
Search engines redirect to false search sites



Alright. I give up and this thing has beat me so far.

My McAfee finally expired and at some time after that my computer caught something. About 1 out of 4 times I click on a link from a search engine (Google, Yahoo, Bing, etc.), I get redirected to some phony search engine or some ridiculous site.

I tried a system restore to a month prior to my problem. To no avail. I turned off System Restore to eliminate anything that might be lurking in there.

I cleaned up a number of old versions of programs and uninstalled them - mostly the 8 versions of Java I had installed.

I cannot boot in Safe Mode as I get hung up on Mup.sys. I have tried getting around this by running chkdsk and multiple anti-spyware and anti-malware programs. I have run through CCleaner, CWShredder, HijackThis, Malwarebytes Anti-Malware, Spybot Search and Destroy, Spyware Doctor, SUPERAntiSpyware, Windows Malicious Program Remover (Nov Edition), AVG Antivirus and Ad-Aware. Again, only in normal mode as I cannot boot in safe mode - the computer hangs and reboots. Yes, I reboot between scans.

The Windows Malicious Program Remover found something and removed it, as did Malwarebytes (in full scan mode) and SuperAntiSpyware.

The rest of the programs show the computer is clean.

All programs were checked for the most current updates before they were run.

My problem still exists.

I have tried "fixing" these items in HijackThis but they keep coming back.

O23 - Service: Google Update Service (gupdate1ca4dd75f989ce8) (gupdate1ca4dd75f989ce8) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

Just ran up-to-date versions of HijackThis, Malwarebytes, and AVG Antivirus. Hope someone can help. Thanks in advance. Here are the logs:

MALWAREBYTES:

Malwarebytes' Anti-Malware 1.41

Database version: 3234

Windows 5.1.2600 Service Pack 3

11/25/2009 6:28:37 PM

mbam-log-2009-11-25 (18-28-37).txt

Scan type: Quick Scan

Objects scanned: 134513

Time elapsed: 36 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HIJACK THIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:12:03 PM, on 11/25/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\taskswitch.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe

O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1161656023295

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235765052484

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate1ca4dd75f989ce8) (gupdate1ca4dd75f989ce8) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 8661 bytes


Hello Confuzzed

Welcome to Malwarebytes. :blink:

=====================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the below in bold:

    netsvcs

    %SYSTEMDRIVE%\*.exe

    /md5start

    eventlog.dll

    scecli.dll

    netlogon.dll

    cngaudit.dll

    sceclt.dll

    ntelogon.dll

    logevent.dll

    iaStor.sys

    nvstor.sys

    atapi.sys

    IdeChnDr.sys

    viasraid.sys

    AGP440.sys

    vaxscsi.sys

    nvatabus.sys

    viamraid.sys

    nvata.sys

    nvgts.sys

    iastorv.sys

    ViPrt.sys

    eNetHook.dll

    /md5stop

    CREATERESTOREPOINT


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

====================

===========

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


I started trying to follow the procedures you listed above, but with the parameters you set, the OTL.exe program starts scanning fine but then hangs when trying to scan netsvcs. When I try to close the program, a Not Responding error shows up.

I have my AVG Resident Shield disabled; should I have more of AVG disabled? Perhaps something else?

Oh, now I am getting popups as well. Oh joy.... :)


I got the GMER to run and here are the results.

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-11-30 13:57:35

Windows 5.1.2600 Service Pack 3

Running: m56rlhin.exe; Driver: C:\DOCUME~1\SL\LOCALS~1\Temp\pxldypow.sys

---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF739BD72]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF737C9A6]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF737CB98]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF739C568]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF739C820]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF739AA80]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF739CC8A]

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF739C036]

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF559D0B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 3 Bytes [D0, 59, F5] {RCR BYTE [ECX-0xb], 0x1}

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73E07AC]

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6AB5360, 0x24BB1D, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\00002142 -> \Driver\atapi \Device\Harddisk0\DR0 864D850C

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x3D 0xB5 0x1C 0xF1 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{858e1d13-756e-4696-b4bd-f1ba57801dc2}@Model 117

Reg HKLM\SOFTWARE\Classes\CLSID\{858e1d13-756e-4696-b4bd-f1ba57801dc2}@Therad 32

Reg HKLM\SOFTWARE\Classes\CLSID\{858e1d13-756e-4696-b4bd-f1ba57801dc2}@MData 0xE1 0x90 0x6A 0x8E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Hope it helps...

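The GMER log above reports atapi.sys with its entry point in the ".rsrc" section, and ComboFix later restores that driver from ServicePackFiles. The following is an added example (not GMER's, ComboFix's, or the thread's own code) of the header-level check behind that finding: it parses a PE file's section table and reports when AddressOfEntryPoint falls in a section that is not executable, not marked as code, or named .rsrc. The two sample images are constructed in memory with the same layout and differ only in the entry point; they stand in for a shipped driver and a patched one and are not the bytes of any real atapi.sys.

```python
"""Flag a PE driver whose entry point lands outside its code section.

Added example. Only the PE headers are parsed, so it runs on the
constructed images below or, read-only, on any .sys/.dll path given
on the command line.
"""
import struct
import sys
from typing import List, NamedTuple, Optional, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020      # section contains code
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section may be executed


class Section(NamedTuple):
    name: str
    virtual_address: int
    size: int
    characteristics: int


def parse_headers(image: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section table) from raw PE file bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, size_opt = struct.unpack_from("<H12xH", image, coff + 2)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of both PE32 and PE32+ optional headers
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    off = opt + size_opt
    for _ in range(num_sections):
        (name, vsize, vaddr, rawsize, _ptr, _rel, _ln,
         _nrel, _nln, chars) = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, max(vsize, rawsize), chars))
        off += 40
    return entry_rva, sections


def entry_point_section(image: bytes) -> Optional[Section]:
    """Section that contains the entry point, or None if it maps nowhere."""
    entry_rva, sections = parse_headers(image)
    for sec in sections:
        if sec.virtual_address <= entry_rva < sec.virtual_address + sec.size:
            return sec
    return None


def audit_entry_point(image: bytes) -> List[str]:
    """Return findings (an empty list means the entry point looks normal)."""
    sec = entry_point_section(image)
    if sec is None:
        return ["entry point is outside every section"]
    findings = []
    if sec.name.lower() == ".rsrc":
        findings.append("entry point in '.rsrc' section")
    if not sec.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point section {sec.name!r} is not executable")
    if not sec.characteristics & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry point section {sec.name!r} is not marked as code")
    return findings


def build_pe(entry_rva: int, sections) -> bytes:
    """Build a headers-only PE32 image for testing (constructed, not a real driver)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    size, rva, size, 0, 0, 0, 0, 0, chars)
        for name, rva, size, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: identical layout, only the entry point differs.
LAYOUT = [(".text", 0x1000, 0x3000, 0x60000020),   # CODE | EXECUTE | READ
          (".rsrc", 0x4000, 0x0800, 0x40000040)]   # INITIALIZED_DATA | READ
CLEAN_DRIVER = build_pe(0x1020, LAYOUT)     # entry in .text, as shipped
PATCHED_DRIVER = build_pe(0x47AC, LAYOUT)   # entry redirected into .rsrc

if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("constructed clean", CLEAN_DRIVER), ("constructed patched", PATCHED_DRIVER)]
    for label, data in targets:
        print(label, "->", audit_entry_point(data) or ["ok"])
```

A hit from this check is a reason to compare the file against a known-good copy (for example the ServicePackFiles one ComboFix used), not proof of infection on its own, since some packers also place the entry point in unusual sections.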

First temporarily disable any antivirus program or any real time shields that are present:

If you do not know how then you can refer to this link:

http://www.bleepingcomputer.com/forums/topic114351.html

================

Then download ComboFix from any of the links below. You must rename it before saving it. Rename it to kahdah.pif, then save it to your desktop.

Link 1

Link 2

--------------------------------------------------------------------

Double click on kahdah.pif & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt


Well... I followed the link as you suggested and turned off the Resident Shield as was indicated for older versions of AVG. The link refers to different versions up to v8.5 and I am running v9.0. I noted my concerns, but figured AVG 9 operated like the older versions.

Anyway, I ran ComboFix as you requested and below is the log. ComboFix did hang during one of the restarts; not sure why, but hopefully it did not screw anything up.

Hope this helps:

________________________________________________________________________

ComboFix 09-11-30.02 - SL 11/30/2009 17:38.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.569 [GMT -8:00]

Running from: c:\documents and settings\SL\Desktop\kahdah.pif

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\WinPCap

c:\program files\WinPCap\rpcapd.exe

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\sstray.exe

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

.

((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))

.

2009-11-30 22:49 . 2009-12-01 00:06 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor

2009-11-30 16:24 . 2009-11-30 16:24 292352 ----a-w- C:\m56rlhin.exe

2009-11-28 17:11 . 2009-11-28 17:11 -------- d-----w- c:\documents and settings\PG\Application Data\Malwarebytes

2009-11-26 22:10 . 2009-11-26 22:04 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2009-11-26 22:10 . 2009-11-26 22:04 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll

2009-11-26 22:10 . 2009-11-26 22:04 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2009-11-26 22:10 . 2009-11-26 22:04 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2009-11-26 22:04 . 2009-11-26 22:04 -------- d-----w- c:\program files\AVG

2009-11-26 21:45 . 2009-11-26 21:45 3584 ----a-r- c:\documents and settings\SL\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe

2009-11-26 21:45 . 2009-11-26 21:45 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-11-26 03:01 . 2009-11-10 14:30 15880 ----a-w- c:\windows\system32\lsdelete.exe

2009-11-25 20:21 . 2009-11-25 20:21 117760 ----a-w- c:\documents and settings\SL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-11-25 20:21 . 2009-11-25 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-11-25 20:21 . 2009-11-25 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-11-25 20:21 . 2009-11-25 20:21 -------- d-----w- c:\documents and settings\SL\Application Data\SUPERAntiSpyware.com

2009-11-25 19:29 . 2009-11-25 19:29 -------- d-----w- c:\program files\CCleaner

2009-11-25 16:15 . 2009-11-25 16:15 -------- d-----w- c:\windows\system32\wbem\Repository

2009-11-10 14:29 . 2009-11-10 14:29 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2009-11-10 14:29 . 2009-11-26 00:39 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2009-11-10 14:29 . 2009-11-26 00:39 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2009-11-10 14:29 . 2009-11-26 00:39 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2009-11-10 14:29 . 2009-11-26 00:39 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

2009-11-10 14:29 . 2009-11-26 00:39 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2009-11-10 14:28 . 2009-11-26 00:39 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2009-11-10 14:28 . 2009-11-26 00:39 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2009-11-10 14:28 . 2009-11-26 00:39 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2009-11-10 14:28 . 2009-11-26 00:39 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2009-11-10 14:27 . 2009-11-10 14:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2009-11-10 14:27 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe

2009-11-10 14:26 . 2009-11-10 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-11-10 14:26 . 2009-11-10 14:26 -------- d-----w- c:\program files\Lavasoft

2009-11-10 14:22 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-10 14:22 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-10 14:22 . 2009-11-25 23:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-10 05:48 . 2009-11-10 05:48 -------- d-sh--w- c:\documents and settings\PG\IECompatCache

2009-11-10 05:21 . 2009-11-10 05:21 -------- d-----w- c:\program files\ESET

2009-11-10 01:14 . 2009-11-10 01:43 -------- d-----w- C:\$AVG

2009-11-10 01:13 . 2009-11-10 01:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2009-11-10 01:13 . 2009-11-16 02:31 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-11-10 01:13 . 2009-11-10 01:13 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-11-10 01:13 . 2009-11-10 01:13 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-11-10 01:13 . 2009-11-30 16:25 -------- d-----w- c:\windows\system32\drivers\Avg

2009-11-10 01:12 . 2009-11-26 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2009-11-10 00:58 . 2009-11-10 00:58 -------- d-----w- c:\program files\Trend Micro

2009-11-09 23:56 . 2009-12-01 02:05 -------- d-----w- c:\documents and settings\SL\Application Data\DMCache

2009-11-09 19:13 . 2009-11-09 19:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-09 17:26 . 2009-11-09 17:26 -------- d-----w- c:\documents and settings\SL\Application Data\Malwarebytes

2009-11-09 17:26 . 2009-11-09 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-09 16:56 . 2009-11-09 16:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-11-01 21:59 . 2009-11-01 21:59 -------- d-----w- c:\documents and settings\PG\Local Settings\Application Data\Temp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-26 21:44 . 2009-02-27 17:04 -------- d-----w- c:\program files\MSECACHE

2009-11-26 00:39 . 2009-11-10 14:30 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2009-11-26 00:39 . 2009-11-10 14:30 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2009-11-26 00:39 . 2009-11-10 14:30 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2009-11-26 00:39 . 2009-11-10 14:30 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll

2009-11-26 00:39 . 2009-11-10 14:30 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2009-11-26 00:39 . 2009-11-10 14:30 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2009-11-26 00:39 . 2009-11-10 14:30 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll

2009-11-25 20:20 . 2009-02-19 06:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-11-25 20:11 . 2006-10-24 15:01 -------- d-----w- c:\program files\Google

2009-11-25 17:28 . 2006-12-01 18:26 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-11-10 14:30 . 2009-11-10 14:30 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2009-11-10 14:30 . 2009-11-10 14:30 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys

2009-11-10 14:30 . 2009-11-10 14:30 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll

2009-11-10 14:30 . 2009-11-10 14:30 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-11-10 14:30 . 2009-11-10 14:30 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll

2009-11-10 14:30 . 2009-11-10 14:30 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll

2009-11-10 14:30 . 2009-11-10 14:30 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll

2009-11-10 14:30 . 2009-11-10 14:30 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll

2009-11-10 06:20 . 2008-09-01 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-11-10 05:24 . 2008-09-01 22:48 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-09 23:44 . 2009-08-23 17:50 -------- d-----w- c:\program files\Spyware Doctor

2009-11-09 23:43 . 2009-11-09 23:43 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-11-09 23:43 . 2009-08-23 17:51 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-11-03 04:42 . 2009-10-04 03:59 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-30 00:59 . 2006-11-28 15:03 3119320 ----a-w- c:\documents and settings\SL\Application Data\IDM\idmupdt.exe

2009-10-30 00:59 . 2006-10-26 17:15 -------- d-----w- c:\documents and settings\SL\Application Data\IDM

2009-10-19 23:57 . 2006-12-01 18:26 -------- d-----w- c:\program files\DivX

2009-10-19 23:55 . 2009-10-15 20:37 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll

2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll

2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll

2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll

2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll

2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll

2009-09-24 16:07 . 2009-04-11 17:41 198064 ----a-w- c:\documents and settings\SL\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

2009-09-23 12:55 . 2009-11-10 14:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-09-11 14:18 . 2001-08-18 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-09 10:43 . 2009-10-15 06:09 210352 ----a-w- c:\windows\system32\idmmbc.dll

2009-09-04 21:03 . 2001-08-18 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-10-15 3134896]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-10-06 866584]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-26 2020120]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-17 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\PG\Start Menu\Programs\Startup\

DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000003}\_SC_Acrobat.exe [2009-2-27 295606]

Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-11-10 01:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^SL^Start Menu^Programs^Startup^ikowin32.exe]

backup=c:\windows\pss\ikowin32.exeStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/10/2009 6:30 AM 64288]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/23/2009 9:51 AM 206256]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/9/2009 5:13 PM 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/9/2009 5:13 PM 360584]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/26/2009 2:04 PM 285392]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]

S2 gupdate1ca4dd75f989ce8;Google Update Service (gupdate1ca4dd75f989ce8);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1184912]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [10/5/2006 9:11 PM 13592]

S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [5/10/2009 1:35 PM 12672]

S3 M2400;IEEE 802.11b Wireless Network Driver;c:\windows\system32\drivers\M2400.sys [10/13/2003 2:22 PM 51328]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8.tmp --> c:\windows\system32\8.tmp [?]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/23/2009 9:50 AM 348752]

.

Contents of the 'Scheduled Tasks' folder

2009-12-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 00:39]

2009-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{10C5C172-A73E-4E78-9BB7-A8B606E717FC}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Download All Links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE

AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI

AddRemove-Tweak UI 2.10 - c:\windows\system32\mshta.exe res://c:\windows\system32\TweakUI.exe/uninstall.hta

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-30 18:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\8.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):3d,b5,1c,f1,d7,7f,ab,d6,c3,c0,32,a1,20,d0,36,99,c0,f6,ba,c2,ac,

84,af,0a,ec,c6,e2,3f,e0,f6,36,d4,93,2c,b2,70,63,ff,60,59,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{858e1d13-756e-4696-b4bd-f1ba57801dc2}]

@Denied: (Full) (Everyone)

"Model"=dword:00000075

"Therad"=dword:00000020

"MData"=hex(0):e1,90,6a,8e,a1,94,0b,6b,95,20,3b,49,2f,e8,42,e8,54,81,42,8f,ec,

1b,ec,4b,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3020)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\system32\nvsvc32.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\wscntfy.exe

c:\program files\Internet Download Manager\IEMonitor.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

.

**************************************************************************

.

Completion time: 2009-11-30 18:14 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-01 02:14

Pre-Run: 39,248,592,896 bytes free

Post-Run: 40,115,982,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - C9A48D0EEE93D9810AEEB16020EF1AE5

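A small triage helper for the ComboFix service and firewall lines in the log above, added here as an example (it is not ComboFix's or the forum's own code). The sample lines are constructed from the posted log, and the line formats it parses (`<R|S><digit> name;display;image [stamp]` and `"EnableFirewall"= 0`) are assumptions read off that log.

```python
import re
from typing import List, Tuple

# Constructed sample: a few lines modelled on the ComboFix log posted above
# (not the full log).
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/10/2009 6:30 AM 64288]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8.tmp --> c:\windows\system32\8.tmp [?]
S2 gupdate1ca4dd75f989ce8;Google Update Service (gupdate1ca4dd75f989ce8);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumed service line format: R = running, S = stopped, digit = start type,
# then name;display name;image, and a trailing [date size] or [?] when the
# file could not be checked.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.*)\s\[([^\]]*)\]$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def service_image(field: str) -> str:
    """Reduce the image field to a bare path: prefer the resolved path after
    '-->', then strip surrounding quotes and the \\??\\ NT prefix."""
    if "-->" in field:
        field = field.rsplit("-->", 1)[1]
    field = field.strip().strip('"')
    if field.startswith("\\??\\"):
        field = field[4:]
    return field


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (subject, reason) pairs worth a second look: services whose
    binary ComboFix could not stat ('[?]'), services whose image is a .tmp
    file, and a disabled Windows Firewall profile."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            _state, name, image, stamp = m.groups()
            path = service_image(image)
            if stamp.strip() == "?":
                findings.append((name, "service binary missing or unreadable"))
            if path.lower().endswith(".tmp"):
                findings.append((name, f"service runs from temp file {path}"))
        elif FIREWALL_OFF_RE.match(line):
            findings.append(("standardprofile", "Windows Firewall disabled"))
    return findings


if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_LOG):
        print(f"{subject}: {reason}")
```

A hit here means "look at it", not "malicious": a missing binary can be a leftover registration, and a .tmp driver can belong to a scanner the user ran, so each finding is checked against what is known to be installed.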

Great the redirects should stop now.

=========================

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Fudge. I ran out of time at this location. I will be back this way in about a week and a half and I can continue to work on this. I ran Malwarebytes and it appears clean (see log below), and ran ESET to about 75% complete without infection.

I will have to run both of these again when I am back this way.

I'll let you know. Thanks for your help so far; I believe we are close if not there already.

Malwarebytes' Anti-Malware 1.41

Database version: 3267

Windows 5.1.2600 Service Pack 3

12/1/2009 7:31:48 AM

mbam-log-2009-12-01 (07-31-48).txt

Scan type: Quick Scan

Objects scanned: 120558

Time elapsed: 7 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • 2 weeks later...

I just ran the scans again.

Malwarebytes did not find anything, but eset did. See below.

Malwarebytes' Anti-Malware 1.42

Database version: 3345

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/11/2009 8:33:52 AM

mbam-log-2009-12-11 (08-33-52).txt

Scan type: Quick Scan

Objects scanned: 139120

Time elapsed: 15 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ESET

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=a502bb5dfd41fe4ebb523be5b5a9c1d2

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-11 04:09:14

# local_time=2009-12-11 08:09:14 (-0800, Pacific Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 2647253 2647253 0 0

# compatibility_mode=1024 16777175 100 0 1188902 1188902 0 0

# compatibility_mode=2560 16777215 100 0 0 0 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 1796308 1796308 0 0

# scanned=73861

# found=1

# cleaned=1

# scan_time=2978

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.PY virus (deleted - quarantined) 00000000000000000000000000000000 C


OK, I thought you meant maybe Firefox, as IE is installed on every Windows system.

Try this please:

Open up IE and go to Tools > Internet Options > Advanced.

Then click on the Reset button and choose yes to all of the prompts.

Restart IE, then see if you can change the search engine.


Even if you roll it back to six, it will not affect the programs. It warns of that, but trust me, I have had to do it many times.

If all you have running is AVG and Windows defender I would say lose Windows Defender.

After removing Windows Defender and resetting IE back to 6 (you can reinstall 8 after we get IE to work), let me know how it runs.


Well then IE is on the way out, to be reinstalled later. What about the copies of CCleaner, CWShredder, HijackThis, Malwarebytes Anti-Malware, Spybot Search and Destroy, Spyware Doctor, SUPERAntiSpyware, Windows Malicious Program Remover, AVG Antivirus, Ad-Aware, etc. that I have installed? I figure I should probably just keep the AVG Antivirus unless you have a better suggestion.


Hmmmm.... Are there any free malware programs I could run instead? Budgets are tight.

I rolled back to IE7, everything worked, then upgraded back to IE8. Got MS Essentials installed.

Cleaned up all the misc installations I could. Any recommendations for a free registry cleaner? I am sure mine is full of crud.

Other than that, I am still trying it out. Things seem ok, but have not had much up time on this machine.
