
Solved homepage keeps changing to bing.zugo.com

Discussion in 'Malware and Virus Removal Archive' started by gideon01, 2010/03/21.

  1. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    Joined:
    2010/03/21
    Messages:
    67
    Likes Received:
    0
    [Resolved] homepage keeps changing to bing.zugo.com

    I just reinstalled Windows XP; in one of the Windows updates that I installed I got the Bing toolbar.
    I uninstalled the toolbar with CCleaner but my home page keeps changing to bing.zugo every time I open any of my internet browsers. I use Firefox, my wife uses Explorer 8.

    I ran Spybot, ComboFix, Malwarebytes and all say that they remove it after the scan, but when I open a browser it changes my homepage to bing.zugo, even after I reboot after a scan.

    My antivirus that I use is AVG; a scan with that also says it removes it but it's still there when I open a browser.

    Anyone got any ideas on how to get rid of this?

    I posted a ComboFix log and the other DDS log but it said a mod had to approve those before it would be shown?
     
    Last edited: 2010/03/21
  2. 2010/03/21
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    Hi gideon01, welcome to WindowsBBS

    As indicated at the start of this forum, please *** READ THIS BEFORE POSTING IN THIS FORUM *** then post the requested logs in this thread.

    NOTES:
    When posting the logs ensure word wrap is switched off (in notepad Uncheck Format->Word Wrap) as this makes them difficult to read.

    Be aware that only Malware analysts will advise and they are often busy. Your post will be taken on a first come first served basis but it may take a while before you receive a reply.
     


  4. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    Joined:
    2010/03/21
    Messages:
    67
    Likes Received:
    0
    logs inc

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/20/2010 11:49:48 PM
    System Uptime: 3/21/2010 5:40:01 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0J3492
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 128.753 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 3/20/2010 11:52:40 PM - System Checkpoint
    RP2: 3/20/2010 11:56:22 PM - Installed SoundMAX
    RP3: 3/20/2010 11:56:26 PM - Installed SoundMAX
    RP4: 3/20/2010 11:58:17 PM - Installed Broadcom Gigabit Integrated Controller
    RP5: 3/20/2010 10:59:34 PM - Installed Java 2 Runtime Environment, SE v1.4.2_03
    RP6: 3/20/2010 11:00:13 PM - Installed Broadcom Advanced Control Suite 2
    RP7: 3/20/2010 11:04:32 PM - Software Distribution Service 3.0
    RP8: 3/20/2010 11:13:06 PM - Software Distribution Service 3.0
    RP9: 3/20/2010 11:33:41 PM - Software Distribution Service 3.0
    RP10: 3/20/2010 11:58:40 PM - Installed AVG Free 9.0
    RP11: 3/21/2010 12:08:46 AM - Software Distribution Service 3.0
    RP12: 3/21/2010 1:18:57 AM - Installed iTunes
    RP13: 3/21/2010 1:22:57 AM - Installed EverQuest II
    RP14: 3/21/2010 8:36:28 AM - Avg8 Update
    RP15: 3/21/2010 8:37:49 AM - Avg Update

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG Free 9.0
    Bonjour
    Broadcom Advanced Control Suite 2
    Broadcom Gigabit Integrated Controller
    CCleaner
    Dell ResourceCD
    EverQuest II
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Intel Application Accelerator
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 16
    LimeWire PRO 5.4.8
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.6)
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    QuickTime
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    SoundMAX
    Spybot - Search & Destroy
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB978506)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB978207)
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    WinRAR archiver
    WinSCP 4.2.7

    ==== Event Viewer Messages From Past Week ========

    3/21/2010 5:40:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde

    ==== End Of File ===========================
     
  5. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    Joined:
    2010/03/21
    Messages:
    67
    Likes Received:
    0
    more logs

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by home at 17:41:48.31 on Sun 03/21/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1482 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\home\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\search toolbar\tbcore3.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\lkk0n11m.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://bing.zugo.com/?cfg=2-80-0-CIZV
    FF - prefs.js: keyword.URL - hxxp://bing.zugo.com/s/?src=FF-Address&site=Bing&cfg=2-80-0-CIZV&q=
    FF - component: c:\program files\mozilla firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}\components\--_4f_71L.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - c:\program files\mozilla firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}

    ---- FIREFOX POLICIES ----
    FF - user.js: google.toolbar.linkdoctor.enabled - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-20 216200]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-20 29512]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-20 242696]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-21 916760]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-21 308064]

    =============== Created Last 30 ================

    2010-03-21 19:41:06 0 d-sha-r- C:\cmdcons
    2010-03-21 19:39:36 98816 ----a-w- c:\windows\sed.exe
    2010-03-21 19:39:36 77312 ----a-w- c:\windows\MBR.exe
    2010-03-21 19:39:36 261632 ----a-w- c:\windows\PEV.exe
    2010-03-21 19:39:36 161792 ----a-w- c:\windows\SWREG.exe
    2010-03-21 19:39:29 0 d-----w- C:\ComboFix
    2010-03-21 18:41:29 0 d-----w- c:\docume~1\home\applic~1\Malwarebytes
    2010-03-21 18:41:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-21 18:41:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-03-21 18:41:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-21 18:41:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-21 12:37:42 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-21 07:19:17 0 d-----w- c:\windows\pss
    2010-03-21 07:02:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Toolbar4
    2010-03-21 06:38:55 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-03-21 06:38:55 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-03-21 06:38:55 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-03-21 06:38:54 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-03-21 06:25:24 0 d-----w- c:\program files\WinSCP
    2010-03-21 06:21:19 0 d-----w- c:\docume~1\home\applic~1\Windows Search
    2010-03-21 06:17:20 0 d-----w- c:\docume~1\home\applic~1\LimeWire
    2010-03-21 06:16:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-03-21 06:16:45 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-03-21 06:16:17 0 d-----w- c:\program files\LimeWire
    2010-03-21 05:22:58 0 d-----w- c:\program files\Sony
    2010-03-21 05:22:10 0 d-----w- c:\program files\common files\SWF Studio
    2010-03-21 05:19:23 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-03-21 05:19:23 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-03-21 05:19:03 0 d-----w- c:\program files\iPod
    2010-03-21 05:19:00 0 d-----w- c:\program files\iTunes
    2010-03-21 05:19:00 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2010-03-21 05:18:49 0 d-----w- c:\program files\Bonjour
    2010-03-21 05:18:14 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2010-03-21 05:18:14 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-03-21 04:04:19 0 d-----w- c:\program files\Yahoo!
    2010-03-21 04:04:11 0 d-----w- c:\program files\CCleaner
    2010-03-21 03:58:41 0 d-----w- c:\program files\AVG
    2010-03-21 03:58:41 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2010-03-21 03:58:21 0 d-----w- c:\program files\Broadcom
    2010-03-21 03:56:26 0 d-----w- c:\program files\Analog Devices
    2010-03-21 03:55:41 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-21 03:55:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-03-21 03:47:32 0 d-sh--w- c:\documents and settings\all users\DRM
    2010-03-21 03:47:19 0 d--h--w- c:\program files\WindowsUpdate
    2010-03-21 03:46:31 0 d-----w- c:\program files\common files\MSSoap
    2010-03-21 03:46:23 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
    2010-03-21 03:46:19 0 d-----w- c:\program files\NVIDIA Corporation
    2010-03-21 03:45:39 0 d-----w- c:\program files\Online Services
    2010-03-21 03:45:37 0 d-----w- c:\program files\Messenger
    2010-03-21 03:45:30 0 d-----w- c:\program files\MSN Gaming Zone
    2010-03-21 03:44:53 0 d-----w- c:\program files\Windows NT
    2010-03-21 03:36:13 0 d-----w- c:\docume~1\home\applic~1\Windows Desktop Search
    2010-03-21 03:35:56 0 d-----w- c:\program files\Windows Desktop Search
    2010-03-21 03:35:19 0 d-----w- c:\program files\Windows Media Connect 2
    2010-03-20 22:42:22 0 d-----w- c:\program files\common files\ODBC
    2010-03-20 22:42:19 0 d-----w- c:\program files\common files\SpeechEngines
    2010-03-20 22:41:57 0 d-----r- c:\documents and settings\all users\Documents

    ==================== Find3M ====================

    2010-03-21 12:37:44 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-21 12:37:10 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-21 03:45:55 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-03-18 19:04:38 496128 ----a-w- c:\windows\system32\setupv.exe
    2010-02-18 09:34:16 1273856 ----a-w- c:\windows\system32\A7xidBuk_-0UPM.dll
    2010-01-12 17:03:34 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-01-12 17:03:34 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-01-12 17:03:34 4104192 ----a-w- c:\windows\system32\nvcuda.dll
    2010-01-12 17:03:34 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-01-12 17:03:34 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2010-01-12 17:03:34 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-01-12 17:03:34 182888 ----a-w- c:\windows\system32\nvcodins.dll
    2010-01-12 17:03:34 182888 ----a-w- c:\windows\system32\nvcod.dll
    2010-01-12 17:03:34 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-01-12 17:03:34 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-01-12 17:03:34 1081344 ----a-w- c:\windows\system32\nvapi.dll
    2010-01-12 03:17:44 278120 ----a-w- c:\windows\system32\nvmccs.dll
    2010-01-12 03:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-01-12 03:17:44 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-01-12 03:17:44 13666408 ----a-w- c:\windows\system32\nvcpl.dll
    2010-01-12 03:17:44 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-01-12 03:17:40 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll

    ============= FINISH: 17:42:34.93 ===============
     
  6. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    Joined:
    2010/03/21
    Messages:
    67
    Likes Received:
    0
    Don't know if it will help, here is the ComboFix log

    ComboFix 10-03-20.06 - home 03/21/2010 15:41:58.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1403 [GMT -4:00]
    Running from: c:\documents and settings\home\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\basis.xml
    c:\program files\Search Toolbar\bg.bmp
    c:\program files\Search Toolbar\bing_logo.png
    c:\program files\Search Toolbar\celebrity.png
    c:\program files\Search Toolbar\drop_images.png
    c:\program files\Search Toolbar\drop_maps.png
    c:\program files\Search Toolbar\drop_news.png
    c:\program files\Search Toolbar\drop_videos.png
    c:\program files\Search Toolbar\drop_web.png
    c:\program files\Search Toolbar\facebook.png
    c:\program files\Search Toolbar\favicon.png
    c:\program files\Search Toolbar\games.png
    c:\program files\Search Toolbar\hotmail.png
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\images.png
    c:\program files\Search Toolbar\include.xml
    c:\program files\Search Toolbar\info.txt
    c:\program files\Search Toolbar\lifestyle.png
    c:\program files\Search Toolbar\maps.png
    c:\program files\Search Toolbar\messenger.png
    c:\program files\Search Toolbar\msn.png
    c:\program files\Search Toolbar\news.png
    c:\program files\Search Toolbar\SearchToolbar.dll
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\tbcore3.dll
    c:\program files\Search Toolbar\tbhelper.dll
    c:\program files\Search Toolbar\twitter.png
    c:\program files\Search Toolbar\uninstall.exe
    c:\program files\Search Toolbar\update.exe
    c:\program files\Search Toolbar\version.txt
    c:\program files\Search Toolbar\video.png
    c:\program files\Search Toolbar\videos.png
    c:\program files\Search Toolbar\weather.png
    c:\program files\Search Toolbar\web.png
    c:\windows\system32\C1m_1vze-6w.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
    .

    2010-03-21 18:41 . 2010-03-21 18:41 -------- d-----w- c:\documents and settings\home\Application Data\Malwarebytes
    2010-03-21 18:41 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-21 18:41 . 2010-03-21 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-21 18:41 . 2010-03-21 18:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-21 18:41 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-21 12:37 . 2010-03-21 12:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-21 07:06 . 2010-03-21 07:06 0 ----a-w- c:\windows\nsreg.dat
    2010-03-21 07:05 . 2010-03-21 07:05 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Mozilla
    2010-03-21 07:02 . 2010-03-21 07:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Toolbar4
    2010-03-21 07:02 . 2010-01-27 02:04 60592 ----a-w- c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\update.exe
    2010-03-21 07:02 . 2010-01-27 02:04 46256 ----a-w- c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\uninstall.exe
    2010-03-21 06:38 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-03-21 06:38 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-03-21 06:38 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-03-21 06:38 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-03-21 06:25 . 2010-03-21 06:25 -------- d-----w- c:\program files\WinSCP
    2010-03-21 06:21 . 2010-03-21 06:21 -------- d-----w- c:\documents and settings\home\Application Data\Windows Search
    2010-03-21 06:16 . 2010-03-21 06:16 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-03-21 06:16 . 2010-03-21 06:16 152576 ----a-w- c:\documents and settings\home\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
    2010-03-21 06:16 . 2010-03-21 06:16 -------- d-----w- c:\program files\LimeWire
    2010-03-21 05:22 . 2010-03-21 05:22 -------- d-----w- c:\program files\Sony
    2010-03-21 05:22 . 2010-03-21 05:22 -------- d-----w- c:\program files\Common Files\SWF Studio
    2010-03-21 05:20 . 2010-03-21 05:20 13104 ----a-w- c:\documents and settings\home\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-21 05:19 . 2010-03-21 06:39 -------- d-----w- c:\documents and settings\home\Application Data\Apple Computer
    2010-03-21 05:19 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2010-03-21 05:19 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2010-03-21 05:17 . 2010-03-21 05:20 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Apple Computer
    2010-03-21 04:09 . 2010-03-21 04:11 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\ApplicationHistory
    2010-03-21 04:04 . 2010-03-21 04:04 -------- d-----w- c:\documents and settings\home\Application Data\Yahoo!
    2010-03-21 04:04 . 2010-03-21 07:17 -------- d-----w- c:\program files\Yahoo!
    2010-03-21 04:04 . 2010-03-21 04:04 -------- d-----w- c:\program files\CCleaner

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-21 18:42 . 2010-03-21 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-21 12:37 . 2010-03-21 03:58 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-21 12:37 . 2010-03-21 03:58 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-21 12:37 . 2010-03-21 03:58 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-21 06:38 . 2010-03-21 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-03-21 06:19 . 2010-03-21 06:17 -------- d-----w- c:\documents and settings\home\Application Data\LimeWire
    2010-03-21 06:16 . 2010-03-21 02:59 -------- d-----w- c:\program files\Java
    2010-03-21 05:22 . 2010-03-21 03:55 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-21 05:19 . 2010-03-21 05:19 -------- d-----w- c:\program files\iTunes
    2010-03-21 05:19 . 2010-03-21 05:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2010-03-21 05:19 . 2010-03-21 05:19 -------- d-----w- c:\program files\iPod
    2010-03-21 05:19 . 2010-03-21 05:17 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-21 05:19 . 2010-03-21 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-03-21 05:18 . 2010-03-21 05:18 -------- d-----w- c:\program files\Bonjour
    2010-03-21 05:18 . 2010-03-21 05:18 -------- d-----w- c:\program files\QuickTime
    2010-03-21 05:18 . 2010-03-21 05:18 -------- d-----w- c:\program files\Apple Software Update
    2010-03-21 04:22 . 2010-03-21 03:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-21 04:20 . 2010-03-21 03:35 -------- d-----w- c:\program files\Windows Desktop Search
    2010-03-21 03:58 . 2010-03-21 03:58 -------- d-----w- c:\program files\AVG
    2010-03-21 03:58 . 2010-03-21 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-03-21 03:58 . 2010-03-21 03:58 -------- d-----w- c:\program files\Broadcom
    2010-03-21 03:58 . 2010-03-21 03:55 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-03-21 03:57 . 2010-03-21 03:57 -------- d-----w- c:\program files\Intel
    2010-03-21 03:56 . 2010-03-21 03:56 -------- d-----w- c:\program files\Analog Devices
    2010-03-21 03:48 . 2010-03-21 03:48 -------- d-----w- c:\program files\microsoft frontpage
    2010-03-21 03:46 . 2010-03-21 03:46 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-03-21 03:46 . 2010-03-21 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
    2010-03-21 03:45 . 2010-03-21 03:45 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-03-21 03:39 . 2010-03-21 03:39 -------- d-----w- c:\program files\MSBuild
    2010-03-21 03:39 . 2010-03-21 03:39 -------- d-----w- c:\program files\Reference Assemblies
    2010-03-21 03:36 . 2010-03-21 03:36 -------- d-----w- c:\documents and settings\home\Application Data\Windows Desktop Search
    2010-03-21 03:35 . 2010-03-21 03:35 -------- d-----w- c:\program files\Windows Media Connect 2
    2010-03-21 03:23 . 2010-03-21 03:47 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-03-21 02:59 . 2010-03-21 02:59 -------- d-----w- c:\program files\Common Files\Java
    2010-03-18 19:04 . 2010-03-18 19:04 496128 ----a-w- c:\windows\system32\setupv.exe
    2010-02-18 09:34 . 2010-02-18 09:34 1273856 ----a-w- c:\windows\system32\A7xidBuk_-0UPM.dll
    2010-02-15 22:41 . 2010-02-15 22:41 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-01-12 17:03 . 2010-03-21 03:12 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2010-01-12 17:03 . 2010-01-12 17:03 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-01-12 17:03 . 2010-01-12 17:03 4104192 ----a-w- c:\windows\system32\nvcuda.dll
    2010-01-12 17:03 . 2010-01-12 17:03 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-01-12 17:03 . 2010-01-12 17:03 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2010-01-12 17:03 . 2010-01-12 17:03 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-01-12 17:03 . 2010-01-12 17:03 182888 ----a-w- c:\windows\system32\nvcodins.dll
    2010-01-12 17:03 . 2010-01-12 17:03 182888 ----a-w- c:\windows\system32\nvcod.dll
    2010-01-12 17:03 . 2010-01-12 17:03 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-01-12 17:03 . 2010-01-12 17:03 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-01-12 17:03 . 2010-01-12 17:03 1081344 ----a-w- c:\windows\system32\nvapi.dll
    2010-01-12 17:03 . 2008-04-14 00:12 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-01-12 03:17 . 2010-01-12 03:17 278120 ----a-w- c:\windows\system32\nvmccs.dll
    2010-01-12 03:17 . 2010-01-12 03:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-01-12 03:17 . 2010-01-12 03:17 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-01-12 03:17 . 2010-01-12 03:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll
    2010-01-12 03:17 . 2010-01-12 03:17 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-01-12 03:17 . 2010-01-12 03:17 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2009-12-31 16:50 . 2004-08-12 14:06 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-22 05:20 . 2009-12-22 05:20 81920 ------w- c:\windows\system32\ieencode.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP "= "c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
    "IAAnotif "= "c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2010-03-21 149280]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

    c:\documents and settings\home\Start Menu\Programs\Startup\
    esport1.exe [2010-3-21 2933866]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-21 12:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^home^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\documents and settings\home\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe "=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/20/2010 11:58 PM 216200]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/20/2010 11:58 PM 242696]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/21/2010 8:37 AM 916760]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/21/2010 8:37 AM 308064]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/21/2010 2:41 PM 38224]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MBAMSWISSARMY
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\lkk0n11m.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://bing.zugo.com/?cfg=2-80-0-CIZV
    FF - prefs.js: keyword.URL - hxxp://bing.zugo.com/s/?src=FF-Address&site=Bing&cfg=2-80-0-CIZV&q=
    FF - component: c:\program files\Mozilla Firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}\components\--_4f_71L.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll
    HKLM-Run-nwiz - nwiz.exe
    AddRemove-C1m_1vze-6w - c:\windows\system32\C1m_1vze-6w.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-21 15:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-03-21 15:46:04
    ComboFix-quarantined-files.txt 2010-03-21 19:46

    Pre-Run: 138,226,450,432 bytes free
    Post-Run: 138,212,859,904 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 46219508896AA0D8EF737F60315A175E
     
  7. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    don't know if it will help: malwarebytes log

    Database version: 3892
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/21/2010 5:38:17 PM
    mbam-log-2010-03-21 (17-38-17).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 152525
    Time elapsed: 21 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\home\Start Menu\Programs\Startup\esport1.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\C1m_1vze-6w.exe.vir (Adware.Adrotator) -> Quarantined and deleted successfully.
     
  8. 2010/03/21
    wildfire

    wildfire Getting Old

    You need to post DDS.TXT too, if you already have then give it some time (as a new user your posts are subject to moderation if they contain URLs).

    Regarding the P2P software (Limewire, BitTorrent, uTorrent etc…) installed on your machine.

     
  9. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    ==================================================================

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===================================================================

    Open Firefox.
    Type the following in address bar:
    about:config
    Press Enter.

    New tab will open.
    In "Filter" field paste the following:
    keyword.URL
    Appropriate line will display below.
    Right click on keyword.URL line and click "Reset".

    In "Filter" field paste the following:
    browser.startup.homepage
    Right click on browser.startup.homepage line and click "Reset".

    Restart Firefox and see, if bing.zugo still bothers you.
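
The reset above can also be confirmed from outside the browser by reading the profile's prefs.js, which is where the ComboFix log found the two hijacked values. The following is an added example, not part of the original thread or of any tool mentioned in it; the function names and the `ALLOWED` list are hypothetical, and the sample file contents are constructed from the values in the log (kept in their defanged `hxxp` form).

```python
import json
import re
from urllib.parse import urlsplit

# URL-valued preferences that the ComboFix log showed pointing at bing.zugo.com.
WATCHED = ("browser.startup.homepage", "keyword.URL")

# Hypothetical allowlist: registered domains the user actually expects to see.
ALLOWED = {"bing.com", "google.com", "mozilla.org"}

# One user_pref("name", value); statement per line, as Firefox writes prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in a prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not user_pref(...)
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)  # strings, integers, true/false
        except ValueError:
            prefs[name] = raw  # keep unparsed text rather than dropping the pref
    return prefs


def host_of(url):
    """Lower-cased host of a URL; accepts defanged hxxp:// as copied from logs."""
    url = url.strip()
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_allowed(host, allowed):
    """Match on the domain suffix, so bing.zugo.com does not pass as bing.com."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def audit(text, allowed=ALLOWED):
    """List (pref, url, host) for watched prefs that point outside the allowlist."""
    findings = []
    prefs = parse_prefs(text)
    for name in WATCHED:
        value = prefs.get(name)
        if not isinstance(value, str):
            continue  # pref absent (already reset) or not a string
        for url in value.split("|"):  # the homepage pref may hold several URLs
            host = host_of(url)
            if host and not is_allowed(host, allowed):
                findings.append((name, url.strip(), host))
    return findings


# Constructed sample: prefs.js lines carrying the values reported in the log.
SAMPLE_HIJACKED = """\
# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "Bing");
user_pref("browser.startup.homepage", "hxxp://bing.zugo.com/?cfg=2-80-0-CIZV");
user_pref("keyword.URL", "hxxp://bing.zugo.com/s/?src=FF-Address&site=Bing&cfg=2-80-0-CIZV&q=");
user_pref("browser.startup.page", 1);
"""

# Constructed sample: after "Reset", keyword.URL is gone and the homepage is the user's own.
SAMPLE_CLEAN = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.bing.com/|about:blank");
user_pref("browser.startup.page", 1);
"""

if __name__ == "__main__":
    for name, url, host in audit(SAMPLE_HIJACKED):
        print(f"{name}: {url} (host {host} not in allowlist)")
    print("clean profile findings:", audit(SAMPLE_CLEAN))
```

If a watched preference reappears with the same host after a reset and a browser restart, something on the machine is still rewriting the file.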
     
  10. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    that worked for firefox. do i do the same thing for explorer?
     
  11. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    thanks a TON by the way. this is by far the most helpful site i have found.
     
  12. 2010/03/21
    broni

    broni Moderator Malware Analyst

    You're very welcome :)

    We have to run a couple more steps to make sure nothing is hiding :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  13. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    what's hijack this? don't have that
     
  14. 2010/03/21
    broni

    broni Moderator Malware Analyst

  15. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    Kaspersky freezes

    Is kaspersky supposed to take a while?
    Been downloading the database upgrade for 15 min almost now

    nevermind i guess it don't like firefox =(
    i started it in explorer and it's running great now
     
    Last edited: 2010/03/21
  16. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Yes, it does take time....
     
  17. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    kaspersky and hijackthis logs

    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, March 21, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, March 21, 2010 22:40:44
    Records in database: 3840740
    Scan settings
    scan using the following database extended
    Scan archives yes
    Scan e-mail databases yes
    Scan area My Computer
    A:\
    C:\
    D:\
    E:\
    Scan statistics
    Objects scanned 38176
    Threats found 1
    Infected objects found 2
    Suspicious objects found 0
    Scan duration 00:50:13

    File name Threat Threats count
    C:\Program Files\Mozilla Firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}\components\--_4f_71L.dll/C:\Program Files\Mozilla Firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}\components\--_4f_71L.dll Infected: not-a-virus:AdWare.Win32.EZula.alm 1
    C:\Program Files\Mozilla Firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}\components\--_4f_71L.dll Infected: not-a-virus:AdWare.Win32.EZula.alm 1
    Selected area has been scanned.
     
  18. 2010/03/21
    gideon01

    gideon01 Inactive Thread Starter

    hijack this log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:27:22 PM, on 3/21/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whtm.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Search Toolbar\tbcore3.dll (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll ",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6304 bytes
     
  19. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\Mozilla Firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}\components\--_4f_71L.dll/C:\Program Files\Mozilla Firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}\components\--_4f_71L.dll 
    C:\Program Files\Mozilla Firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}\components\--_4f_71L.dll
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  20. 2010/03/22
    gideon01

    gideon01 Inactive Thread Starter

    i ran otm but get an error message after i click move it.

    invalid time flag [C:\Program Files\Mozilla Firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}\components\--_4f_71L.dll ] must be numerical
     
  21. 2010/03/22
    broni

    broni Moderator Malware Analyst

    My mistake.
    Please, re-run OTM with the following code:

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\Mozilla Firefox\extensions\{b213b800-b50c-14f4-a353-7f58602f49f1}\components\--_4f_71L.dll
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
     
