Author Topic: Why do I get "redirected" when doing searches?  (Read 29712 times)

mcummings36

    Topic Starter


    Intermediate

    Why do I get "redirected" when doing searches?
    « on: July 15, 2011, 05:13:52 PM »
    Whenever I use Google or Bing, or really any site to search, when I get my search results and click on one, I ALWAYS, always, always get taken somewhere else. I get "redirect" in the address line, and if I click back, go to the same page and click on the same link, usually I get taken to where I want to go, but most recently, I am not even getting that, I'm getting the redirect again. What the heck is up, and how do I fix it?
    You just pushed my jacka*s button...

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Why do I get "redirected" when doing searches?
    « Reply #1 on: July 16, 2011, 01:26:26 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

    ***************************************************
    Let's run some scans and see what we can pick up.

    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.

    • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:

    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining
    Please leave the others unchecked

    • Click the Close button to leave the control center screen.

    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes

    • To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (preferably Notepad).
    • Save the notepad file to your desktop by clicking (in notepad) File > Save As...

    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Copy and Paste the log in your post.
    ************************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    ***********************************************
    Download DDS from HERE or HERE and save it to your desktop.

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall try to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.

    1) DDS.txt
    2) Attach.txt

    * Save both logs to your desktop.
    * Please copy and paste the entire contents of both logs in your next reply.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copying and pasting it into the reply.
    Windows 8 and Windows 10 dual boot with two SSD's

    mcummings36

      Topic Starter


      Intermediate

      Re: Why do I get "redirected" when doing searches?
      « Reply #2 on: July 20, 2011, 02:42:11 PM »
      Here is the Malwarebytes log

      Malwarebytes' Anti-Malware 1.44
      Database version: 3510
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      7/16/2011 7:32:58 PM
      mbam-log-2011-07-16 (19-32-58).txt

      Scan type: Quick Scan
      Objects scanned: 130332
      Time elapsed: 12 minute(s), 47 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 14
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 4
      Files Infected: 34

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CLASSES_ROOT\pricegongie.pricegongctrl (Adware.PriceGong) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\TypeLib\{8b3372d0-09f0-41a5-8d9b-134e148672fb} (Adware.PriceGong) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{1631550f-191d-4826-b069-d9439253d926} (Adware.PriceGong) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1631550f-191d-4826-b069-d9439253d926} (Adware.PriceGong) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1631550f-191d-4826-b069-d9439253d926} (Adware.PriceGong) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1631550f-191d-4826-b069-d9439253d926} (Adware.PriceGong) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{d2a2595c-4fe4-4315-aa9b-19dbd6271b71} (Adware.PriceGong) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\pricegongie.pricegongctrl.1 (Adware.PriceGong) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\AppID\{835315fc-1bf6-4ca9-80cd-f6c158d40692} (Adware.PriceGong) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pricegong (Adware.PriceGong) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\AppID\PriceGongIE.DLL (Adware.PriceGong) -> Quarantined and deleted successfully.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      C:\Program Files\PriceGong (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Program Files\PriceGong\2.5.0 (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data (Adware.PriceGong) -> Quarantined and deleted successfully.

      Files Infected:
      C:\Program Files\PriceGong\2.5.0\PriceGongIE.dll (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Program Files\PriceGong\uninst.exe (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\1.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\1707.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\2229.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\a.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\b.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\c.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\d.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\e.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\f.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\g.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\h.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\i.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\j.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\k.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\l.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\m.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\mru.xml (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\n.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\o.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\p.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\q.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\r.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\rmwhvozipt.tmp (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\s.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\t.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\u.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\v.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\w.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\wlu.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\x.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\y.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Christopher Apostle\Application Data\PriceGong\Data\z.txt (Adware.PriceGong) -> Quarantined and deleted successfully.
      You just pushed my jacka*s button...

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Why do I get "redirected" when doing searches?
      « Reply #3 on: July 20, 2011, 04:24:28 PM »
      I would also like to see the two logs from DDS.
      Windows 8 and Windows 10 dual boot with two SSD's

      mcummings36

        Topic Starter


        Intermediate

        Re: Why do I get "redirected" when doing searches?
        « Reply #4 on: July 23, 2011, 07:02:52 PM »
        Sorry for the delay in getting the other logs to you, I tried to run Super AntiSpyware, and there apparently is an update I need, but every time I tried to get the update, my computer froze up and I had to literally unplug it to get it back up and running. I tried 3 times before I gave up. I just downloaded the DDS program and will run it when I'm done online this evening. Thanks!
        You just pushed my jacka*s button...

        mcummings36

          Topic Starter


          Intermediate

          Re: Why do I get "redirected" when doing searches?
          « Reply #5 on: August 05, 2011, 03:36:59 AM »
          The DDS program won't run on my computer, first my Norton software said it didn't recommend running it, but I selected the option to do it anyway, and nothing happened. I tried 2 more times, and nothing happens, my computer just sits there. Now what??
          You just pushed my jacka*s button...

          mcummings36

            Topic Starter


            Intermediate

            Re: Why do I get "redirected" when doing searches?
            « Reply #6 on: August 05, 2011, 03:05:05 PM »
            Here are the DDS logs, got it to work this time! :O)

            .
            DDS (Ver_2011-06-23.01) - NTFSx86
            Internet Explorer: 8.0.6001.18702
            Run by Christopher Apostle at 13:59:18 on 2011-08-05
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1534.780 [GMT -7:00]
            .
            AV: Best Malware Protection *Enabled/Updated* {00931B03-34E5-491D-88BB-E0CD08E59204}
            AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
            FW: Best Malware Protection *Enabled*
            FW: Norton Security Suite *Enabled*
            .
            ============== Running Processes ===============
            .
            C:\WINDOWS\system32\svchost -k DcomLaunch
            svchost.exe
            C:\WINDOWS\System32\svchost.exe -k netsvcs
            C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
            svchost.exe
            svchost.exe
            C:\WINDOWS\system32\LEXBCES.EXE
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\system32\LEXPPS.EXE
            svchost.exe
            C:\Program Files\Bonjour\mDNSResponder.exe
            C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
            C:\WINDOWS\system32\svchost.exe -k HPService
            C:\Program Files\Java\jre6\bin\jqs.exe
            C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
            C:\WINDOWS\System32\svchost.exe -k HPZ12
            C:\WINDOWS\System32\svchost.exe -k HPZ12
            C:\WINDOWS\system32\slserv.exe
            C:\WINDOWS\System32\svchost.exe -k imgsvc
            C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
            C:\WINDOWS\system32\fxssvc.exe
            C:\WINDOWS\system32\slrundll.exe
            C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
            C:\WINDOWS\Explorer.EXE
            C:\Program Files\QuickTime\qttask.exe
            C:\WINDOWS\system32\ctfmon.exe
            C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
            C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
            C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
            C:\Program Files\internet explorer\iexplore.exe
            C:\Program Files\Common Files\Real\Update_OB\realsched.exe
            C:\Program Files\internet explorer\iexplore.exe
            C:\Program Files\internet explorer\iexplore.exe
            .
            ============== Pseudo HJT Report ===============
            .
            mSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q=
            uInternet Settings,ProxyOverride = <local>
            uURLSearchHooks: FCToolbarURLSearchHook Class: {4219427b-0228-4356-a78b-eb7668d37d07} - c:\program files\inboxdollars\Helper.dll
            uURLSearchHooks: H - No File
            uURLSearchHooks: H - No File
            uURLSearchHooks: FCToolbarURLSearchHook Class: {3862f31b-b7b2-0854-cd54-ea4726c86127} - c:\program files\relief network lp4\Helper.dll
            BHO: {01e80cff-e023-4b58-8170-7614b541a38d} - c:\windows\system32\atl32.dll
            BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
            BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
            BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
            BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
            BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.3.0.5\IPSBHO.DLL
            BHO: InboxDollars BHO: {6ffb615d-e8ce-4add-8d9f-31c4be9c26e4} - c:\program files\inboxdollars\Toolbar.dll
            BHO: Relief Network LP4: {8ac531c5-dbda-a484-b590-11acb177fe33} - c:\program files\relief network lp4\Toolbar.dll
            BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
            BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
            TB: InboxDollars: {47980628-3844-42aa-a0dd-e2d86bba9600} - c:\program files\inboxdollars\Toolbar.dll
            TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
            TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
            TB: {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No File
            TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
            StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
            uPolicies-explorer: DisallowRun = 1 (0x1)
            uPolicies-disallowrun: 0 = msseces.exe
            uPolicies-disallowrun: 1 = MSASCui.exe
            uPolicies-disallowrun: 2 = ekrn.exe
            uPolicies-disallowrun: 3 = egui.exe
            uPolicies-disallowrun: 4 = avgnt.exe
            uPolicies-disallowrun: 5 = avcenter.exe
            uPolicies-disallowrun: 6 = avscan.exe
            uPolicies-disallowrun: 7 = avgfrw.exe
            uPolicies-disallowrun: 8 = avgui.exe
            uPolicies-disallowrun: 9 = avgtray.exe
            uPolicies-disallowrun: 10 = avgscanx.exe
            uPolicies-disallowrun: 11 = avgcfgex.exe
            uPolicies-disallowrun: 12 = avgemc.exe
            uPolicies-disallowrun: 13 = avgchsvx.exe
            uPolicies-disallowrun: 14 = avgcmgr.exe
            uPolicies-disallowrun: 15 = avgwdsvc.exe
            dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
            dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
            DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
            DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
            DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
            DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
            DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
            DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v46/shared/FunGamesLoader.cab
            DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - hxxp://download.ebay.com/turbo_lister/US/install.cab
            DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
            DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader55.cab
            DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
            DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
            DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
            DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
            DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
            DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
            DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
            DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://toolbar.google.com/data/GoogleActivate.cab
            DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
            DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
            DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
            DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
            DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
            DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
            DPF: {D27CDB6E-AE6D-11CF-96B8-444553557800} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
            DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
            DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
            DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
            TCP: DhcpNameServer = 68.87.69.150 68.87.85.102
            TCP: Interfaces\{F500DACA-6E77-47CD-8C9C-533178948DB3} : DhcpNameServer = 68.87.69.150 68.87.85.102
            Filter: text/html - {c090f857-486e-484b-be66-42c965d51d4c} -
            Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
            Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
            Notify: igfxcui - igfxsrvc.dll
            SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
            SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
            IFEO: OLT.exe - svchost.exe
            Hosts: 173.236.107.249 www.google.com
            Hosts: 173.236.107.249 www.google.com.au
            Hosts: 173.236.107.249 www.google.be
            Hosts: 173.236.107.249 www.google.com.br
            Hosts: 173.236.107.249 www.google.ca
            .
            Note: multiple HOSTS entries found. Please refer to Attach.txt
            .
            ============= SERVICES / DRIVERS ===============
            .
            R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2011-4-17 328752]
            R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2011-4-17 173104]
            R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110723.001\BHDrvx86.sys [2011-8-1 815736]
            R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2011-4-17 501888]
            R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]
            R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
            R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2011-4-17 116784]
            R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.3.0.5\ccsvchst.exe [2011-4-17 126392]
            R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-1 105592]
            R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110729.030\IDSXpx86.sys [2011-8-1 355256]
            R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110731.003\NAVENG.SYS [2011-8-1 86008]
            R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110731.003\NAVEX15.SYS [2011-8-1 1542392]
            S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]
            S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2004-7-1 95232]
            S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
            S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
            S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
            SUnknown Browser32;Browser32;

            .
            =============== Created Last 30 ================
            .
            2011-07-31 18:49:50   467968   ----a-w-   c:\windows\system32\atl32.dll
            2011-07-19 00:54:24   --------   d--h--w-   c:\windows\system32\GroupPolicy
            2011-07-16 09:16:24   --------   d-----w-   c:\documents and settings\christopher apostle\application data\W3i, LLC
            2011-07-16 09:15:59   --------   d-----w-   c:\program files\DealRunner
            2011-07-16 09:15:28   --------   d-sh--w-   c:\windows\system32\AI_RecycleBin
            2011-07-16 09:14:45   --------   d-----w-   c:\documents and settings\christopher apostle\application data\FCTB000100377
            2011-07-16 09:14:39   --------   d-----w-   c:\program files\W3i
            2011-07-16 09:14:38   --------   d-----w-   c:\documents and settings\all users\application data\W3i
            2011-07-16 09:11:35   --------   d-----w-   c:\program files\Relief Network LP4
            2011-07-16 00:29:08   0   ---ha-w-   c:\documents and settings\christopher apostle\rmwhvozipt.tmp
            .
            ==================== Find3M  ====================
            .
            2011-06-02 14:02:05   1858944   ----a-w-   c:\windows\system32\win32k.sys
            2002-08-29 10:00:00   94784   -csh--w-   c:\windows\TWAIN.DLL
            2008-04-14 00:12:07   50688   --sh--w-   c:\windows\twain_32.dll
            2008-04-14 00:12:32   11776   --sh--w-   c:\windows\system32\regsvr32.exe
            .
            ============= FINISH: 14:01:48.14 ===============



            .
            UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
            IF REQUESTED, ZIP IT UP & ATTACH IT
            .
            DDS (Ver_2011-06-23.01)
            .
            Microsoft Windows XP Professional
            Boot Device: \Device\HarddiskVolume2
            Install Date: 7/28/2003 9:35:05 AM
            System Uptime: 8/3/2011 5:13:37 AM (57 hours ago)
            .
            Motherboard: Dell Computer Corp. |  | 0G1548
            Processor:               Intel(R) Pentium(R) 4 CPU 2.20GHz | Microprocessor | 2193/400mhz
            .
            ==== Disk Partitions =========================
            .
            A: is Removable
            C: is FIXED (NTFS) - 38 GiB total, 14.621 GiB free.
            D: is CDROM ()
            .
            ==== Disabled Device Manager Items =============
            .
            Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
            Description: Instant Wireless-B PCI Adapter
            Device ID: PCI\VEN_17FE&DEV_2120&SUBSYS_00201737&REV_00\4&3B1CAF2B&0&20F0
            Manufacturer: Linksys
            Name: Instant Wireless-B PCI Adapter
            PNP Device ID: PCI\VEN_17FE&DEV_2120&SUBSYS_00201737&REV_00\4&3B1CAF2B&0&20F0
            Service: IPN2120
            .
            ==== System Restore Points ===================
            .
            RP2503: 6/16/2011 3:52:34 AM - Removed Bing Bar
            RP2504: 6/17/2011 3:53:16 AM - System Checkpoint
            RP2505: 6/18/2011 2:38:50 PM - System Checkpoint
            RP2506: 6/19/2011 2:46:58 PM - System Checkpoint
            RP2507: 6/20/2011 8:21:35 PM - System Checkpoint
            RP2508: 6/21/2011 9:27:24 PM - System Checkpoint
            RP2509: 6/22/2011 9:49:19 PM - System Checkpoint
            RP2510: 6/24/2011 1:54:44 AM - System Checkpoint
            RP2511: 6/25/2011 11:32:41 PM - System Checkpoint
            RP2512: 6/27/2011 5:14:50 AM - System Checkpoint
            RP2513: 6/28/2011 8:10:13 AM - System Checkpoint
            RP2514: 6/28/2011 5:15:34 PM - Software Distribution Service 3.0
            RP2515: 6/29/2011 5:33:01 PM - System Checkpoint
            RP2516: 6/30/2011 6:26:24 PM - System Checkpoint
            RP2517: 7/1/2011 10:21:16 PM - System Checkpoint
            RP2518: 7/2/2011 11:19:36 PM - System Checkpoint
            RP2519: 7/3/2011 11:27:53 PM - System Checkpoint
            RP2520: 7/5/2011 5:35:32 PM - System Checkpoint
            RP2521: 7/6/2011 5:57:44 PM - System Checkpoint
            RP2522: 7/8/2011 6:11:41 AM - System Checkpoint
            RP2523: 7/9/2011 7:11:22 AM - System Checkpoint
            RP2524: 7/10/2011 10:50:51 AM - System Checkpoint
            RP2525: 7/11/2011 10:55:34 AM - System Checkpoint
            RP2526: 7/12/2011 12:00:51 PM - System Checkpoint
            RP2527: 7/13/2011 12:56:40 PM - System Checkpoint
            RP2528: 7/13/2011 9:48:56 PM - Software Distribution Service 3.0
            RP2529: 7/14/2011 10:27:42 PM - System Checkpoint
            RP2530: 7/16/2011 1:57:52 AM - System Checkpoint
            RP2531: 7/16/2011 2:43:37 AM - Removed Boatload of Crosswords
            RP2532: 7/16/2011 2:49:43 AM - Removed Music Oasis
            RP2533: 7/17/2011 3:40:55 AM - System Checkpoint
            RP2534: 7/18/2011 6:10:24 AM - System Checkpoint
            RP2535: 7/19/2011 2:00:56 PM - System Checkpoint
            RP2536: 7/20/2011 2:44:47 PM - System Checkpoint
            RP2537: 7/21/2011 3:14:37 PM - System Checkpoint
            RP2538: 7/22/2011 4:15:27 PM - System Checkpoint
            RP2539: 7/23/2011 7:29:08 AM - Removed Desktop Doctor
            RP2540: 7/24/2011 7:56:40 AM - System Checkpoint
            RP2541: 7/25/2011 8:20:55 AM - System Checkpoint
            RP2542: 7/26/2011 9:02:18 AM - System Checkpoint
            RP2543: 7/27/2011 8:00:17 PM - System Checkpoint
            RP2544: 7/28/2011 8:37:18 PM - System Checkpoint
            RP2545: 7/29/2011 9:47:11 PM - System Checkpoint
            RP2546: 7/31/2011 5:52:57 PM - System Checkpoint
            RP2547: 8/1/2011 6:22:07 PM - System Checkpoint
            RP2548: 8/2/2011 7:15:57 PM - System Checkpoint
            RP2549: 8/3/2011 7:18:25 PM - System Checkpoint
            RP2550: 8/4/2011 8:56:24 PM - System Checkpoint
            .
            ==== Hosts File Hijack ======================
            .
            Hosts: 173.236.107.249 www.google.com
            Hosts: 173.236.107.249 www.google.com.au
            Hosts: 173.236.107.249 www.google.be
            Hosts: 173.236.107.249 www.google.com.br
            Hosts: 173.236.107.249 www.google.ca
            Hosts: 173.236.107.249 www.google.ch
            Hosts: 173.236.107.249 www.google.de
            Hosts: 173.236.107.249 www.google.dk
            Hosts: 173.236.107.249 www.google.fr
            Hosts: 173.236.107.249 www.google.ie
            Hosts: 173.236.107.249 www.google.it
            Hosts: 173.236.107.249 www.google.co.jp
            Hosts: 173.236.107.249 www.google.nl
            Hosts: 173.236.107.249 www.google.no
            Hosts: 173.236.107.249 www.google.co.nz
            Hosts: 173.236.107.249 www.google.pl
            Hosts: 173.236.107.249 www.google.se
            Hosts: 173.236.107.249 www.google.co.uk
            Hosts: 173.236.107.249 www.google.co.za
            Hosts: 173.236.107.249 www.bing.com
            Hosts: 173.236.107.249 search.yahoo.com
            Hosts: 173.236.107.249 uk.search.yahoo.com
            Hosts: 173.236.107.249 ca.search.yahoo.com
            Hosts: 173.236.107.249 de.search.yahoo.com
            Hosts: 173.236.107.249 fr.search.yahoo.com
            Hosts: 173.236.107.249 au.search.yahoo.com
            Hosts: 173.236.107.249 www.google-analytics.com
            .
            ==== Installed Programs ======================
            .
            .
            32 Bit HP CIO Components Installer
            6000E609_BasicWeb
            6000E609_Help_BasicWeb
            Acrobat.com
            Adobe AIR
            Adobe Anchor Service CS3
            Adobe Asset Services CS3
            Adobe Bridge CS3
            Adobe Bridge Start Meeting
            Adobe Camera Raw 4.0
            Adobe CMaps
            Adobe Color - Photoshop Specific
            Adobe Color Common Settings
            Adobe Color EU Extra Settings
            Adobe Color JA Extra Settings
            Adobe Color NA Recommended Settings
            Adobe Default Language CS3
            Adobe Device Central CS3
            Adobe ExtendScript Toolkit 2
            Adobe Flash Player 10 ActiveX
            Adobe Flash Player 10 Plugin
            Adobe Fonts All
            Adobe Help Viewer CS3
            Adobe Linguistics CS3
            Adobe PDF Library Files
            Adobe Photoshop CS3
            Adobe Reader 9.4.5
            Adobe Setup
            Adobe Shockwave Player
            Adobe Stock Photos CS3
            Adobe Type Support
            Adobe Update Manager CS3
            Adobe Version Cue CS3 Client
            Adobe WinSoft Linguistics Plugin
            Adobe XMP Panels CS3
            Banctec Service Agreement
            BPDSoftware_Ini
            CCleaner (remove only)
            Comcast Desktop Software (v1.2.0.9)
            Compatibility Pack for the 2007 Office system
            ContentSAFER for Wizmax
            CP_Package_Variety1
            CP_Package_Variety2
            CP_Package_Variety3
            Critical Update for Windows Media Player 11 (KB959772)
            CustomerResearchQFolder
            DealRunner 1.25
            Dell ResourceCD
            Destinations
            DeviceDiscovery
            DeviceManagementQFolder
            DocProc
            Easy CD Creator 5 Basic
            ESET Online Scanner v3
            eSupportQFolder
            GdiplusUpgrade
            Help and Support Customization
            HijackThis 2.0.2
            Homestead SiteBuilder LPX
            Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
            Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
            Hotfix for Windows Internet Explorer 7 (KB947864)
            Hotfix for Windows Media Format 11 SDK (KB929399)
            Hotfix for Windows Media Player 11 (KB939683)
            Hotfix for Windows XP (KB2443685)
            Hotfix for Windows XP (KB952287)
            Hotfix for Windows XP (KB954550-v5)
            Hotfix for Windows XP (KB961118)
            Hotfix for Windows XP (KB970653-v3)
            Hotfix for Windows XP (KB976098-v2)
            Hotfix for Windows XP (KB979306)
            Hotfix for Windows XP (KB981793)
            HP Driver Diagnostics
            HP Extended Capabilities 5.3
            HP Image Zone Express
            HP Imaging Device Functions 12.0
            HP Officejet 6000 E609 Series
            HP Share-to-Web
            HP Software Update
            HP Solution Center & Imaging Support Tools 5.3
            HPProductAssistant
            InboxDollars
            InstallIQ Updater
            Intel(R) Extreme Graphics Driver
            Invoices
            Itibiti RTC
            Java(TM) 6 Update 17
            Malwarebytes' Anti-Malware
            Managed DirectX (0900)
            MarketResearch
            McAfee Security Scan Plus
            Microsoft .NET Framework 1.1
            Microsoft .NET Framework 1.1 Security Update (KB2416447)
            Microsoft .NET Framework 1.1 Security Update (KB979906)
            Microsoft .NET Framework 2.0 Service Pack 2
            Microsoft .NET Framework 3.0 Service Pack 2
            Microsoft .NET Framework 3.5 SP1
            Microsoft Compression Client Pack 1.0 for Windows XP
            Microsoft Data Access Components KB870669
            Microsoft Internationalized Domain Names Mitigation APIs
            Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
            Microsoft National Language Support Downlevel APIs
            Microsoft Office 2007 Service Pack 2 (SP2)
            Microsoft Office Access 2003 Runtime
            Microsoft Office Excel MUI (English) 2007
            Microsoft Office File Validation Add-In
            Microsoft Office Home and Student 2007
            Microsoft Office OneNote MUI (English) 2007
            Microsoft Office PowerPoint MUI (English) 2007
            Microsoft Office Proof (English) 2007
            Microsoft Office Proof (French) 2007
            Microsoft Office Proof (Spanish) 2007
            Microsoft Office Proofing (English) 2007
            Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
            Microsoft Office Shared MUI (English) 2007
            Microsoft Office Shared Setup Metadata MUI (English) 2007
            Microsoft Office Standard Edition 2003
            Microsoft Office Word MUI (English) 2007
            Microsoft Picture It! Express 7.0
            Microsoft Silverlight
            Microsoft Software Update for Web Folders  (English) 12
            Microsoft User-Mode Driver Framework Feature Pack 1.0
            Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
            Microsoft Visual C++ 2005 Redistributable
            Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
            Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
            Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
            Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
            MicroStaff WINASPI
            Mirar
            MSXML 4.0
            MSXML 4.0 SP2 (KB954430)
            MSXML 4.0 SP2 (KB973688)
            Network
            Norton Security Suite
            OGA Notifier 2.0.0048.0
            Paint Shop Pro 7
            PDF Settings
            PokerStars.net
            QuickTime
            RAW FILE CONVERTER LE
            RealPlayer
            RealUpgrade 1.0
            Relief Network LP4
            Scan
            ScannerCopy
            Secure Game Player
            Security Update for 2007 Microsoft Office System (KB2288621)
            Security Update for 2007 Microsoft Office System (KB2288931)
            Security Update for 2007 Microsoft Office System (KB2345043)
            Security Update for 2007 Microsoft Office System (KB2509488)
            Security Update for 2007 Microsoft Office System (KB969559)
            Security Update for 2007 Microsoft Office System (KB976321)
            Security Update for CAPICOM (KB931906)
            Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
            Security Update for Microsoft Office 2007 System (KB2541012)
            Security Update for Microsoft Office Excel 2007 (KB2541007)
            Security Update for Microsoft Office InfoPath 2007 (KB979441)
            Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
            Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
            Security Update for Microsoft Office system 2007 (972581)
            Security Update for Microsoft Office system 2007 (KB974234)
            Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
            Security Update for Microsoft Office Word 2007 (KB2344993)
            Security Update for Step By Step Interactive Training (KB898458)
            Security Update for Step By Step Interactive Training (KB923723)
            Security Update for Windows Internet Explorer 7 (KB928090)
            Security Update for Windows Internet Explorer 7 (KB929969)
            Security Update for Windows Internet Explorer 7 (KB931768)
            Security Update for Windows Internet Explorer 7 (KB933566)
            Security Update for Windows Internet Explorer 7 (KB937143)
            Security Update for Windows Internet Explorer 7 (KB938127)
            Security Update for Windows Internet Explorer 7 (KB939653)
            Security Update for Windows Internet Explorer 7 (KB942615)
            Security Update for Windows Internet Explorer 7 (KB944533)
            Security Update for Windows Internet Explorer 7 (KB953838)
            Security Update for Windows Internet Explorer 7 (KB956390)
            Security Update for Windows Internet Explorer 7 (KB958215)
            Security Update for Windows Internet Explorer 7 (KB960714)
            Security Update for Windows Internet Explorer 7 (KB961260)
            Security Update for Windows Internet Explorer 7 (KB963027)
            Security Update for Windows Internet Explorer 7 (KB969897)
            Security Update for Windows Internet Explorer 7 (KB972260)
            Security Update for Windows Internet Explorer 7 (KB974455)
            Security Update for Windows Internet Explorer 8 (KB2183461)
            Security Update for Windows Internet Explorer 8 (KB2482017)
            Security Update for Windows Internet Explorer 8 (KB2497640)
            Security Update for Windows Internet Explorer 8 (KB2510531)
            Security Update for Windows Internet Explorer 8 (KB2530548)
            Security Update for Windows Internet Explorer 8 (KB2544521)
            Security Update for Windows Internet Explorer 8 (KB971961)
            Security Update for Windows Internet Explorer 8 (KB974455)
            Security Update for Windows Internet Explorer 8 (KB976325)
            Security Update for Windows Internet Explorer 8 (KB978207)
            Security Update for Windows Internet Explorer 8 (KB981332)
            Security Update for Windows Internet Explorer 8 (KB982381)
            Security Update for Windows Media Player (KB2378111)
            Security Update for Windows Media Player (KB911564)
            Security Update for Windows Media Player (KB952069)
            Security Update for Windows Media Player (KB954155)
            Security Update for Windows Media Player (KB968816)
            Security Update for Windows Media Player (KB973540)
            Security Update for Windows Media Player (KB975558)
            Security Update for Windows Media Player (KB978695)
            Security Update for Windows Media Player 10 (KB911565)
            Security Update for Windows Media Player 10 (KB917734)
            Security Update for Windows Media Player 11 (KB936782)
            Security Update for Windows Media Player 11 (KB954154)
            Security Update for Windows Media Player 6.4 (KB925398)
            Security Update for Windows XP (KB2079403)
            Security Update for Windows XP (KB2115168)
            Security Update for Windows XP (KB2121546)
            Security Update for Windows XP (KB2160329)
            Security Update for Windows XP (KB2229593)
            Security Update for Windows XP (KB2259922)
            Security Update for Windows XP (KB2286198)
            Security Update for Windows XP (KB2296011)
            Security Update for Windows XP (KB2347290)
            Security Update for Windows XP (KB2360937)
            Security Update for Windows XP (KB2387149)
            Security Update for Windows XP (KB2393802)
            Security Update for Windows XP (KB2412687)
            Security Update for Windows XP (KB2419632)
            Security Update for Windows XP (KB2423089)
            Security Update for Windows XP (KB2440591)
            Security Update for Windows XP (KB2443105)
            Security Update for Windows XP (KB2476490)
            Security Update for Windows XP (KB2476687)
            Security Update for Windows XP (KB2478960)
            Security Update for Windows XP (KB2478971)
            Security Update for Windows XP (KB2479628)
            Security Update for Windows XP (KB2479943)
            Security Update for Windows XP (KB2481109)
            Security Update for Windows XP (KB2483185)
            Security Update for Windows XP (KB2485376)
            Security Update for Windows XP (KB2485663)
            Security Update for Windows XP (KB2491683)
            Security Update for Windows XP (KB2503658)
            Security Update for Windows XP (KB2503665)
            Security Update for Windows XP (KB2506212)
            Security Update for Windows XP (KB2506223)
            Security Update for Windows XP (KB2507618)
            Security Update for Windows XP (KB2507938)
            Security Update for Windows XP (KB2508272)
            Security Update for Windows XP (KB2508429)
            Security Update for Windows XP (KB2509553)
            Security Update for Windows XP (KB2511455)
            Security Update for Windows XP (KB2524375)
            Security Update for Windows XP (KB2535512)
            Security Update for Windows XP (KB2536276)
            Security Update for Windows XP (KB2544893)
            Security Update for Windows XP (KB2555917)
            Security Update for Windows XP (KB923561)
            Security Update for Windows XP (KB923689)
            Security Update for Windows XP (KB938464-v2)
            Security Update for Windows XP (KB938464)
            Security Update for Windows XP (KB941569)
            Security Update for Windows XP (KB946648)
            Security Update for Windows XP (KB950762)
            Security Update for Windows XP (KB950974)
            Security Update for Windows XP (KB951066)
            Security Update for Windows XP (KB951376-v2)
            Security Update for Windows XP (KB951698)
            Security Update for Windows XP (KB951748)
            Security Update for Windows XP (KB952004)
            Security Update for Windows XP (KB952954)
            Security Update for Windows XP (KB953839)
            Security Update for Windows XP (KB954211)
            Security Update for Windows XP (KB954459)
            Security Update for Windows XP (KB954600)
            Security Update for Windows XP (KB955069)
            Security Update for Windows XP (KB956391)
            Security Update for Windows XP (KB956572)
            Security Update for Windows XP (KB956744)
            Security Update for Windows XP (KB956802)
            Security Update for Windows XP (KB956803)
            Security Update for Windows XP (KB956841)
            Security Update for Windows XP (KB956844)
            Security Update for Windows XP (KB957095)
            Security Update for Windows XP (KB957097)
            Security Update for Windows XP (KB958644)
            Security Update for Windows XP (KB958687)
            Security Update for Windows XP (KB958690)
            Security Update for Windows XP (KB958869)
            Security Update for Windows XP (KB959426)
            Security Update for Windows XP (KB960225)
            Security Update for Windows XP (KB960715)
            Security Update for Windows XP (KB960803)
            Security Update for Windows XP (KB960859)
            Security Update for Windows XP (KB961371)
            Security Update for Windows XP (KB961373)
            Security Update for Windows XP (KB961501)
            Security Update for Windows XP (KB968537)
            Security Update for Windows XP (KB969059)
            Security Update for Windows XP (KB969898)
            Security Update for Windows XP (KB969947)
            Security Update for Windows XP (KB970238)
            Security Update for Windows XP (KB970430)
            Security Update for Windows XP (KB971468)
            Security Update for Windows XP (KB971486)
            Security Update for Windows XP (KB971557)
            Security Update for Windows XP (KB971633)
            Security Update for Windows XP (KB971657)
            Security Update for Windows XP (KB971961)
            Security Update for Windows XP (KB972270)
            Security Update for Windows XP (KB973346)
            Security Update for Windows XP (KB973354)
            Security Update for Windows XP (KB973507)
            Security Update for Windows XP (KB973525)
            Security Update for Windows XP (KB973869)
            Security Update for Windows XP (KB973904)
            Security Update for Windows XP (KB974112)
            Security Update for Windows XP (KB974318)
            Security Update for Windows XP (KB974392)
            Security Update for Windows XP (KB974571)
            Security Update for Windows XP (KB975025)
            Security Update for Windows XP (KB975467)
            Security Update for Windows XP (KB975560)
            Security Update for Windows XP (KB975561)
            Security Update for Windows XP (KB975562)
            Security Update for Windows XP (KB975713)
            Security Update for Windows XP (KB977165)
            Security Update for Windows XP (KB977816)
            Security Update for Windows XP (KB977914)
            Security Update for Windows XP (KB978037)
            Security Update for Windows XP (KB978251)
            Security Update for Windows XP (KB978262)
            Security Update for Windows XP (KB978338)
            Security Update for Windows XP (KB978542)
            Security Update for Windows XP (KB978601)
            Security Update for Windows XP (KB978706)
            Security Update for Windows XP (KB979309)
            Security Update for Windows XP (KB979482)
            Security Update for Windows XP (KB979559)
            Security Update for Windows XP (KB979683)
            Security Update for Windows XP (KB979687)
            Security Update for Windows XP (KB980195)
            Security Update for Windows XP (KB980218)
            Security Update for Windows XP (KB980232)
            Security Update for Windows XP (KB980436)
            Security Update for Windows XP (KB981322)
            Security Update for Windows XP (KB981852)
            Security Update for Windows XP (KB981997)
            Security Update for Windows XP (KB982132)
            Security Update for Windows XP (KB982214)
            Security Update for Windows XP (KB982665)
            Smart Link 56K Voice Modem
            SolutionCenter
            Status
            SUPERAntiSpyware Free Edition
            Symantec Technical Support Web Controls
            Toolbox
            TrayApp
            Unload
            Update for 2007 Microsoft Office System (KB967642)
            Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
            Update for Microsoft Office 2007 System (KB2539530)
            Update for Microsoft Office OneNote 2007 (KB980729)
            Update for Windows Internet Explorer 7 (KB976749)
            Update for Windows Internet Explorer 8 (KB975364)
            Update for Windows Internet Explorer 8 (KB976662)
            Update for Windows Internet Explorer 8 (KB976749)
            Update for Windows Internet Explorer 8 (KB980182)
            Update for Windows XP (KB2141007)
            Update for Windows XP (KB2345886)
            Update for Windows XP (KB2541763)
            Update for Windows XP (KB951072-v2)
            Update for Windows XP (KB951978)
            Update for Windows XP (KB955759)
            Update for Windows XP (KB955839)
            Update for Windows XP (KB967715)
            Update for Windows XP (KB968389)
            Update for Windows XP (KB971029)
            Update for Windows XP (KB971737)
            Update for Windows XP (KB973687)
            Update for Windows XP (KB973815)
            Visual C++ 8.0 CRT (x86) WinSXS MSM
            WebFldrs XP
            WebReg
            Windows Genuine Advantage Notifications (KB905474)
            Windows Internet Explorer 7
            Windows Internet Explorer 8
            Windows Media Format 11 runtime
            Windows Media Player 11
            Windows XP Service Pack 3
            Yahoo! Software Update
            .
            ==== Event Viewer Messages From Past Week ========
            .
            8/5/2011 1:59:24 PM, error: Service Control Manager [7016]  - The SmartLinkService service has reported an invalid current state 0.
            8/3/2011 10:41:19 PM, error: Service Control Manager [7034]  - The Computer Browser  service terminated unexpectedly.  It has done this 1 time(s).
            .
            ==== End Of File ===========================
            You just pushed my jacka*s button...

            SuperDave

            Re: Why do I get "redirected" when doing searches?
            « Reply #7 on: August 05, 2011, 05:16:04 PM »
            I see you are running Poker Stars. Poker Stars has a history of distributing spyware in their products. However, security experts still question this program as good or bad. I recommend removing it to prevent spyware, but it is up to you to decide if you want to keep it.

            If you would like to uninstall it, do so as follows:

            Press Start, and navigate to the Control Panel. When in the control panel enter Add or Remove programs. Search for and locate PokerStars, and either click Change/Remove or Remove.
            ***********************************************************
            Please go to Jotti's malware scan
            (If more than one file needs to be scanned, they must be done separately and links posted for each one)

            * Copy the file path in the below Code box:

            Code:
            c:\windows\system32\atl32.dll
             

            * At the upload site, click once inside the window next to Browse.
            * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
            * Next click Submit file
            * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
            * This will perform a scan across multiple different virus scanning engines.
            * Important: Wait for all of the scanning engines to complete.
            * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
            *********************************************************
            Download OTL to your desktop.

            * Open OTL
            * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

            Code:
            :OTL
            uURLSearchHooks: H - No File
            uURLSearchHooks: H - No File
            BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
            TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
            TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
            TB: {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No File
            TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

            :Files
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\docume~1\christ~1\locals~1\temp\nsf828.tmp\temp00
            c:\documents and settings\christopher apostle\rmwhvozipt.tmp

            :COMMANDS
            [resethosts]
            [purity]
            [emptytemp]
            [start explorer]

            * Click Run Fix
            * OTLI2 may ask to reboot the machine. Please do so if asked.
            * Click OK
            * A report will open. Copy and Paste that report in your next reply.
            **********************************************************
            Please download ComboFix from BleepingComputer.com

            Alternate link: GeeksToGo.com

            and save it to your Desktop.
            It would be easiest to download using Internet Explorer.
            If you insist on using Firefox, make sure that your download settings are as follows:

            * Tools->Options->Main tab
            * Set to "Always ask me where to Save the files".

            Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
            Double click ComboFix.exe & follow the prompts.
            As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
            Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

            Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

            Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


            Click on Yes, to continue scanning for malware.
            When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

            If you have problems with ComboFix usage, see How to use ComboFix
            Windows 8 and Windows 10 dual boot with two SSD's
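The DDS log earlier in the thread has a "Hosts File Hijack" section in which many search domains map to one address, and the OTL script above includes [resethosts]. The Python sketch below is an added example, not part of the thread or of any tool named in it: it flags that pattern in a hosts file or in pasted `Hosts:` log lines. The watched names, the function names and the sample input are assumptions constructed for illustration.

```python
"""Flag hosts-file entries that pin search-engine names to a non-loopback address."""
import ipaddress
from collections import defaultdict

# Assumption: names worth watching, modelled on the providers seen in the log.
WATCHED_LABELS = {"google", "bing", "google-analytics"}
WATCHED_SUFFIXES = ("search.yahoo.com",)

# Constructed sample input (documentation address ranges, not real indicators).
SAMPLE = """\
# Constructed sample, not taken from a real machine
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test      # blocklist-style entry, benign
203.0.113.10    www.google.com www.google.co.uk
203.0.113.10\twww.bing.com
Hosts: 203.0.113.10 search.yahoo.com
192.0.2.7       intranet.example.test
not-an-ip       www.google.de
127.0.0.1       www.google-analytics.com
"""


def is_watched(host):
    """True if the hostname belongs to one of the watched search providers."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
        return True
    return any(label in WATCHED_LABELS for label in host.split("."))


def parse_hosts(text):
    """Return (entries, rejected).

    entries  : list of (line_number, ip_address_object, [hostnames])
    rejected : list of (line_number, stripped_line) that could not be parsed
    Accepts raw hosts-file lines and lines carrying the "Hosts:" prefix
    that the DDS log uses.
    """
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.lower().startswith("hosts:"):        # DDS log prefix
            line = line[len("hosts:"):].strip()
        if not line:
            continue
        fields = line.split()                        # spaces or tabs
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            rejected.append((lineno, raw.strip()))
            continue
        if len(fields) < 2:                          # address with no name
            rejected.append((lineno, raw.strip()))
            continue
        entries.append((lineno, addr, fields[1:]))
    return entries, rejected


def find_hijacks(text):
    """Map each non-loopback address to the watched names it overrides.

    Loopback and 0.0.0.0 entries are skipped: they block a name rather
    than redirect it, which is how ad-blocking hosts files work.
    """
    entries, _ = parse_hosts(text)
    hits = defaultdict(set)
    for _lineno, addr, names in entries:
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in names:
            if is_watched(name):
                hits[str(addr)].add(name.lower())
    return {ip: sorted(names) for ip, names in hits.items()}


def report(text):
    """Build human-readable findings, one line per suspicious address."""
    lines = []
    for ip, names in sorted(find_hijacks(text).items()):
        lines.append(f"{ip} overrides {len(names)} search name(s): {', '.join(names)}")
    _, rejected = parse_hosts(text)
    for lineno, raw in rejected:
        lines.append(f"line {lineno}: unparseable entry: {raw}")
    return lines


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts;
    # here the constructed sample is checked instead.
    for line in report(SAMPLE):
        print(line)
```

A single address that overrides several unrelated search providers is the signal to act on; after a cleanup, an empty result from `find_hijacks` on the live file confirms the reset took effect.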

            mcummings36


              Re: Why do I get "redirected" when doing searches?
              « Reply #8 on: August 06, 2011, 08:31:45 PM »
              Here is the Combo Fix log, but that pop up box about the Microsoft  recovery console never came up??


              ComboFix 11-08-06.02 - Christopher Apostle 08/06/2011  18:41:55.5.1 - x86
              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1534.911 [GMT -7:00]
              Running from: c:\documents and settings\Christopher Apostle\Desktop\ComboFix.exe
              AV: Norton Security Suite *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
              FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
              .
              .
              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              c:\documents and settings\Christopher Apostle\Application Data\Best Malware Protection
              c:\documents and settings\Christopher Apostle\Application Data\Best Malware Protection\Instructions.ini
              c:\documents and settings\Christopher Apostle\Application Data\Microsoft\Internet Explorer\Quick Launch\Best Malware Protection.lnk
              c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\extensions\{94ff6f28-65cc-41f1-bdfd-8ce7df32987e}
              c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\extensions\{94ff6f28-65cc-41f1-bdfd-8ce7df32987e}\chrome.manifest
              c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\extensions\{94ff6f28-65cc-41f1-bdfd-8ce7df32987e}\chrome\xulcache.jar
              c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\extensions\{94ff6f28-65cc-41f1-bdfd-8ce7df32987e}\defaults\preferences\xulcache.js
              c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\extensions\{94ff6f28-65cc-41f1-bdfd-8ce7df32987e}\install.rdf
              c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\extensions\{d6779030-8a64-4bce-bb74-dd324cd88ed1}
              c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\extensions\{d6779030-8a64-4bce-bb74-dd324cd88ed1}\chrome.manifest
              c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\extensions\{d6779030-8a64-4bce-bb74-dd324cd88ed1}\chrome\xulcache.jar
              c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\extensions\{d6779030-8a64-4bce-bb74-dd324cd88ed1}\defaults\preferences\xulcache.js
              c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\extensions\{d6779030-8a64-4bce-bb74-dd324cd88ed1}\install.rdf
              c:\documents and settings\Christopher Apostle\Recent\ANTIGEN.exe
              c:\documents and settings\Christopher Apostle\Recent\cid.exe
              c:\documents and settings\Christopher Apostle\Recent\CLSV.drv
              c:\documents and settings\Christopher Apostle\Recent\CLSV.sys
              c:\documents and settings\Christopher Apostle\Recent\DBOLE.tmp
              c:\documents and settings\Christopher Apostle\Recent\ddv.exe
              c:\documents and settings\Christopher Apostle\Recent\ddv.sys
              c:\documents and settings\Christopher Apostle\Recent\eb.dll
              c:\documents and settings\Christopher Apostle\Recent\eb.drv
              c:\documents and settings\Christopher Apostle\Recent\energy.dll
              c:\documents and settings\Christopher Apostle\Recent\exec.drv
              c:\documents and settings\Christopher Apostle\Recent\exec.exe
              c:\documents and settings\Christopher Apostle\Recent\exec.sys
              c:\documents and settings\Christopher Apostle\Recent\fan.tmp
              c:\documents and settings\Christopher Apostle\Recent\fix.sys
              c:\documents and settings\Christopher Apostle\Recent\FS.tmp
              c:\documents and settings\Christopher Apostle\Recent\hymt.sys
              c:\documents and settings\Christopher Apostle\Recent\kernel32.dll
              c:\documents and settings\Christopher Apostle\Recent\kernel32.tmp
              c:\documents and settings\Christopher Apostle\Recent\PE.exe
              c:\documents and settings\Christopher Apostle\Recent\PE.sys
              c:\documents and settings\Christopher Apostle\Recent\PE.tmp
              c:\documents and settings\Christopher Apostle\Recent\ppal.drv
              c:\documents and settings\Christopher Apostle\Recent\runddlkey.exe
              c:\documents and settings\Christopher Apostle\Recent\sld.tmp
              c:\documents and settings\Christopher Apostle\Recent\tjd.dll
              c:\documents and settings\Christopher Apostle\Recent\tjd.tmp
              c:\documents and settings\Christopher Apostle\rmwhvozipt.tmp
              c:\documents and settings\Christopher Apostle\Start Menu\Best Malware Protection.lnk
              c:\documents and settings\Christopher Apostle\Start Menu\Programs\Best Malware Protection.lnk
              c:\documents and settings\Christopher Apostle\WINDOWS
              c:\program files\messenger\msmsgsin.exe
              c:\program files\Shared
              c:\program files\Shared\shared.sig
              .
              Infected copy of c:\windows\system32\drivers\WudfPf.sys was found and disinfected
              Restored copy from - Kitty had a snack :p
              .
              (((((((((((((((((((((((((   Files Created from 2011-07-07 to 2011-08-07  )))))))))))))))))))))))))))))))
              .
              .
              2011-07-31 18:49 . 2011-07-31 18:49   467968   ----a-w-   c:\windows\system32\atl32.dll
              2011-07-19 00:54 . 2011-07-19 00:54   --------   d--h--w-   c:\windows\system32\GroupPolicy
              2011-07-16 09:16 . 2011-07-16 09:16   --------   d-----w-   c:\documents and settings\Christopher Apostle\Application Data\W3i, LLC
              2011-07-16 09:15 . 2011-07-16 09:16   --------   d-----w-   c:\program files\DealRunner
              2011-07-16 09:15 . 2011-07-16 09:15   --------   d-sh--w-   c:\windows\system32\AI_RecycleBin
              2011-07-16 09:14 . 2011-07-16 09:14   --------   d-----w-   c:\documents and settings\Christopher Apostle\Application Data\FCTB000100377
              2011-07-16 09:14 . 2011-07-16 09:14   --------   d-----w-   c:\program files\W3i
              2011-07-16 09:14 . 2011-07-16 09:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\W3i
              2011-07-16 09:11 . 2011-07-16 09:14   --------   d-----w-   c:\program files\Relief Network LP4
              .
              .
              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2011-06-02 14:02 . 2002-08-29 10:00   1858944   ----a-w-   c:\windows\system32\win32k.sys
              2002-08-29 10:00   94784   -csh--w-   c:\windows\TWAIN.DLL
              2008-04-14 00:12   50688   --sh--w-   c:\windows\twain_32.dll
              2008-04-14 00:12   11776   --sh--w-   c:\windows\SYSTEM32\regsvr32.exe
              .
              .
              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4
              .
              [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
              "{4219427b-0228-4356-a78b-eb7668d37d07}"= "c:\program files\InboxDollars\Helper.dll" [2011-05-29 357376]
              "{3862f31b-b7b2-0854-cd54-ea4726c86127}"= "c:\program files\Relief Network LP4\Helper.dll" [2011-07-16 357376]
              .
              [HKEY_CLASSES_ROOT\clsid\{4219427b-0228-4356-a78b-eb7668d37d07}]
              [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
              [HKEY_CLASSES_ROOT\TypeLib\{8EF4D7EF-810E-4629-A9C9-F92FD201FE1A}]
              [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
              .
              [HKEY_CLASSES_ROOT\clsid\{3862f31b-b7b2-0854-cd54-ea4726c86127}]
              [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
              [HKEY_CLASSES_ROOT\TypeLib\{59E2F26C-63D0-57B4-05FD-3E7901C9A2CC}]
              [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
              .
              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01E80CFF-E023-4B58-8170-7614B541A38d}]
              2011-07-31 18:49   467968   ----a-w-   c:\windows\SYSTEM32\atl32.dll
              .
              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FFB615D-E8CE-4ADD-8D9F-31C4BE9C26E4}]
              2011-05-29 19:20   1544192   ----a-w-   c:\program files\InboxDollars\Toolbar.dll
              .
              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AC531C5-DBDA-A484-B590-11ACB177FE33}]
              2011-07-16 09:14   1534976   ----a-w-   c:\program files\Relief Network LP4\Toolbar.dll
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
              "{47980628-3844-42AA-A0DD-E2D86BBA9600}"= "c:\program files\InboxDollars\Toolbar.dll" [2011-05-29 1544192]
              .
              [HKEY_CLASSES_ROOT\clsid\{47980628-3844-42aa-a0dd-e2d86bba9600}]
              [HKEY_CLASSES_ROOT\FCTB000062133.IEToolbar.1]
              [HKEY_CLASSES_ROOT\TypeLib\{5DB5671F-D35B-419E-A124-0653A57FBCA1}]
              [HKEY_CLASSES_ROOT\FCTB000062133.IEToolbar]
              .
              [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
              "{47980628-3844-42AA-A0DD-E2D86BBA9600}"= "c:\program files\InboxDollars\Toolbar.dll" [2011-05-29 1544192]
              .
              [HKEY_CLASSES_ROOT\clsid\{47980628-3844-42aa-a0dd-e2d86bba9600}]
              [HKEY_CLASSES_ROOT\FCTB000062133.IEToolbar.1]
              [HKEY_CLASSES_ROOT\TypeLib\{5DB5671F-D35B-419E-A124-0653A57FBCA1}]
              [HKEY_CLASSES_ROOT\FCTB000062133.IEToolbar]
              .
              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-06-22 2408448]
              .
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-20 98304]
              "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 176128]
              "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-11 202256]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
              .
              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
              McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
              .
              [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
              "NoSetActiveDesktop"= 1 (0x1)
              "NoActiveDesktopChanges"= 1 (0x1)
              .
              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2009-01-13 04:45   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
              .
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
              @="Driver"
              .
              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
              path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
              backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
              .
              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
              path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
              backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
              2008-04-14 00:12   15360   ------w-   c:\windows\SYSTEM32\ctfmon.exe
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
              2005-03-08 04:42   176128   ----a-w-   c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb12.exe
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
              2004-08-20 03:31   98304   ----a-w-   c:\program files\QuickTime\qttask.exe
              .
              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
              "EnableFirewall"= 0 (0x0)
              .
              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
              "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
              "c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=
              "c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
              "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
              "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
              "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
              "c:\\Program Files\\InboxDollars\\TroubleShooter.exe"=
              "c:\\Program Files\\InboxDollars\\ToolbarUpdate.exe"=
              "c:\\Program Files\\Relief Network LP4\\TroubleShooter.exe"=
              .
              R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\symds.sys [4/17/2011 8:43 AM 328752]
              R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\symefa.sys [4/17/2011 8:43 AM 173104]
              R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110723.001\BHDrvx86.sys [8/1/2011 5:30 AM 815736]
              R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\cchpx86.sys [4/17/2011 8:43 AM 501888]
              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/17/2008 3:11 PM 8944]
              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 3:11 PM 55024]
              R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\ironx86.sys [4/17/2011 8:43 AM 116784]
              R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [4/17/2011 8:43 AM 126392]
              R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/1/2011 5:29 AM 105592]
              R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110729.030\IDSXpx86.sys [8/1/2011 5:30 AM 355256]
              S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
              S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\SYSTEM32\DRIVERS\LSIPNDS.sys [7/1/2004 7:29 PM 95232]
              S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
              S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
              S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 3:11 PM 7408]
              .
              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
              hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
              HPService   REG_MULTI_SZ      HPSLPSVC
              .
              Contents of the 'Scheduled Tasks' folder
              .
              2011-08-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1326281953-3321796711-1604036775-1005.job
              - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
              .
              2011-08-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1326281953-3321796711-1604036775-1005.job
              - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
              .
              2011-08-06 c:\windows\Tasks\User_Feed_Synchronization-{D945552B-00B7-4A55-ABFC-0C9C9DB7E1EB}.job
              - c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
              .
              .
              ------- Supplementary Scan -------
              .
              mSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q=
              uInternet Settings,ProxyOverride = <local>
              IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
              TCP: DhcpNameServer = 68.87.69.150 68.87.85.102
              DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
              DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
              .
              - - - - ORPHANS REMOVED - - - -
              .
              URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
              WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
              HKCU-Run-Itibiti.exe - c:\program files\Itibiti Soft Phone\Itibiti.exe
              .
              .
              .
              **************************************************************************
              .
              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2011-08-06 18:55
              Windows 5.1.2600 Service Pack 3 NTFS
              .
              scanning hidden processes ... 
              .
              scanning hidden autostart entries ...
              .
              scanning hidden files ... 
              .
              scan completed successfully
              hidden files: 0
              .
              **************************************************************************
              .
              [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
              "ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
              .
              --------------------- LOCKED REGISTRY KEYS ---------------------
              .
              [HKEY_USERS\S-1-5-21-1326281953-3321796711-1604036775-1005\Software\Microsoft\SystemCertificates\AddressBook*]
              @Allowed: (Read) (RestrictedCode)
              @Allowed: (Read) (RestrictedCode)
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------
              .
              - - - - - - - > 'winlogon.exe'(688)
              c:\program files\SUPERAntiSpyware\SASWINLO.DLL
              c:\windows\system32\WININET.dll
              .
              Completion time: 2011-08-06  19:00:36
              ComboFix-quarantined-files.txt  2011-08-07 02:00
              ComboFix2.txt  2010-07-05 05:12
              ComboFix3.txt  2010-01-26 17:05
              .
              Pre-Run: 16,320,950,272 bytes free
              Post-Run: 16,399,577,088 bytes free
              .
              - - End Of File - - 5CEA11007B406CA7B0B7B66E58715499

              SuperDave

              Re: Why do I get "redirected" when doing searches?
              « Reply #9 on: August 07, 2011, 01:04:03 PM »
              Quote
              but that pop up box about the Microsoft  recovery console never came up??
              You probably have the RC already installed.

              Did you do the Jotti's Malware scan? I need to see the results of that scan. This could be a malicious file.

              Please update and run the MBAM scan again and post the log.

              mcummings36


                Re: Why do I get "redirected" when doing searches?
                « Reply #10 on: August 10, 2011, 01:59:56 PM »
                The Jotti program won't work, when I click on the link, I get "Internet Explorer cannot display...." and I still can't update Malwarebytes. I ran a scan without updates, here is the log:
                Also, most of the time now when I click on a link like on Facebook or something, nothing happens. I have to right click and select open.

                Malwarebytes' Anti-Malware 1.44
                Database version: 3510
                Windows 5.1.2600 Service Pack 3
                Internet Explorer 8.0.6001.18702

                8/10/2011 12:57:02 PM
                mbam-log-2011-08-10 (12-57-02).txt

                Scan type: Quick Scan
                Objects scanned: 129312
                Time elapsed: 11 minute(s), 54 second(s)

                Memory Processes Infected: 0
                Memory Modules Infected: 0
                Registry Keys Infected: 1
                Registry Values Infected: 0
                Registry Data Items Infected: 0
                Folders Infected: 0
                Files Infected: 0

                Memory Processes Infected:
                (No malicious items detected)

                Memory Modules Infected:
                (No malicious items detected)

                Registry Keys Infected:
                HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

                Registry Values Infected:
                (No malicious items detected)

                Registry Data Items Infected:
                (No malicious items detected)

                Folders Infected:
                (No malicious items detected)

                Files Infected:
                (No malicious items detected)

                SuperDave

                Re: Why do I get "redirected" when doing searches?
                « Reply #11 on: August 10, 2011, 05:23:40 PM »
                Please try this one.

                Code:
                c:\windows\system32\atl32.dll
                You can also run it through the Comodo Instant Malware Analysis (CIMA) to get an idea what it's going to do. http://camas.comodo.com/
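In the ComboFix log from Reply #8, c:\windows\system32\atl32.dll appears both under "Files Created" and as a Browser Helper Object. The following is an added example, not part of the original posts and not a ComboFix feature: it parses an abridged excerpt of that log and ranks registry load points whose DLL, or its folder, was created inside the scan window. The function names and the ranking rule are assumptions made for this illustration.

```python
import re

# Abridged excerpt of the ComboFix log posted in Reply #8 (lines copied from the thread).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2011-07-07 to 2011-08-07  )))))))))))))))))))))))))))))))
.
2011-07-31 18:49 . 2011-07-31 18:49   467968   ----a-w-   c:\windows\system32\atl32.dll
2011-07-19 00:54 . 2011-07-19 00:54   --------   d--h--w-   c:\windows\system32\GroupPolicy
2011-07-16 09:11 . 2011-07-16 09:14   --------   d-----w-   c:\program files\Relief Network LP4
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2002-08-29 10:00   1858944   ----a-w-   c:\windows\system32\win32k.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4219427b-0228-4356-a78b-eb7668d37d07}"= "c:\program files\InboxDollars\Helper.dll" [2011-05-29 357376]
"{3862f31b-b7b2-0854-cd54-ea4726c86127}"= "c:\program files\Relief Network LP4\Helper.dll" [2011-07-16 357376]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01E80CFF-E023-4B58-8170-7614B541A38d}]
2011-07-31 18:49   467968   ----a-w-   c:\windows\SYSTEM32\atl32.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FFB615D-E8CE-4ADD-8D9F-31C4BE9C26E4}]
2011-05-29 19:20   1544192   ----a-w-   c:\program files\InboxDollars\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AC531C5-DBDA-A484-B590-11ACB177FE33}]
2011-07-16 09:14   1534976   ----a-w-   c:\program files\Relief Network LP4\Toolbar.dll
.
"""

SECTION = re.compile(r"^\(+\s*(.*?)\s*\)+$")          # ((((   Section name   ))))
CREATED = re.compile(r"^(\d{4}-\d\d-\d\d) \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d"
                     r"\s+(\S+)\s+(\S+)\s+(.+)$")     # date . date  size  attrs  path
KEY = re.compile(r"^\[(.+)\]$")                       # [registry key]
FILE_UNDER_KEY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+\S+\s+(.+)$")
VALUE = re.compile(r'^"([^"]*)"=\s*"([^"]+)"')        # "name"= "path" [date size]
BROWSER_KEYS = ("browser helper objects", "urlsearchhooks", "internet explorer\\toolbar")


def parse_combofix(log):
    """Return (recent_files, recent_dirs, load_points) from a ComboFix log."""
    section, key = "", ""
    recent_files, recent_dirs, load_points = {}, set(), []
    for raw in log.splitlines():
        line = raw.strip()                 # forum copies are often indented
        if not line or line == ".":
            continue
        m = SECTION.match(line)
        if m:
            section, key = m.group(1), ""
            continue
        if section.startswith("Files Created"):
            m = CREATED.match(line)
            if m and m.group(3).startswith("d"):      # attribute string marks a directory
                recent_dirs.add(m.group(4).lower())
            elif m:
                recent_files[m.group(4).lower()] = m.group(1)
        elif section.startswith("Reg Loading Points"):
            m = KEY.match(line)
            if m:
                key = m.group(1)
                continue
            m = FILE_UNDER_KEY.match(line) or VALUE.match(line)
            if m and key:
                load_points.append((key, m.group(m.lastindex)))  # last group is the path
    return recent_files, recent_dirs, load_points


def triage(log):
    """Rank load points: more independent reasons first (illustrative rule)."""
    recent_files, recent_dirs, load_points = parse_combofix(log)
    findings = []
    for key, path in load_points:
        p, reasons = path.lower(), []
        if p in recent_files:
            reasons.append("file created in scan window (%s)" % recent_files[p])
        elif any(p.startswith(d + "\\") for d in recent_dirs):
            reasons.append("inside a directory created in scan window")
        if any(k in key.lower() for k in BROWSER_KEYS) and p.startswith("c:\\windows\\"):
            reasons.append("browser add-on loaded from the Windows directory")
        if reasons:
            findings.append({"path": p, "key": key, "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(len(f["reasons"]), f["path"], "|", "; ".join(f["reasons"]))
```

A high rank only marks a file as worth submitting to a scanner, as was requested for atl32.dll in this thread; it is not a verdict on the file.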

                mcummings36


                  Re: Why do I get "redirected" when doing searches?
                  « Reply #12 on: August 10, 2011, 09:18:48 PM »
                  The Comodo program is asking me which file I think is infected, I have no idea. Do I use "Run" for the
                  c:\windows\system32\atl32.dll?

                  Can you tell me what to do about not being able to open files when I click on them? One of the things I do daily is surveys through a few dedicated sites, one being Inbox Dollars, and because when I click on links they aren't opening, I can't access any of the surveys. This is income for me, so it's kind of important. Thanks!

                  SuperDave

                  Re: Why do I get "redirected" when doing searches?
                  « Reply #13 on: August 12, 2011, 05:35:53 PM »
                  Quote
                  The Comodo program is asking me which file I think is infected, I have no idea. Do I use "Run" for the
                  c:\windows\system32\atl32.dll?
                  That's the one I want scanned. You can copy and paste the file name in there or use the browse method.
                  Quote
                  Can you tell me what to do about not being able to open files when I click on them? One of the things I do daily is surveys through a few dedicated sites, one being Inbox Dollars, and because when I click on links they aren't opening, I can't access any of the surveys.
                  It's links that won't open, not files. Correct? That's why I want to run more scans starting with the file above.

                  mcummings36


                    Re: Why do I get "redirected" when doing searches?
                    « Reply #14 on: August 19, 2011, 11:33:15 AM »
                    I can't copy/paste anything into that Comodo, I can't type anything in either, what's the deal with that??? And yes, it's links that I can't open. Some of them if I right click and select open, they will, but a lot of them won't.