
Solved Search engine redirects, slowing down of internet

Discussion in 'Malware and Virus Removal Archive' started by erroneous, 2008/09/24.

  1. 2008/09/24
    erroneous
    [Resolved] Search engine redirects, slowing down of internet

    Lately my internet speed has really been bogged down. This started the same time as when my searches started redirecting to other websites when I clicked on them. This only happens in Internet Explorer. For example, when I search "Windowsbbs" the correct search results show up but the link to your website is:
    hxxp://adservices10.enhance.com/cdm...5b5UINDFq&k=windowsbbs&ui=468148268183410178I

    Even if I click it again without refreshing the page it now takes me to:
    hxxp://dioxide-lot.info/search.php?aid=13866&said=61-v2test7&keyword=windowsbbs&ipr=&rej=1

    In that second one McAfee blocked a script being executed by explorer.exe.

    I can browse normally but my connection does seem to be a lot slower than a week or so ago. Here is my log from hijackthis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:15:05, on 9/24/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\Program Files\Ahead\InCD\InCDsrv.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\system32\spoolsv.exe
    I:\WINDOWS\Explorer.EXE
    I:\Program Files\McAfee\Common Framework\FrameworkService.exe
    I:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    I:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    I:\WINDOWS\system32\nvsvc32.exe
    i:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    I:\Program Files\lg_fwupdate\fwupdate.exe
    I:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    I:\WINDOWS\system32\RUNDLL32.EXE
    I:\Program Files\Windows Live\Messenger\msnmsgr.exe
    I:\Program Files\Mozilla Firefox\firefox.exe
    I:\Program Files\Ventrilo\Ventrilo.exe
    I:\Program Files\McAfee\Common Framework\UdaterUI.exe
    I:\Program Files\McAfee\Common Framework\McTray.exe
    I:\Program Files\Windows Live\Messenger\usnsvc.exe
    I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - I:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - I:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [LGODDFU] "I:\Program Files\lg_fwupdate\fwupdate.exe" blrun
    O4 - HKLM\..\Run: [ShStatEXE] "I:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [inrhct0oj0egfc] I:\Documents and Settings\Owner\Local Settings\Temp\.tt1A.tmp.exe /CR=5F8C0875B49BA02BB503A8EC828A17BC9B46241D2B9804C2240F731FC4FFDD36A0103FEBE0658FCD0FE18D8E6CD9F31E2D7B67342F9AA9A30208EBF1848213388CA33B492C451DA9F7B989EA52F3B04CF1
    O4 - HKCU\..\Run: [NVIDIA nTune] "I:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [msnmsgr] "I:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: I:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155785986781
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - I:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - I:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - I:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - I:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - I:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - I:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe

    --
    End of file - 5375 bytes

    Also, I checked how many connections I have and sometimes when I'm browsing my computer has over 1500 connections to it, 1300 or so of which are stuck in CLOSE_WAIT. Once I close them manually everything speeds up again until they go into CLOSE_WAIT. Thanks
     
  2. 2008/09/24
    Geri
    Hi erroneous
    Welcome to Windowsbbs.

    Please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Thanks
    Geri
     


  4. 2008/09/25
    erroneous
    Neither of those links work for me, possibly part of my problem. Can you verify or maybe give me another source to download?

    Edit:
    OK, so I found out the websites work by asking a friend to see if bleepingcomputer.com works. And when I ping I get a response.

    Another part of the problem is that sometimes Firefox will give me an error saying "Content Encoding Error". But it will work if I refresh the page two or three times. So many problems... =\
     
    Last edited: 2008/09/25
  5. 2008/09/25
    Geri
    Hi
    OK please do it this way.

    1. Click noahdfear's Rename ComboFix.
    2. If it launches a file download dialog for download_file.exe from noahdfear.net, click Run.
    3. The download_file.vbs file should appear on the desktop, and shortly thereafter a renamed copy of ComboFix.
    4. Please note that the vbs file is recognized by some security programs as a Trojan-Downloader.JS and may try to block it. I assure you, the file is safe. So please allow it.
    5. If successful, double click the renamed ComboFix and follow the prompts.

    Please post the log.

    Thanks
    Geri
     
  6. 2008/09/26
    erroneous
    WOW that fixed the redirect problem and random pages not loading. And now those two links actually work. While it was running my antivirus detected 5 or 6 files and deleted them. Should I disable it and redo the combofix program? Here's the log anyway:


    ComboFix 08-09-25.03 - Owner 2008-09-26 2:44:26.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1511 [GMT -3:00]
    Running from: I:\Documents and Settings\Owner\Desktop\FomboCix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    I:\Documents and Settings\Owner\Application Data\inst.exe
    I:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    I:\WINDOWS\system32\MSINET.oca
    I:\WINDOWS\system32\tdssinit.dll
    I:\WINDOWS\system32\tdssl.dll
    I:\WINDOWS\system32\tdssservers.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV
    -------\Service_TDSSserv


    ((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
    .

    2008-09-24 12:55 . 2008-09-24 13:00 <DIR> d-------- I:\fixwareout
    2008-09-22 11:24 . 2008-09-22 11:30 54,156 --ah----- I:\WINDOWS\QTFont.qfn
    2008-09-22 11:24 . 2008-09-22 11:30 1,409 --a------ I:\WINDOWS\QTFont.for
    2008-09-18 00:44 . 2008-09-18 00:44 3,416 --a------ I:\WINDOWS\system32\PerfStringBackup.TMP
    2008-09-17 17:51 . 2008-09-17 17:52 <DIR> d-------- I:\Program Files\Spybot - Search & Destroy
    2008-09-17 17:51 . 2008-09-18 00:43 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-17 16:44 . 2008-09-17 16:44 <DIR> d-------- I:\Program Files\Trend Micro
    2008-09-17 16:24 . 2008-09-17 16:24 <DIR> d-------- I:\WINDOWS\system32\scripting
    2008-09-17 16:24 . 2008-09-17 16:24 <DIR> d-------- I:\WINDOWS\system32\en
    2008-09-17 16:24 . 2008-09-17 16:24 <DIR> d-------- I:\WINDOWS\system32\bits
    2008-09-17 16:24 . 2008-09-17 16:24 <DIR> d-------- I:\WINDOWS\l2schemas
    2008-09-17 16:23 . 2008-09-17 16:23 <DIR> d-------- I:\WINDOWS\ServicePackFiles
    2008-09-17 16:19 . 2008-09-17 16:19 <DIR> d-------- I:\WINDOWS\EHome
    2008-09-17 14:08 . 2008-09-17 14:23 2,156 --a------ I:\WINDOWS\system32\tmp.reg
    2008-09-12 22:11 . 2008-09-12 22:11 <DIR> d---s---- I:\Program Files\HLSW
    2008-09-12 22:11 . 2008-09-22 23:08 <DIR> d-------- I:\Documents and Settings\Owner\Application Data\HLSW

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-26 05:53 --------- d-----w I:\Program Files\lg_fwupdate
    2008-09-26 05:08 --------- d-----w I:\Program Files\Steam
    2008-09-24 17:52 --------- d-----w I:\Documents and Settings\Owner\Application Data\uTorrent
    2008-09-19 18:36 --------- d--h--w I:\Program Files\InstallShield Installation Information
    2008-09-19 18:36 --------- d-----w I:\Program Files\Rockstar Games
    2008-09-09 22:16 --------- d-----w I:\Program Files\Diablo
    2008-09-01 05:17 --------- d-----w I:\Documents and Settings\Owner\Application Data\Xfire
    2008-09-01 05:13 --------- d-----w I:\Program Files\Xfire
    2008-08-19 10:38 --------- d-----w I:\Documents and Settings\Owner\Application Data\OpenOffice.org2
    2008-08-19 06:11 --------- d-----w I:\Program Files\Bethesda Softworks
    2008-08-19 05:40 --------- d-----w I:\Program Files\UltraISO
    2008-08-19 05:40 --------- d-----w I:\Program Files\Common Files\EZB Systems
    2008-08-19 05:19 107,888 ----a-w I:\WINDOWS\system32\CmdLineExt.dll
    2008-08-19 05:15 --------- d-----w I:\Program Files\DAEMON Tools
    2008-08-19 05:01 685,816 ----a-w I:\WINDOWS\system32\drivers\sptd.sys
    2008-08-16 06:44 --------- d-----w I:\Program Files\DivX
    2008-08-13 08:44 --------- d-----w I:\Documents and Settings\Owner\Application Data\AdobeUM
    2008-08-12 22:08 42,320 ----a-w I:\WINDOWS\system32\xfcodec.dll
    2008-08-09 12:29 --------- d-----w I:\Program Files\Fraps
    2008-08-09 12:25 --------- d-----w I:\Program Files\Unreal Tournament 2004
    2008-08-05 16:13 --------- d-----w I:\Program Files\Java
    2008-07-25 08:36 524,288 ----a-w I:\WINDOWS\system32\DivXsm.exe
    2008-07-23 16:50 3,596,288 ----a-w I:\WINDOWS\system32\qt-dx331.dll
    2008-07-23 16:48 200,704 ----a-w I:\WINDOWS\system32\ssldivx.dll
    2008-07-23 16:48 1,044,480 ----a-w I:\WINDOWS\system32\libdivx.dll
    2008-07-23 16:46 12,288 ----a-w I:\WINDOWS\system32\DivXWMPExtType.dll
    2008-07-19 01:10 94,920 ----a-w I:\WINDOWS\system32\cdm.dll
    2008-07-19 01:10 53,448 ----a-w I:\WINDOWS\system32\wuauclt.exe
    2008-07-19 01:10 45,768 ----a-w I:\WINDOWS\system32\wups2.dll
    2008-07-19 01:10 36,552 ----a-w I:\WINDOWS\system32\wups.dll
    2008-07-19 01:09 563,912 ----a-w I:\WINDOWS\system32\wuapi.dll
    2008-07-19 01:09 325,832 ----a-w I:\WINDOWS\system32\wucltui.dll
    2008-07-19 01:09 205,000 ----a-w I:\WINDOWS\system32\wuweb.dll
    2008-07-19 01:09 1,811,656 ----a-w I:\WINDOWS\system32\wuaueng.dll
    2008-07-19 01:07 270,880 ----a-w I:\WINDOWS\system32\mucltui.dll
    2008-07-19 01:07 210,976 ----a-w I:\WINDOWS\system32\muweb.dll
    2008-07-07 20:26 253,952 ----a-w I:\WINDOWS\system32\es.dll
    2008-07-01 08:44 43,520 ----a-w I:\WINDOWS\system32\CmdLineExt03.dll
    2008-06-28 03:37 131,072 ----a-w I:\WINDOWS\system32\SpoonUninstall.exe
    2007-06-10 20:32 47,360 ----a-w I:\Documents and Settings\Owner\Application Data\pcouffin.sys
    2004-10-01 18:00 40,960 ----a-w I:\Program Files\Uninstall_CDS.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIDIA nTune "= "I:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
    "msnmsgr "= "I:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LGODDFU "= "I:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-10 249856]
    "ShStatEXE "= "I:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
    "NvCplDaemon "= "I:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
    "NvMediaCenter "= "I:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 81920]
    "nwiz "= "nwiz.exe" [2007-12-05 I:\WINDOWS\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost "= "I:\\WINDOWS\\system32\\logonuiX.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1 "= xfcodec.dll
    "vidc.DIV3 "= DivXc32.dll
    "vidc.DIV4 "= DivXc32f.dll
    "msacm.divxa32 "= DivXa32.acm
    "VIDC.HFYU "= huffyuv.dll

    [HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=I:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=I:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\I:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
    path=I:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
    backup=I:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
    --a------ 2004-04-26 17:21 270336 I:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    --a------ 2007-08-16 08:24 167368 I:\Program Files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    --------- 2006-03-23 17:06 1398272 I:\Program Files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
    --a------ 2002-09-03 19:38 987187 I:\Program Files\WinCustomize\LogonStudio\LogonStudio.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
    --a------ 2008-03-14 04:00 136512 I:\Program Files\McAfee\Common Framework\UdaterUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-13 21:12 1695232 I:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-10-18 12:34 5724184 I:\Program Files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2006-01-12 15:40 155648 I:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
    --a------ 2007-11-02 17:36 5223752 I:\Program Files\Pando Networks\Pando\pando.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
    --------- 2004-04-21 10:26 86016 I:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 06:24 286720 I:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a------ 2004-11-02 20:24 32768 I:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2008-08-18 18:41 1832272 I:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-10 04:27 144784 I:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    -r------- 2005-05-03 07:43 69632 I:\WINDOWS\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    --------- 2005-01-07 17:07 61952 I:\WINDOWS\system32\HdAShCut.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-12-05 02:41 1626112 I:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    -r------- 2005-10-14 06:51 14864384 I:\WINDOWS\RTHDCPL.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "I:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe "=
    "I:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe "=
    "I:\\WINDOWS\\system32\\dplaysvr.exe "=
    "I:\\Program Files\\uTorrent\\utorrent.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "I:\\Program Files\\Steam\\SteamApps\\mr210787\\counter-strike source\\hl2.exe "=
    "I:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\java.exe "=
    "I:\\Program Files\\Pando Networks\\Pando\\pando.exe "=
    "I:\\Program Files\\Maple 10\\jre\\bin\\maple.exe "=
    "I:\\Program Files\\Maple 10\\jre\\bin\\java.exe "=
    "I:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "I:\\Program Files\\EA Games\\MOHAA\\MOHAA.exe "=
    "I:\\Program Files\\Steam\\SteamApps\\mr210787\\counter-strike\\hl.exe "=
    "I:\\Program Files\\Starcraft\\StarCraft.exe "=
    "I:\\Program Files\\Steam\\SteamApps\\mr210787\\condition zero\\hl.exe "=
    "I:\\Program Files\\Steam\\SteamApps\\mr210787\\ricochet\\hl.exe "=
    "I:\\Program Files\\VideoLAN\\VLC\\vlc.exe "=
    "I:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI.SP4a\\Win32\\RpcDataSrv.exe "=
    "I:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI.SP4a\\RpcSandraSrv.exe "=
    "I:\\Program Files\\Messenger\\msmsgs.exe "=
    "I:\\Program Files\\Diablo\\Diablo.exe "=
    "I:\\Program Files\\Steam\\Steam.exe "=
    "I:\\Program Files\\GameSpy Arcade\\Aphex.exe "=
    "I:\\Program Files\\Xfire\\xfire.exe "=
    "I:\\WINDOWS\\system32\\dpvsetup.exe "=
    "I:\\Program Files\\Steam\\SteamApps\\mr210787\\half-life 2\\hl2.exe "=
    "I:\\Program Files\\Steam\\SteamApps\\mr210787\\half-life 2 deathmatch\\hl2.exe "=
    "I:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe "=
    "I:\\Program Files\\THQ\\Titan Quest Immortal Throne\\Tqit.exe "=
    "I:\\Program Files\\HLSW\\hlsw.exe "=
    "I:\\Program Files\\Steam\\SteamApps\\alucard_iv\\counter-strike source\\hl2.exe "=
    "I:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "I:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "J:\\Program Files\\mIRC\\mirc.exe "=

    S4 msvsmon80;Visual Studio 2005 Remote Debugger;I:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-inrhct0oj0egfc - I:\Documents and Settings\Owner\Local Settings\Temp\.tt1A.tmp.exe
    MSConfigStartUp-ares - I:\Program Files\Ares\Ares.exe
    MSConfigStartUp-HDDHealth - I:\Program Files\HDD Health\HDDHealth.exe
    MSConfigStartUp-lphcp0oj0egfc - I:\WINDOWS\system32\lphcp0oj0egfc.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - I:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9rogx0iw.default\
    FF -: plugin - I:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - I:\Program Files\Mozilla Firefox\plugins\npmozax.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-26 02:52:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    I:\Program Files\Ahead\InCD\InCDsrv.exe
    I:\Program Files\McAfee\Common Framework\FrameworkService.exe
    I:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    I:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    I:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    I:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    I:\WINDOWS\system32\nvsvc32.exe
    I:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    I:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    I:\Program Files\McAfee\Common Framework\Mctray.exe
    I:\FomboCix\pv.cfexe
    .
    **************************************************************************
    .
    Completion time: 2008-09-26 3:04:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-26 06:04:16

    Pre-Run: 44,764,762,112 bytes free
    Post-Run: 44,720,578,560 bytes free

    228 --- E O F --- 2008-09-18 15:51:54
     
  7. 2008/09/26
    Geri
    Hi
    OK that looks good.

    Let's get an online scan.

    Please do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type, Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  8. 2008/09/27
    erroneous
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, September 27, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, September 27, 2008 00:51:44
    Records in database: 1264419
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - Folder:
    I:\

    Scan statistics:
    Files scanned: 182192
    Threat name: 3
    Infected objects: 2
    Suspicious objects: 1
    Duration of the scan: 02:59:04


    File name / Threat name / Threats count
    I:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
    I:\Documents and Settings\Owner\My Documents\Prog\download_file.exe Suspicious: Trojan-Downloader.JS.gen 1
    I:\Documents and Settings\Owner\My Documents\Prog\Nero-6.6.1.15a.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bm 1

    The selected area was scanned.
     
  9. 2008/09/27
    Geri
    Hi
    OK those are not so bad.
    Any reason why you did a scan of this only, and not "My Computer" as suggested?
    Scan area - Folder:
    I:\



    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below. (If present)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.


    Click Start > Run; in the Run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.


    Please delete these.
    I:\fixwareout
    SmitfraudFix.exe

    Empty your recycle bin.


    I see you have P2P software (Limewire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here,
    here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at Windowsbbs Malware and Virus Removal.

    Let me know how things are running.

    Geri.
     
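    As an added illustration (not part of the thread or either poster's work), the two triage checks Geri applies above, the O2/O3 registrations whose file is gone and the O4 Run entry launching from Local Settings\Temp that ComboFix later removed as an orphan, can be scripted over HijackThis log lines. The sample lines are constructed in the log's format from the entries in this thread, and the /CR= argument is shortened to a placeholder.

```python
import re

# Constructed sample in the format of a HijackThis 2.0.2 log; the entries
# mirror the ones discussed in the thread, with the /CR= blob replaced by a placeholder.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "I:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [inrhct0oj0egfc] I:\Documents and Settings\Owner\Local Settings\Temp\.tt1A.tmp.exe /CR=PLACEHOLDER
O4 - HKCU\..\Run: [msnmsgr] "I:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
"""

# "O4 - HKLM\..\Run: [name] command" -> section code and the rest of the line
SECTION_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# hive, key (Run/RunOnce/...), value name, and the launch command
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# leading (optionally quoted) executable path of a command line; lazy so
# "I:\...\.tt1A.tmp.exe /CR=..." stops at the first real executable suffix
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|bat|cmd|vbs|js))"?(?:\s|$)', re.I)
# user or system temp directories, where a persistent Run entry has no business living
TEMP_RE = re.compile(r"\\(?:Local Settings\\)?Temp\\|\\Temporary Internet Files\\", re.I)


def parse_line(line):
    """Split one HijackThis line into (section, body), or None for non-entry lines."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def command_path(command):
    """Extract the executable path from an O4 command, quoted or unquoted."""
    command = command.strip()
    m = EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def triage_hijackthis(log_text):
    """Apply the thread's two heuristics and return a list of findings:
    - O2 (BHO) / O3 (toolbar) entries ending in "(no file)": dead registrations to fix
    - O4 Run entries whose executable lives in a Temp directory: suspicious autostart"""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append({"section": section, "name": body.split(" - ")[0],
                             "reason": "registered object with missing file",
                             "detail": body})
        elif section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            hive, key, name, command = m.groups()
            path = command_path(command)
            if TEMP_RE.search(path):
                findings.append({"section": section, "name": name,
                                 "reason": f"{hive} {key} entry launches from a Temp directory",
                                 "detail": path})
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f['section']:3} {f['reason']}: {f['name']} -> {f['detail']}")
```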
  10. 2008/09/27
    erroneous
    I have a second hard drive, a Maxtor 100GB (drive J), that's a few years old and all I use it for now is to back up stuff for school. I haven't used any of the applications on it in years so I excluded it. As for the torrent programs, I usually stick to private trackers but I still understand the risk. This is actually the first infection I've had on this computer in 3 years and if it starts to act up again I'd have no problem letting go of the torrents as I rarely use them anymore anyway. All seems fine so far, thanks again.
     
  11. 2008/09/27
    Geri
    Hi
    OK, good, you're welcome.

    Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Malware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    I'll mark this one resolved.

    Surf Safely
    Geri
     
