    DNS Server Search Order: 85.255.112.73

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: DhcpNameServer=24.92.226.40 24.92.226.41
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: NameServer=85.255.112.26,85.255.112.73
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: DhcpNameServer=24.92.226.40 24.92.226.41
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: NameServer=85.255.112.26,85.255.112.73
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: DhcpNameServer=24.92.226.40 24.92.226.41
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: NameServer=85.255.112.26,85.255.112.73
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.40 24.92.226.41
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.26,85.255.112.73
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.40 24.92.226.41
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.26,85.255.112.73
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.40 24.92.226.41
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.112.26,85.255.112.73

    »»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix


    I thought it was odd that it didn't say anything for DNS After Fix, so I ran choice 5 again and got this:


    SmitFraudFix v2.403

    Scan done at 11:24:11.89, Sun 03/15/2009
    Run from C:\Documents and Settings\Tom Catalano\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

    Description: Intel(R) PRO/1000 PL Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 24.92.226.40
    DNS Server Search Order: 24.92.226.41

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: DhcpNameServer=24.92.226.40 24.92.226.41

    »»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

    Description: Intel(R) PRO/1000 PL Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 24.92.226.40
    DNS Server Search Order: 24.92.226.41

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: DhcpNameServer=24.92.226.40 24.92.226.41



    In hindsight, I probably shouldn't have messed with it, I hope I didn't make it worse.


    Here's the other two logs:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:38:03 AM, on 3/15/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\svchost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 4466 bytes





    Malwarebytes' Anti-Malware 1.34
    Database version: 1749
    Windows 5.1.2600 Service Pack 2

    3/15/2009 11:34:35 AM
    mbam-log-2009-03-15 (11-34-35).txt

    Scan type: Quick Scan
    Objects scanned: 58742
    Time elapsed: 2 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-8-5-23-100020928-100008100-100017811-4554.com (Trojan.Agent) -> Quarantined and deleted successfully.
     
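    The check that SmitfraudFix option 5 performs on the NameServer values shown in the logs above, written out as an added Python example (not a tool from this thread or from S!Ri): it parses HijackThis O17 lines and SmitfraudFix-style registry dump lines, flags any key whose static NameServer differs from the DHCP-assigned DhcpNameServer, and flags resolvers inside the 85.255.x.x range the tool reports. The sample lines, the 85.255.0.0/16 network and all function names are constructed for the example.

```python
"""
Detect statically-overridden DNS resolvers in HijackThis O17 lines and
SmitfraudFix-style registry dumps. Added example, not code from the thread.

Two indicators, both visible in the thread's logs: a per-key NameServer value
that differs from the DhcpNameServer value the ISP handed out, and resolvers
in the 85.255.x.x range that SmitfraudFix itself reports as a DNS hijack.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on the HJT and SmitfraudFix output above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: NameServer = 85.255.112.26,85.255.112.73
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B0CE2EC1-B01B-4645-9A5A-65219065A531}: DhcpNameServer=24.92.226.40 24.92.226.41
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.26,85.255.112.73
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.40 24.92.226.41
"""

# Range reported as "DNS Hijack: 85.255.x.x" in the thread; assumed /16 for the example.
KNOWN_BAD_RANGES = [ipaddress.ip_network("85.255.0.0/16")]

# Matches both "O17 - HKLM\...: NameServer = a,b" and "HKLM\...: DhcpNameServer=a b".
LINE_RE = re.compile(
    r"^(?:O17 - )?(?P<key>HKLM\\[^:]+):\s*(?P<name>DhcpNameServer|NameServer)\s*=\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def parse_servers(value: str) -> list[str]:
    """Split a NameServer-style value ("a,b" or "a b") into valid IP strings."""
    servers: list[str] = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # skip garbage tokens instead of failing on a messy log
    return servers


def parse_log(text: str) -> dict[str, dict[str, list[str]]]:
    """Group NameServer / DhcpNameServer values per registry key (key matched case-insensitively)."""
    entries: dict[str, dict[str, list[str]]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key").upper()
        name = "DhcpNameServer" if m.group("name").lower() == "dhcpnameserver" else "NameServer"
        entries.setdefault(key, {})[name] = parse_servers(m.group("value"))
    return entries


@dataclass
class Finding:
    key: str
    static_servers: list[str]
    dhcp_servers: list[str]
    reasons: list[str] = field(default_factory=list)


def analyze(text: str) -> list[Finding]:
    """Return one Finding per registry key whose static resolvers look hijacked."""
    findings: list[Finding] = []
    for key, values in parse_log(text).items():
        static = values.get("NameServer", [])
        dhcp = values.get("DhcpNameServer", [])
        if not static:
            continue  # empty NameServer: DHCP-assigned resolvers are in use, nothing to flag
        reasons: list[str] = []
        if dhcp and set(static) != set(dhcp):
            reasons.append("static NameServer overrides the DHCP-assigned servers")
        bad = [ip for ip in static
               if any(ipaddress.ip_address(ip) in net for net in KNOWN_BAD_RANGES)]
        if bad:
            reasons.append("resolver(s) in known hijack range: " + ", ".join(bad))
        if reasons:
            findings.append(Finding(key, static, dhcp, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.key)
        for reason in f.reasons:
            print("  -", reason)
```

A HijackThis-only log carries no DhcpNameServer line, so on such input only the range check can fire; the cure SmitfraudFix applies, as the second run above shows, is clearing the static value so the DHCP servers take over again.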
  7. 2009/03/15
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back


    Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
    This will change from what we know in 2006; read this article:
    http://www.clickz.com/news/article.php/3561546
    Additional info: http://vil.nai.com/vil/content/v_137262.htm
    A side note about AIM Messenger, AOL user's and Viewpoint Manager. Viewpoint is one of the graphic engines that AOL uses and it is bundled with the application.
    If you continue to use AIM Messenger, it would likely be reinstalled. Or if you receive some of the AOL E-cards it may ask you to download and run this program to view and run the graphics in E-cards.

    Your call
    Go to Start > Settings > Control Panel > Add/Remove Programs and remove the
    following programs if present:

    Viewpoint
    Viewpoint Manager
    Viewpoint Media Player



    Before we take any other steps, how is the computer now?
     
  8. 2009/03/17
    tcatalano

    tcatalano Inactive Thread Starter

    Joined:
    2009/03/10
    Messages:
    8
    Likes Received:
    0
    When I click links in Google the links are still redirecting, even though I uninstalled all the Viewpoint programs and rebooted.
     
  9. 2009/03/17
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3



    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a DDS log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  10. 2009/03/17
    tcatalano

    tcatalano Inactive Thread Starter

    Joined:
    2009/03/10
    Messages:
    8
    Likes Received:
    0
    My google links aren't being redirected anymore!!!

    Thank you so much for your time and devotion, I think it's great that you help people you have never met and probably never will. Your posts with the different colors of text were also useful. The single most helpful thing was your simply perfect directions, when I downloaded each program you had a step by step tutorial that used nearly the exact words that each program uses.

    One suggestion though:
    You asked me to rename Malwarebytes, so I renamed the shortcut and that obviously didn't work. So I realized that I have to go to the actual .exe and change that name. So in the future, you might want to say something like this?

    1. Right click the shortcut and go to properties.
    2. Follow the path where it says "Target", and rename that file.

    Just a suggestion, I think it will make it that much easier for some people that might not have known what to do there.

    You have been nothing but kind and helpful, Thanks again.


    I don't see any more problems with my computer, but here's the combofix log anyway.

    ComboFix 09-03-15.01 - Tom Catalano 2009-03-17 23:08:02.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.763 [GMT -4:00]
    Running from: c:\documents and settings\Tom Catalano\Desktop\Comb-Fix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\404Fix.exe
    c:\windows\system32\Agent.OMZ.Fix.exe
    c:\windows\system32\drivers\gaopdxdojpsopsuvptaosvnobiymxrguhkjxdo.sys
    c:\windows\system32\drivers\gaopdxtakvstjlqbuyavdyxvqmixbeplhrmqvt.sys
    c:\windows\system32\drivers\gaopdxtfmskuwktaxxnkeqhopabdieewfogwmd.sys
    c:\windows\system32\drivers\gaopdxvbuyfvkilxrrdhashborudoyksrrjkxt.sys
    c:\windows\system32\dumphive.exe
    c:\windows\system32\e1000msg.dll
    c:\windows\system32\gaopdxcounter
    c:\windows\system32\gaopdxpeynyqlkxjcuunjcjsnqgdiplrsmjerl.dll
    c:\windows\system32\IEDFix.C.exe
    c:\windows\system32\IEDFix.exe
    c:\windows\system32\o4Patch.exe
    c:\windows\system32\Process.exe
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\VACFix.exe
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WS2Fix.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_gaopdxserv.sys


    ((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
    .

    2009-03-15 11:31 . 2009-03-15 11:31 <DIR> d-------- c:\documents and settings\Tom Catalano\Application Data\Malwarebytes
    2009-03-15 11:28 . 2009-03-15 11:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-15 11:28 . 2009-03-15 11:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-15 11:28 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-15 11:28 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-14 20:43 . 2009-03-14 20:44 <DIR> d-------- c:\program files\SXS Sniffer
    2009-03-14 13:29 . 2009-03-14 13:29 <DIR> d-------- c:\program files\Alwil Software
    2009-03-14 13:29 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
    2009-03-11 21:44 . 2009-03-11 21:44 <DIR> d-------- c:\program files\VideoLAN
    2009-03-11 21:44 . 2009-03-11 21:46 <DIR> d-------- c:\documents and settings\Tom Catalano\Application Data\vlc
    2009-03-10 21:04 . 2009-03-10 21:04 <DIR> d-------- c:\program files\IObit
    2009-03-10 21:04 . 2009-03-10 21:15 <DIR> d-------- c:\documents and settings\Tom Catalano\Application Data\IObit
    2009-03-10 18:18 . 2009-03-10 18:18 <DIR> d-------- C:\!KillBox
    2009-03-10 04:21 . 2009-03-17 15:54 69 --a------ c:\windows\NeroDigital.ini
    2009-03-10 03:57 . 2009-03-10 03:57 <DIR> d-------- c:\documents and settings\Tom Catalano\Application Data\Nero
    2009-03-10 03:52 . 2009-03-10 03:52 <DIR> d-------- c:\program files\Nero
    2009-03-10 03:52 . 2009-03-10 03:55 <DIR> d-------- c:\program files\Common Files\Nero
    2009-03-10 03:52 . 2009-03-10 03:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
    2009-03-10 03:00 . 2009-03-10 03:00 <DIR> d-------- c:\program files\NOS
    2009-03-10 03:00 . 2009-03-10 03:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
    2009-03-10 02:13 . 2009-03-10 02:13 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2009-03-08 12:59 . 2009-03-08 12:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
    2009-03-08 12:13 . 2009-03-08 12:13 <DIR> d-------- c:\program files\PowerISO
    2009-03-08 11:58 . 2009-03-08 11:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-03-08 11:54 . 2009-03-08 11:54 <DIR> d-------- c:\program files\Bonjour
    2009-03-08 11:49 . 2009-03-08 11:49 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
    2009-03-08 10:52 . 2009-03-11 22:27 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-08 10:52 . 2009-03-11 22:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-08 10:49 . 2009-03-08 10:49 <DIR> d-------- c:\program files\Trend Micro
    2009-03-08 10:12 . 2009-03-08 10:12 <DIR> d-------- c:\program files\Microsoft Works
    2009-03-08 10:11 . 2009-03-08 10:11 <DIR> d-------- c:\program files\Microsoft.NET
    2009-03-08 10:10 . 2009-03-08 10:10 <DIR> d-------- c:\windows\SHELLNEW
    2009-03-08 10:09 . 2009-03-08 10:09 <DIR> dr-h----- C:\MSOCache
    2009-03-08 10:09 . 2009-03-08 10:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-03-07 22:20 . 2009-03-07 22:20 <DIR> d-------- c:\windows\system32\LogFiles
    2009-03-07 20:41 . 2009-03-07 20:41 <DIR> d-------- c:\program files\QuickWatch
    2009-03-07 20:34 . 2009-03-07 20:34 <DIR> d-------- c:\program files\Virtual Audio Cable
    2009-03-07 20:34 . 2009-03-07 20:34 50,944 --a------ c:\windows\system32\drivers\vrtaucbl.sys
    2009-03-07 16:57 . 2009-03-10 01:56 <DIR> d-------- c:\program files\Common Files\Adobe
    2009-03-07 16:39 . 2009-03-07 16:39 <DIR> d--h----- c:\windows\PIF
    2009-03-07 01:00 . 2009-03-07 01:00 <DIR> d-------- c:\program files\Xvid
    2009-03-07 01:00 . 2008-04-27 11:33 765,952 --a------ c:\windows\system32\xvidcore.dll
    2009-03-07 01:00 . 2008-04-27 11:35 180,224 --a------ c:\windows\system32\xvidvfw.dll
    2009-03-07 01:00 . 2007-06-28 19:55 77,824 --a------ c:\windows\system32\xvid.ax
    2009-03-06 21:31 . 2009-03-06 21:31 <DIR> d-------- c:\windows\system32\Adobe
    2009-03-06 21:31 . 2009-01-16 19:34 499,712 --a------ c:\windows\system32\msvcp71.dll
    2009-03-06 21:20 . 2009-03-16 14:36 <DIR> d-------- c:\program files\SwiftKit
    2009-03-06 21:20 . 2009-03-06 21:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\SwiftKit
    2009-03-06 21:08 . 2009-03-06 21:08 <DIR> d-------- c:\windows\.mpr_file_store_32
    2009-03-06 21:08 . 2009-03-15 00:02 664 --a------ c:\windows\system32\d3d9caps.dat
    2009-03-06 20:58 . 2009-03-17 18:12 <DIR> d-------- c:\program files\Viewpoint
    2009-03-06 20:58 . 2009-03-06 20:58 <DIR> d-------- c:\documents and settings\Tom Catalano\Application Data\acccore
    2009-03-06 20:58 . 2009-03-17 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
    2009-03-06 20:58 . 2009-03-06 20:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
    2009-03-06 20:58 . 2009-03-06 20:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
    2009-03-06 20:58 . 2009-03-06 20:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
    2009-03-06 20:57 . 2009-03-06 20:57 <DIR> d-------- c:\program files\Common Files\AOL
    2009-03-06 20:55 . 2009-03-06 20:58 <DIR> d-------- c:\program files\AIM6
    2009-03-06 20:55 . 2009-03-07 16:38 <DIR> d-------- c:\documents and settings\Tom Catalano\Application Data\Ventrilo
    2009-03-06 20:55 . 2009-03-06 20:58 446 --ah----- C:\IPH.PH
    2009-03-06 18:09 . 2009-03-06 18:09 <DIR> d-------- c:\documents and settings\Tom Catalano\Application Data\Media Player Classic
    2009-03-06 18:08 . 2004-01-11 18:00 348,160 --a------ c:\windows\system32\msvcr71.dll
    2009-03-06 16:49 . 2009-03-06 16:49 <DIR> d-------- c:\program files\Ventrilo
    2009-03-06 16:49 . 2009-03-06 16:49 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-03-06 16:49 . 2009-03-06 16:49 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2009-03-06 16:44 . 2009-03-06 16:44 <DIR> d-------- c:\program files\uTorrent
    2009-03-06 16:44 . 2009-03-16 18:04 <DIR> d-------- c:\documents and settings\Tom Catalano\Application Data\uTorrent
    2009-03-06 16:20 . 2009-03-17 18:22 34 --a------ c:\documents and settings\Tom Catalano\jagex_runescape_preferences.dat
    2009-03-06 16:19 . 2009-03-06 16:19 <DIR> d-------- c:\windows\Sun
    2009-03-06 16:19 . 2009-03-08 22:44 <DIR> d-------- c:\windows\.jagex_cache_32
    2009-03-06 16:15 . 2009-03-06 16:15 <DIR> d-------- c:\program files\Java
    2009-03-06 16:15 . 2009-03-06 16:15 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-03-06 16:15 . 2009-03-06 16:15 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-03-06 16:13 . 2009-03-06 16:13 0 --a------ c:\windows\nsreg.dat
    2009-03-06 16:11 . 2003-11-03 20:15 1,902 --------- c:\windows\system32\SetupBD.din
    2009-03-06 16:10 . 2009-03-06 16:11 <DIR> d-------- C:\drvrtmp
    2009-03-06 16:10 . 2009-03-06 16:10 <DIR> d---s---- c:\documents and settings\Tom Catalano\UserData
    2009-03-06 16:10 . 2005-03-31 18:04 180,736 --a------ c:\windows\system32\drivers\e1e5132.sys
    2009-03-06 16:10 . 2005-03-09 17:22 126,976 --a------ c:\windows\system32\Prounstl.exe
    2009-03-06 16:10 . 2005-03-08 19:26 23,040 --a------ c:\windows\system32\IntelNic.dll
    2009-03-06 16:10 . 2005-03-10 12:49 17,408 --a------ c:\windows\system32\EtCoInst.dll
    2009-03-06 16:10 . 2004-12-07 14:26 2,740 --a------ c:\windows\system32\e1e5132.din
    2009-03-06 15:51 . 2004-08-04 00:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
    2009-03-06 08:03 . 2005-06-28 19:43 46,592 --------- c:\windows\system32\drivers\irbus.sys
    2009-03-06 08:03 . 2005-06-28 19:43 19,200 --------- c:\windows\system32\drivers\hidir.sys
    2009-03-06 08:02 . 2009-03-06 08:02 <DIR> d-------- C:\33b9a3317f2fcc9284e53a4b
    2009-03-06 08:02 . 2005-02-24 14:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
    2009-03-06 08:01 . 2009-03-06 08:01 <DIR> d-------- c:\windows\system32\URTTemp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-06 04:26 --------- d-----w c:\program files\microsoft frontpage
    2009-03-06 04:21 --------- d-----w c:\program files\Windows Plus
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6 "= "c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-03-06 148888]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "NeroFilterCheck "= "c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "NBKeyScan "= "c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "enablefirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\system32\\mmc.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=

    R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-03-07 50944]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-10 33752]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Tom Catalano\Application Data\Mozilla\Firefox\Profiles\bhmh1ey9.default\
    FF - prefs.js: browser.startup.homepage - google.com
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-17 23:10:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-03-17 23:11:14
    ComboFix-quarantined-files.txt 2009-03-18 03:11:08

    Pre-Run: 172,186,324,992 bytes free
    Post-Run: 172,549,345,280 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Windows XP Media Center Edition" /noexecute=optin /fastdetect

     
    Last edited: 2009/03/17
  11. 2009/03/18
    Juliet

    Juliet Well-Known Member

    Welcome back
    You're very welcome
    I must have been poor at explaining how to do that.
    I actually wanted it renamed as the new install was being saved to desktop.


    Logs are looking better, just a tiddle bit left to do.


    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
      Click on: Save Report As
      Next, in the Save as prompt, Save in area, select: Desktop
      In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
      Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note: for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run



    You may need several replies to post the requested logs, otherwise they might get cut off.

    Please give me an update on how the computer is at the moment
     
  12. 2009/03/18
    tcatalano

    tcatalano Inactive Thread Starter

    I don't see any problems with the computer right now. When I try to stream video it works slower than usual, but I don't know if that's related.



    I didn't know how to post this log so I copied all the text from the .html:



    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, March 18, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, March 18, 2009 20:32:33
    Records in database: 1930143
    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes
    Scan area My Computer
    C:\
    D:\
    E:\
    Scan statistics
    Files scanned 112152
    Threat name 2
    Infected objects 2
    Suspicious objects 0
    Duration of the scan 01:41:35

    File name Threat name Threats count
    C:\Documents and Settings\Tom Catalano\My Documents\Downloads\Virtual DJ 5.2 Pro +Add-On Pack\VDJ Pro 5.2.exe Infected: Trojan-Downloader.Win32.VB.kzu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\gaopdxpeynyqlkxjcuunjcjsnqgdiplrsmjerl.dll.vir Infected: Trojan-Spy.Win32.Small.cbd 1
    The selected area was scanned.






    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:29:39 PM, on 3/18/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

    --
    End of file - 3830 bytes
     
  13. 2009/03/19
    Juliet

    Juliet Well-Known Member

    I apologize for the late reply, I didn't receive email notification.


    We're at the end now.

    Kaspersky found an infected application/file that needs to go.


    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck- Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

    C:\Documents and Settings\Tom Catalano\My Documents\Downloads\Virtual DJ 5.2 Pro +Add-On Pack\VDJ Pro 5.2.exe <--delete this file
    If the above file is associated with hacked or cracked software, we do not approve of nor support illegal software.



    NEXT**
    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    (Description: Adobe reader startup - unnecessarily uses system resources.)



    Now please reboot your computer to set the registry.


    Before we give instructions to do final clean up, please post once more and let me know how the computer is at the moment.
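As an added example (not code from this thread, from HijackThis or from ComboFix), the Python below cross-checks the Run-key autostarts in the ComboFix "Reg Loading Points" section posted on 3/17 against the O4 lines of the HijackThis log posted on 3/18, which is the comparison a helper makes by eye before deciding which O4 entries to "fix checked". The two logs are embedded as trimmed, constructed sample input; the regexes are written to tolerate the stray spaces inside the quoted names and paths exactly as the forum rendered them.

```python
"""Cross-check autostart entries between a ComboFix 'Reg Loading Points'
section and a HijackThis log, in the formats posted in this thread."""
import re

# Constructed sample input: trimmed copies of the two logs posted above
# (ComboFix 2009-03-17 Run keys; HijackThis 2009-03-18 O4 lines).
COMBOFIX_RUN = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6 "= "c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray "= "c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-03-06 148888]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NeroFilterCheck "= "c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan "= "c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"""

HJT_LOG = r"""O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

_KEY_RE = re.compile(r'^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\.*\\Run\]$')
# Tolerates the 'name "= "path"' spacing the forum produced.
_VALUE_RE = re.compile(r'^"(.+?)\s*"\s*=\s*"(.+?)\s*"')
_HJT_O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def _norm(path):
    """Case-insensitive, whitespace-trimmed path for comparison."""
    return path.strip().casefold()


def parse_combofix_run(text):
    """Return {(hive, name): path} for the Run keys of a ComboFix log."""
    entries, hive = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):            # a new key: only Run keys count
            key = _KEY_RE.match(line)
            hive = _HIVES[key.group(1)] if key else None
            continue
        val = _VALUE_RE.match(line)
        if val and hive:
            entries[(hive, val.group(1).strip().casefold())] = _norm(val.group(2))
    return entries


def parse_hjt_o4(text):
    """Return {(hive, name): path} for the O4 Run lines of a HijackThis log."""
    entries = {}
    for line in text.splitlines():
        m = _HJT_O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.groups()
        cmd = cmd.strip()
        if cmd.startswith('"'):             # quoted path, maybe followed by args
            end = cmd.find('"', 1)
            path = cmd[1:end] if end > 0 else cmd[1:]
        else:                               # unquoted: keep up to and including .exe
            exe = cmd.casefold().find(".exe")
            path = cmd[:exe + 4] if exe >= 0 else cmd
        entries[(hive, name.strip().casefold())] = _norm(path)
    return entries


def compare_autostarts(combofix_text, hjt_text):
    """Diff the two snapshots: entries dropped, added, or re-pointed."""
    before, after = parse_combofix_run(combofix_text), parse_hjt_o4(hjt_text)
    return {
        "only_in_combofix": sorted(k for k in before if k not in after),
        "only_in_hjt": sorted(k for k in after if k not in before),
        "path_changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def outside_standard_dirs(entries):
    """Autostart targets outside Program Files or the Windows directory;
    in a triage these are the entries worth reading first."""
    ok = ("c:\\program files\\", "c:\\windows\\")
    return sorted(k for k, p in entries.items() if not p.startswith(ok))
```

On the sample above the only difference is the HKCU Aim6 entry, present in the ComboFix snapshot and gone from the HijackThis one, and no Run target lies outside the standard directories.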
     
  14. 2009/03/19
    tcatalano

    tcatalano Inactive Thread Starter

    I didn't see any problems before, and I still don't. Everything seems to be running smoothly.
     
  15. 2009/03/19
    Juliet

    Juliet Well-Known Member

    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
    Example below (screenshot image not preserved)


    You can uninstall/delete any other tools or scanners I had you install and use.




    You're good to go, good job!





    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates " for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 2, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
  16. 2009/03/20
    tcatalano

    tcatalano Inactive Thread Starter

    Thanks again, you really have been great!
     
  17. 2009/03/20
    Juliet

    Juliet Well-Known Member

    Glad we could help.
     