
Author Topic: Internet explorer redirected  (Read 16003 times)


mopy

    Topic Starter


    Beginner

    Internet explorer redirected
    « on: May 30, 2009, 10:52:36 AM »
    Hi.
    This all started yesterday, 29/05. I found a file called Recycler on my flash drive, then I noticed that some links on web sites were being redirected to ads.
    I have been through your guidelines.
    I was unable to download SUPERAntiSpyware as the link got redirected. The same was true for Malwarebytes.
    I did manage to download and install HijackThis, but it would not open. I did rename it as you suggested.
    All other tasks completed OK.
    Any help, please.
    Thanks Kevin.

    mopy


      Re: Internet explorer redirected
      « Reply #1 on: May 30, 2009, 12:02:16 PM »
      Sorry, I should have added that I am running Windows XP Home with SP2.
      Kevin.

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Internet explorer redirected
      « Reply #2 on: May 30, 2009, 01:16:34 PM »
      Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

      * Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
      * Search for any of the following:
      * Important! The letters can appear in either upper case or lower case letters.

      - UACd.sys <- Or anything beginning with UAC
      - gaopdxserv.sys <- Or anything beginning with gaopd
      - gxvxcserv.sys <- Or anything beginning with gxvx
      - Seneka.sys <- Or anything beginning with Seneka
      - clbdriver.sys <- Or anything beginning with clbdriver
      - TDSSserv.sys <- Or anything beginning with TDSS
      - ovfst.sys <- Or anything beginning with ovfst

      * If you do find it, right click on it, and select Disable. Do not try to uninstall them.
      * Now restart the computer.
      * Let me know if you found them or not.
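The same name check can be run over the SERVICES / DRIVERS section of a DDS log like the one posted later in this thread. This is an added example, not part of the original posts and not DDS's own code; the function names and the sample lines marked as constructed are assumptions made for illustration.

```python
import ntpath
import re
from typing import List, NamedTuple, Tuple

# Name prefixes taken from the reply above. Compared case-insensitively,
# because the reply notes the names can appear in upper or lower case.
SUSPECT_PREFIXES = ("uac", "gaopd", "gxvx", "seneka", "clbdriver", "tdss", "ovfst")

# One entry in the "SERVICES / DRIVERS" section of a DDS log, for example:
#   R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-30 64160]
# The path and the bracketed date/size may be absent ("S1 SASKUTIL;SASKUTIL;").
ENTRY_RE = re.compile(
    r"^(?P<status>[RS]\d)\s+"
    r"(?P<name>[^;]*);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?:\s+\[\d{4}-\d{1,2}-\d{1,2}\s+\d+\])?\s*$"
)


class DriverEntry(NamedTuple):
    status: str   # status letter and digit exactly as printed in the log
    name: str     # service name
    display: str  # display name
    path: str     # image path, may be empty


def parse_services(log_text: str) -> List[DriverEntry]:
    """Return the entries found between the SERVICES / DRIVERS header
    and the next '=====' section header."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("=") and line.endswith("="):
            in_section = "SERVICES / DRIVERS" in line
            continue
        if not in_section or not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append(DriverEntry(match["status"], match["name"],
                                       match["display"], match["path"]))
    return entries


def flag_suspects(entries: List[DriverEntry]) -> List[Tuple[DriverEntry, str]]:
    """Pair each entry whose service name or driver file name begins with a
    listed prefix with the prefix that matched."""
    hits = []
    for entry in entries:
        # ntpath parses Windows paths on any platform.
        for candidate in (entry.name, ntpath.basename(entry.path)):
            lowered = candidate.lower()
            prefix = next((p for p in SUSPECT_PREFIXES if lowered.startswith(p)), None)
            if prefix:
                hits.append((entry, prefix))
                break
    return hits


# Sample input. The Lbd, AvgLdx86, SASKUTIL and mbam.sys lines are copied from
# the log in this thread; the TDSSserv.sys and GXVXCabcd.SYS lines are
# CONSTRUCTED for this example and do not come from the poster's machine.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-30 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-8 325896]
R1 TDSSserv.sys;TDSSserv.sys;c:\windows\system32\drivers\TDSSserv.sys [2009-5-29 12345]
S1 SASKUTIL;SASKUTIL;
S3 example;Example Driver;c:\windows\system32\drivers\GXVXCabcd.SYS [2009-5-29 23456]

=============== Created Last 30 ================

2009-05-30 21:07   19,096   a-------   c:\windows\system32\drivers\mbam.sys
"""

if __name__ == "__main__":
    for entry, prefix in flag_suspects(parse_services(SAMPLE_LOG)):
        print(f"{entry.status} {entry.name} -> {entry.path or '(no path)'} "
              f"[matches prefix '{prefix}']")
```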

      mopy


        Re: Internet explorer redirected
        « Reply #3 on: May 30, 2009, 01:29:28 PM »
        Thanks for your reply. None of the items were found.
        Kevin.

        evilfantasy

        Re: Internet explorer redirected
        « Reply #4 on: May 30, 2009, 01:51:52 PM »
        Try the renamer download for Malwarebytes.

        http://kixhelp.com/wr/files/mb/randmbam.exe

        The randmbam.exe will try to create random names and shortcuts for Malwarebytes Anti Malware (MBAM) if you have it installed already.

        If it installs then use this link to download the updates.

        Download Malwarebytes' Anti-Malware Database - GT500.org

        Just download it to the desktop and run the exe then run Malwarebytes.

        mopy


          Re: Internet explorer redirected
          « Reply #5 on: May 30, 2009, 02:58:12 PM »
          This worked, thanks. I include the log.
          However, I still cannot open HijackThis.
          Thanks Kevin.

          [attachment deleted by admin]

          evilfantasy

          Re: Internet explorer redirected
          « Reply #6 on: May 30, 2009, 03:13:32 PM »
          Try this please.

          Download DDS by sUBs and save it to your desktop. Alternate DDS download link

          Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

          * XP users Double click on dds to run it.
          * If your antivirus or firewall tries to block DDS then please allow it to run.
          * When finished DDS will open two (2) logs.

          1) DDS.txt
          2) Attach.txt

          * Save both logs to your desktop.
          * Please copy and paste the entire contents of both logs in your next reply.

          Note: DDS will instruct you to post the Attach.txt log as an attachment.
          Please just post it as you would any other log by copy and pasting it into the reply.

          mopy


            Re: Internet explorer redirected
            « Reply #7 on: May 30, 2009, 11:03:28 PM »
            Hi evilfantasy, here are the DDS logs.

            DDS (Ver_09-05-14.01) - NTFSx86 
            Run by User at  5:55:23.95 on 31/05/2009
            Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
            Microsoft Windows XP Home Edition  5.1.2600.2.1252.44.1033.18.1023.424 [GMT 1:00]

            AV: AVG Anti-Virus *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

            ============== Running Processes ===============

            C:\WINDOWS\system32\svchost -k DcomLaunch
            svchost.exe
            C:\WINDOWS\System32\svchost.exe -k netsvcs
            svchost.exe
            svchost.exe
            C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\system32\spoolsv.exe
            C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
            C:\WINDOWS\SOUNDMAN.EXE
            C:\Program Files\Microsoft IntelliType Pro\itype.exe
            C:\Program Files\QuickTime\qttask.exe
            C:\PROGRA~1\AVG\AVG8\avgtray.exe
            C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
            C:\Program Files\Java\jre6\bin\jusched.exe
            C:\PROGRA~1\MICROS~2\wcescomm.exe
            C:\Program Files\Google\Update\GoogleUpdate.exe
            C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
            C:\PROGRA~1\MICROS~2\rapimgr.exe
            c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
            svchost.exe
            C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
            C:\Program Files\Bonjour\mDNSResponder.exe
            C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
            C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
            C:\WINDOWS\System32\GEARSec.exe
            C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
            C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
            C:\Program Files\Java\jre6\bin\jqs.exe
            C:\PROGRA~1\AVG\AVG8\avgrsx.exe
            C:\PROGRA~1\AVG\AVG8\avgnsx.exe
            C:\Program Files\Kontiki\KService.exe
            C:\WINDOWS\System32\svchost.exe -k HPZ12
            C:\WINDOWS\system32\nvsvc32.exe
            C:\WINDOWS\System32\svchost.exe -k HPZ12
            C:\WINDOWS\system32\svchost.exe -k imgsvc
            C:\PROGRA~1\AVG\AVG8\avgemc.exe
            C:\Program Files\AVG\AVG8\avgcsrvx.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
            C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
            C:\Program Files\AVG\AVG8\avgcsrvx.exe
            C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
            C:\Program Files\AVG\AVG8\avgcsrvx.exe
            C:\Program Files\Internet Explorer\IEXPLORE.EXE
            C:\Documents and Settings\User\Desktop\dds.pif

            ============== Pseudo HJT Report ===============

            uStart Page = hxxp://www.tiscali.co.uk/
            uInternet Settings,ProxyOverride = local
            uInternet Settings,ProxyServer = socks=
            uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
            BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
            BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
            BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
            BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
            BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
            BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
            BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
            BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
            TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
            TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
            uRun: [H/PC Connection Agent] "c:\progra~1\micros~2\wcescomm.exe"
            mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
            mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
            mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
            mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
            mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
            mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
            mRun: [SoundMan] SOUNDMAN.EXE
            mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
            mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
            mRun: [AgataSoft ShutDown Pro]
            mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
            mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
            mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
            dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
            dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
            dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
            StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
            IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
            IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
            IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
            IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
            IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
            IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
            IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
            IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
            IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
            IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
            IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
            IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
            IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
            IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
            DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
            DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
            DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
            DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
            DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1243700850108&h=8c6392bc2c71dbd93536b72827a506ac/&filename=jinstall-6u13-windows-i586-jc.cab
            DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
            DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
            DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
            DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
            DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
            DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
            Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
            Notify: avgrsstarter - avgrsstx.dll
            SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

            ============= SERVICES / DRIVERS ===============

            R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-30 64160]
            R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-8 325896]
            R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-8 27784]
            R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-8 108552]
            R1 FolderProtectDriver;FolderProtectDriver;c:\program files\spotmau wincare 2008\sub\fsdriver\FolderProtectDriver.sys [2008-7-27 15616]
            R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-9 908568]
            R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-8 298776]
            R2 FolderProtectService;FolderProtectService;c:\program files\spotmau wincare 2008\sub\fsdriver\FolderProtectService.exe [2008-7-27 10240]
            R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
            S1 SASKUTIL;SASKUTIL;

            S2 gupdate1c9a98e341b062a;Google Update Service (gupdate1c9a98e341b062a);c:\program files\google\update\GoogleUpdate.exe [2009-3-20 133104]
            S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2007-8-7 9344]
            S3 DrvSnSht;DrvSnSht;c:\program files\r-drive image\DrvSnSht.sys [2008-11-1 94608]
            S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-4-4 8704]
            S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-4-4 3072]
            S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-14 33176]
            S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-4-26 40832]
            S3 R-ImageDisk;R-ImageDisk;c:\program files\r-drive image\R-ImageDisk.sys [2008-11-1 126551]

            =============== Created Last 30 ================

            2009-05-30 21:51   <DIR>   --d-----   c:\program files\Trend Micro
            2009-05-30 21:10   <DIR>   --d-----   c:\docume~1\user\applic~1\Malwarebytes
            2009-05-30 21:07   40,160   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
            2009-05-30 21:07   19,096   a-------   c:\windows\system32\drivers\mbam.sys
            2009-05-30 21:07   <DIR>   --d-----   c:\program files\Malwarebytes' Anti-Malware
            2009-05-30 21:07   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\Malwarebytes
            2009-05-30 17:26   410,984   a-------   c:\windows\system32\deploytk.dll
            2009-05-30 16:50   64,160   a-------   c:\windows\system32\drivers\Lbd.sys
            2009-05-30 16:49   <DIR>   -cd-h---   c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
            2009-05-30 16:49   <DIR>   --d-----   c:\program files\Lavasoft
            2009-05-30 16:41   698   a---h---   C:\aaw7boot.cmd
            2009-05-30 15:20   <DIR>   --d-----   c:\program files\ww
            2009-05-30 15:04   388,608   a-------   c:\windows\system32\CF11275.exe
            2009-05-02 18:40   <DIR>   --d-----   c:\program files\Top Password
            2009-05-02 17:12   3,247   a-------   c:\windows\system32\wbem\Outlook_01c9cb40bd8df574.mof

            ==================== Find3M  ====================

            2009-05-26 18:57   249,856   --------   c:\windows\Setup1.exe
            2009-05-26 18:57   73,216   a-------   c:\windows\ST6UNST.EXE
            2009-04-30 11:19   11,952   a-------   c:\windows\system32\avgrsstx.dll
            2009-04-30 11:19   325,896   a-------   c:\windows\system32\drivers\avgldx86.sys
            2009-04-30 11:19   108,552   a-------   c:\windows\system32\drivers\avgtdix.sys
            2009-03-19 14:03   1,907,712   a-------   c:\windows\system32\BootMan.exe
            2009-03-06 15:44   283,648   a-------   c:\windows\system32\pdh.dll
            2009-03-03 01:18   826,368   a-------   c:\windows\system32\wininet.dll
            2008-10-26 11:50   10,998   a-------   c:\docume~1\user\applic~1\wklnhst.dat
            2008-06-22 19:02   47,360   a-------   c:\docume~1\user\applic~1\pcouffin.sys
            2008-02-07 17:51   31,224   a-------   c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT

            ============= FINISH:  5:55:44.26 ===============

            UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
            IF REQUESTED, ZIP IT UP & ATTACH IT

            DDS (Ver_09-05-14.01)

            Microsoft Windows XP Home Edition
            Boot Device: \Device\HarddiskVolume1
            Install Date: 02/04/2007 11:53:11
            System Uptime: 31/05/2009 05:49:06 (0 hours ago)

            Motherboard: eveshamvale |  | 
            Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket 939 | 2210/200mhz

            ==== Disk Partitions =========================

            A: is Removable
            C: is FIXED (NTFS) - 88 GiB total, 23.139 GiB free.
            D: is CDROM ()
            E: is CDROM ()
            F: is Removable
            G: is Removable
            H: is FIXED (NTFS) - 98 GiB total, 39.16 GiB free.

            ==== Disabled Device Manager Items =============

            ==== System Restore Points ===================

            RP866: 01/03/2009 19:51:28 - System Checkpoint
            RP867: 02/03/2009 19:59:27 - System Checkpoint
            RP868: 03/03/2009 20:56:12 - System Checkpoint
            RP869: 04/03/2009 21:17:47 - System Checkpoint
            RP870: 06/03/2009 05:59:49 - System Checkpoint
            RP871: 07/03/2009 07:02:52 - System Checkpoint
            RP872: 07/03/2009 17:44:17 - Installed O&O Defrag Professional.
            RP873: 08/03/2009 18:36:36 - System Checkpoint
            RP874: 09/03/2009 19:23:20 - System Checkpoint
            RP875: 10/03/2009 21:03:00 - Installed Google Earth Pro.
            RP876: 10/03/2009 21:06:56 - Removed Google Earth Pro.
            RP877: 11/03/2009 09:33:20 - Software Distribution Service 3.0
            RP878: 12/03/2009 16:24:40 - System Checkpoint
            RP879: 13/03/2009 17:55:55 - System Checkpoint
            RP880: 14/03/2009 18:10:13 - System Checkpoint
            RP881: 15/03/2009 21:30:12 - System Checkpoint
            RP882: 17/03/2009 14:17:01 - System Checkpoint
            RP883: 18/03/2009 14:19:07 - System Checkpoint
            RP884: 19/03/2009 15:28:25 - System Checkpoint
            RP885: 20/03/2009 06:56:11 - Software Distribution Service 3.0
            RP886: 21/03/2009 07:48:10 - System Checkpoint
            RP887: 22/03/2009 07:50:04 - System Checkpoint
            RP888: 23/03/2009 14:49:09 - System Checkpoint
            RP889: 24/03/2009 15:44:01 - System Checkpoint
            RP890: 24/03/2009 21:07:09 - Restore Operation
            RP891: 25/03/2009 21:46:52 - System Checkpoint
            RP892: 27/03/2009 09:18:31 - System Checkpoint
            RP893: 28/03/2009 06:36:34 - Software Distribution Service 3.0
            RP894: 28/03/2009 20:54:37 - mop
            RP895: 28/03/2009 20:56:54 - Installed Fix-It Utilities 9 Professional
            RP896: 28/03/2009 21:40:23 - Removed Fix-It Utilities 9 Professional
            RP897: 30/03/2009 06:04:20 - System Checkpoint
            RP898: 31/03/2009 14:51:00 - System Checkpoint
            RP899: 01/04/2009 16:38:09 - System Checkpoint
            RP900: 02/04/2009 17:26:07 - System Checkpoint
            RP901: 03/04/2009 18:01:24 - System Checkpoint
            RP902: 03/04/2009 18:50:09 - Installed Norton Ghost.
            RP903: 03/04/2009 19:45:20 - Removed Norton Ghost.
            RP904: 03/04/2009 20:51:38 - mopy
            RP905: 04/04/2009 21:38:06 - System Checkpoint
            RP906: 06/04/2009 00:06:17 - System Checkpoint
            RP907: 07/04/2009 06:02:05 - System Checkpoint
            RP908: 08/04/2009 06:04:45 - System Checkpoint
            RP909: 08/04/2009 19:49:54 - Installed AVG Free 8.5
            RP910: 08/04/2009 20:13:57 - Avg8 Update
            RP911: 09/04/2009 12:57:14 - Avg8 Update
            RP912: 09/04/2009 17:39:35 - Configured AVG 8.5
            RP913: 09/04/2009 17:42:55 - Configured AVG 8.5
            RP914: 09/04/2009 17:46:20 - Avg8 Update
            RP915: 10/04/2009 18:14:39 - System Checkpoint
            RP916: 11/04/2009 18:53:36 - System Checkpoint
            RP917: 12/04/2009 20:19:45 - System Checkpoint
            RP918: 13/04/2009 20:21:24 - System Checkpoint
            RP919: 15/04/2009 12:13:11 - System Checkpoint
            RP920: 15/04/2009 22:02:15 - Software Distribution Service 3.0
            RP921: 17/04/2009 06:04:35 - Software Distribution Service 3.0
            RP922: 17/04/2009 16:54:20 - Removed O&O Defrag Professional.
            RP923: 18/04/2009 17:27:53 - System Checkpoint
            RP924: 19/04/2009 19:48:47 - System Checkpoint
            RP925: 20/04/2009 20:37:59 - System Checkpoint
            RP926: 22/04/2009 11:44:41 - System Checkpoint
            RP927: 23/04/2009 11:45:06 - System Checkpoint
            RP928: 24/04/2009 12:42:54 - System Checkpoint
            RP929: 25/04/2009 13:00:46 - System Checkpoint
            RP930: 26/04/2009 15:50:53 - System Checkpoint
            RP931: 26/04/2009 17:40:23 - Removed Microsoft Office Professional Edition 2003
            RP932: 26/04/2009 17:41:52 - Installed Microsoft Office Professional Edition 2003
            RP933: 27/04/2009 06:59:31 - Software Distribution Service 3.0
            RP934: 27/04/2009 21:48:15 - Software Distribution Service 3.0
            RP935: 29/04/2009 12:11:54 - System Checkpoint
            RP936: 29/04/2009 12:31:22 - Software Distribution Service 3.0
            RP937: 30/04/2009 11:19:13 - Avg8 Update
            RP938: 30/04/2009 11:20:12 - Avg8 Update
            RP939: 01/05/2009 12:00:54 - System Checkpoint
            RP940: 02/05/2009 18:26:48 - System Checkpoint
            RP941: 02/05/2009 21:44:39 - Installed My Kitchen Stationery
            RP942: 02/05/2009 21:47:45 - Installed Boomerang Stationery
            RP943: 02/05/2009 21:49:36 - Installed Dark River Stationery
            RP944: 02/05/2009 21:51:16 - Installed Microsoft Forest Floor Stationery
            RP945: 02/05/2009 21:51:54 - Installed Baxter Stationery
            RP946: 03/05/2009 06:33:52 - Installed Wallpaper Stationery
            RP947: 04/05/2009 08:25:22 - System Checkpoint
            RP948: 05/05/2009 12:55:45 - System Checkpoint
            RP949: 06/05/2009 13:36:52 - System Checkpoint
            RP950: 07/05/2009 13:55:05 - System Checkpoint
            RP951: 08/05/2009 15:10:29 - System Checkpoint
            RP952: 10/05/2009 17:07:37 - System Checkpoint
            RP953: 11/05/2009 17:45:45 - System Checkpoint
            RP954: 12/05/2009 18:21:08 - System Checkpoint
            RP955: 13/05/2009 07:01:04 - Software Distribution Service 3.0
            RP956: 13/05/2009 11:03:46 - Avg8 Update
            RP957: 13/05/2009 11:04:29 - Avg8 Update
            RP958: 14/05/2009 11:40:40 - System Checkpoint
            RP959: 14/05/2009 18:36:20 - Removed Adobe Reader 8.1.4
            RP960: 14/05/2009 18:36:52 - Installed Adobe Reader 9.1.
            RP961: 16/05/2009 08:04:22 - System Checkpoint
            RP962: 17/05/2009 09:06:08 - System Checkpoint
            RP963: 18/05/2009 11:36:53 - System Checkpoint
            RP964: 19/05/2009 11:27:22 - Avg8 Update
            RP965: 19/05/2009 11:27:56 - Avg8 Update
            RP966: 20/05/2009 11:47:58 - System Checkpoint
            RP967: 21/05/2009 12:27:17 - System Checkpoint
            RP968: 22/05/2009 12:30:06 - System Checkpoint
            RP969: 23/05/2009 17:58:03 - System Checkpoint
            RP970: 25/05/2009 07:51:28 - System Checkpoint
            RP971: 26/05/2009 11:22:26 - System Checkpoint
            RP972: 27/05/2009 12:00:14 - System Checkpoint
            RP973: 28/05/2009 14:42:30 - System Checkpoint
            RP974: 29/05/2009 16:01:35 - System Checkpoint

            ==== Installed Programs ======================

            1 Click PC Fix v3.5
            32 Bit HP CIO Components Installer
            A1Click Ultra PC Cleaner 1.01 (Registered Version)
            Acrobat.com
            Ad-Aware
            Adobe Acrobat 5.0
            Adobe AIR
            Adobe Anchor Service CS3
            Adobe Asset Services CS3
            Adobe Bridge 1.0
            Adobe Bridge CS3
            Adobe Bridge Start Meeting
            Adobe Camera Raw 4.0
            Adobe CMaps
            Adobe Color - Photoshop Specific
            Adobe Color Common Settings
            Adobe Color EU Extra Settings
            Adobe Color JA Extra Settings
            Adobe Color NA Recommended Settings
            Adobe Default Language CS3
            Adobe Device Central CS3
            Adobe ExtendScript Toolkit 2
            Adobe Flash Player 10 ActiveX
            Adobe Fonts All
            Adobe Help Viewer CS3
            Adobe Linguistics CS3
            Adobe PDF Library Files
            Adobe Photoshop CS3
            Adobe Reader 9.1.1
            Adobe Setup
            Adobe Shockwave Player 11
            Adobe Stock Photos 1.0
            Adobe Stock Photos CS3
            Adobe Type Support
            Adobe Update Manager CS3
            Adobe Version Cue CS3 Client
            Adobe WinSoft Linguistics Plugin
            Adobe XMP Panels CS3
            Advanced Diary v2.1
            AgataSoft ShutDown Pro 2.9
            AI RoboForm (All Users)
            AIO_Scan
            Andrex Puppy
            Atomic Clock Sync
            AV Bros. Page Curl Pro 2.2 (Remove Only)
            AVG 8.5
            BBC iPlayer Download Manager
            Bejeweled Deluxe 1.86
            BookWorm Deluxe 1.0
            Boomerang Stationery
            BufferChm
            CacheStats
            CCleaner (remove only)
            ConvertXtoDVD 3.1.0.26
            Copy
            CustomerResearchQFolder
            Destination Component
            DeviceDiscovery
            DeviceManagementQFolder
            DocProc
            DocProcQFolder
            Driver Genius Professional Edition
            DVD Shrink 3.2
            DVD X Player 4.1 Professional
            EASEUS Partition Master 3.5 Home Edition
            eSupportQFolder
            EVEREST Home Edition v1.10
            Fantasy Moon 3D Screensaver 1.3
            FontHit Font Tools
            getPlus(R) for Adobe
            Google Earth
            Google Earth Plugin
            Google Update Helper
            Grid InQuest
            GSAK 7.5.1.28 (Final)
            Hotfix for Windows Internet Explorer 7 (KB947864)
            HP Customer Participation Program 9.0
            HP Imaging Device Functions 9.0
            HP iPAQ Setup Assistant v1.0.4.0
            HP OCR Software 9.0
            HP Photosmart All-In-One Software 9.0
            HP Photosmart Essential 3.5
            HP Smart Web Printing
            HP Solution Center 9.0
            HP Update
            HPPhotoSmartDiscLabelContent1
            HPPhotosmartEssential
            HPProductAssistant
            HPSSupply
            ieSpell 2.0.1 (build 325)
            ImageSkill Magic Enhancer Lite (remove only)
            InfoClock Screensaver Christmas Edition 1.6.7
            iPAQ Download Agent
            iPAQ WebReg
            Java(TM) 6 Update 13
            Jigsaw Puzzle Platinum Edition
            Mahjong Fortuna 2 Deluxe
            MahJong Suite 2007 v4.1
            MahJong Suite Graphics Pack Volume 1 - v1.7
            MahJong Suite Graphics Pack Volume 2 - v2.7
            Malwarebytes' Anti-Malware
            MarketingReg
            MarketResearch
            Mastersoft Mobile Solutions iTRIS
            Mastersoft Mobile Solutions JewelMine
            Mastersoft Mobile Solutions Kakuro
            Mastersoft Mobile Solutions PAQmanP
            Mastersoft Mobile Solutions SuDokuV2
            Memory-Map OS Edition Version 5
            Microsoft .NET Compact Framework 2.0
            Microsoft .NET Framework 1.1
            Microsoft .NET Framework 1.1 Hotfix (KB928366)
            Microsoft .NET Framework 2.0
            Microsoft ActiveSync 4.0
            Microsoft Application Error Reporting
            Microsoft AutoRoute 2007
            Microsoft Forest Floor Stationery
            Microsoft IntelliPoint 5.5
            Microsoft IntelliType Pro 6.3
            Microsoft Internationalized Domain Names Mitigation APIs
            Microsoft National Language Support Downlevel APIs
            Microsoft Office Professional Edition 2003
            Microsoft User-Mode Driver Framework Feature Pack 1.0
            Microsoft Visual C++ 2005 Redistributable
            Microsoft XML Parser
            Moffsoft Calculator 2
            MSXML 4.0
            MSXML 4.0 SP2 (KB927978)
            MSXML 4.0 SP2 (KB936181)
            MSXML 4.0 SP2 (KB954430)
            MSXML 6 Service Pack 2 (KB954459)
            My Kitchen Stationery
            Nero 6 Ultra Edition
            Nero 8
            neroxml
            NVIDIA Drivers
            NvMixer
            Outlook Express Password Recovery 1.0
            PDF Settings
            Picasa 2
            PIF DESIGNER
            PS_AIO_ProductContext
            PS_AIO_Software
            PS_AIO_Software_min
            Q-Sort 2004
            QuickTime
            R-Drive Image (remove only)
            RealSpeak Solo for UK English Emily
            Realtek AC'97 Audio
            RegVac Registry Cleaner 5.01 (Registered Version)
            RelevantKnowledge
            ReNamer
            rx5700 and rx5900 GPS Firmware Update
            rx5700 and rx5900 TomTom Activation
            SAGEM F@st 800-840
            Santas Workshop Screensaver
            Scan
            Security Update for CAPICOM (KB931906)
            Security Update for Windows Internet Explorer 7 (KB928090)
            Security Update for Windows Internet Explorer 7 (KB931768)
            Security Update for Windows Internet Explorer 7 (KB933566)
            Security Update for Windows Internet Explorer 7 (KB937143)
            Security Update for Windows Internet Explorer 7 (KB938127)
            Security Update for Windows Internet Explorer 7 (KB939653)
            Security Update for Windows Internet Explorer 7 (KB942615)
            Security Update for Windows Internet Explorer 7 (KB944533)
            Security Update for Windows Internet Explorer 7 (KB950759)
            Security Update for Windows Internet Explorer 7 (KB953838)
            Security Update for Windows Internet Explorer 7 (KB956390)
            Security Update for Windows Internet Explorer 7 (KB958215)
            Security Update for Windows Internet Explorer 7 (KB960714)
            Security Update for Windows Internet Explorer 7 (KB961260)
            Security Update for Windows Internet Explorer 7 (KB963027)
            Security Update for Windows XP (KB923561)
            Security Update for Windows XP (KB952004)
            Security Update for Windows XP (KB956572)
            Security Update for Windows XP (KB959426)
            Security Update for Windows XP (KB960803)
            Security Update for Windows XP (KB961373)
            SolutionCenter
            Spelling Dictionaries Support For Adobe Reader 8
            Spotmau Wincare 2008
            Status
            Symantec Technical Support Web Controls
            Tetris 5000
            Toolbox
            TrayApp
            Tweak UI
            UnloadSupport
            Update for Windows XP (KB911164)
            VCRedistSetup
            Visual C++ 2008 x86 Runtime - (v9.0.30729)
            Visual C++ 2008 x86 Runtime - v9.0.30729.01
            Visual C++ 8.0 CRT (x86) WinSXS MSM
            WebFldrs XP
            WebReg
            Windows Installer 3.1 (KB893803)
            Windows Internet Explorer 7
            Windows Media Format 11 runtime
            Windows Media Player 11
            WinRAR archiver
            WinZip 12.0
            Word in Works Suite add-in
            WorldMate 2006 Standard Edition
            X-OOM DVD Player 4 Deluxe

            ==== Event Viewer Messages From Past Week ========

            30/05/2009 21:48:28, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  atapi PCIIde SASKUTIL
            30/05/2009 17:12:27, error: Service Control Manager [7023]  - The Application Management service terminated with the following error:  The specified module could not be found.
            30/05/2009 16:53:07, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  SASKUTIL
            30/05/2009 16:53:07, error: Service Control Manager [7022]  - The KService service hung on starting.
            30/05/2009 16:51:46, error: Service Control Manager [7000]  - The General Purpose USB Driver (adildr.sys) service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
            30/05/2009 15:45:46, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
            30/05/2009 15:44:28, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
            30/05/2009 15:43:51, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
            30/05/2009 15:43:27, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SASKUTIL Tcpip
            30/05/2009 15:43:27, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:  A device attached to the system is not functioning.
            30/05/2009 15:43:27, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
            30/05/2009 15:43:27, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
            30/05/2009 15:43:27, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBT service which failed to start because of the following error:  A device attached to the system is not functioning.
            30/05/2009 15:43:27, error: Service Control Manager [7001]  - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
            26/05/2009 18:58:50, information: Windows File Protection [64001]  - File replacement was attempted on the protected system file c:\windows\system32\scrrun.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.0.5010, the version of the system file is 5.6.0.8820.

            ==== End Of File ===========================

            evilfantasy

            Re: Internet explorer redirected
            « Reply #8 on: May 30, 2009, 11:12:54 PM »
            Go to Add or Remove Programs and uninstall:

            • RelevantKnowledge
            ----------

            Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

            Link #1
            Link #2

            Note: It is important that it is saved directly to your Desktop.

            DO NOT run it yet!

            Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

            Delete these files/folders, as follows:

            1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
            It must be Notepad, not Wordpad.
            2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

            Code:
            KillAll::

            DDS::
            TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
            TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

            Driver::
            epmntdrv

            File::
            c:\windows\system32\epmntdrv.sys
            c:\windows\system32\CF11275.exe

            3. Go to the Notepad window and click Edit > Paste
            4. Then click File > Save
            5. Name the file CFScript.txt - Save the file to your Desktop
            6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



            ComboFix will begin to execute, just follow the prompts.
            After reboot (in case it asks to reboot), it will produce a log for you.
            Post that log (Combofix.txt) in your next reply.

            Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

            ----------

            Your Java is out of date.

            Older versions have vulnerabilities that malicious sites can use to infect your system.

            First install the new Sun Java Runtime Environment

            Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

            Be sure to close all browser windows before beginning the install.

            Remove the old version(s)

            Download JavaRa
            • Unzip the file and open the JavaRa.exe
            • Click Remove Older Versions
            • JavaRa will search for and remove any outdated version of Java and remove any that are found.
            • Click Additional Tasks
            • Place a check next to Remove Useless JRE Files and click Go
            • Exit JavaRa
            • Delete the JavaRa files from the Desktop
            Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

            mopy

              Re: Internet explorer redirected
              « Reply #9 on: May 31, 2009, 12:08:21 AM »
              Hello again and thanks for your time.
              RelevantKnowledge was not found on the list.
              Created the Notepad file and dropped it in ComboFix as instructed, was asked to run, OK.
              But nothing happened.
              No log was produced.
              Updated Java and installed Java RE.
              Kevin

              evilfantasy

              Re: Internet explorer redirected
              « Reply #10 on: May 31, 2009, 12:25:32 PM »
              Try the CFScript again please.

              mopy

                Re: Internet explorer redirected
                « Reply #11 on: May 31, 2009, 12:50:19 PM »
                OK, I have tried again with the same result.
                Kevin.

                evilfantasy

                Re: Internet explorer redirected
                « Reply #12 on: May 31, 2009, 01:05:38 PM »
                OK just double click ComboFix and see if it will run.

                Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

                Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
                 
                Double click combofix.exe & follow the prompts.
                Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
                When finished ComboFix will produce a log for you.
                Post the ComboFix log in your next reply.

                Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

                If you have problems with ComboFix usage, see How to use ComboFix

                mopy

                  Re: Internet explorer redirected
                  « Reply #13 on: May 31, 2009, 01:18:09 PM »
                  Sorry, ComboFix will not run. I have downloaded it again with the same result.
                  Kevin.

                  evilfantasy

                  Re: Internet explorer redirected
                  « Reply #14 on: May 31, 2009, 01:20:21 PM »
                  Download OTMoveIt3 by OldTimer to your desktop.

                  Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

                  * Save it to your Desktop.
                  * Double-click OTMoveIt3.exe to run it.
                  * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                  Code:
                  :Processes
                  explorer.exe

                  :services
                  epmntdrv

                  :reg

                  :files
                  c:\windows\system32\epmntdrv.sys
                  c:\windows\system32\CF11275.exe

                  :Commands
                  [purity]
                  [emptytemp]
                  [start explorer]
                  [Reboot]

                  * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                  * Click the red Moveit! button.
                  * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                  * Close OTMoveIt3.

                  Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.