Google links redirect me to sites

Dell / Dimension c521
April 17, 2009 at 09:14:24
Specs: Microsoft Windows XP Professional, 2.004 GHz / 1470 MB
Hello. I have a problem that I am sure many of you have heard of. My Google links keep getting redirected to sites such as shopica and others. This has been going on for about a month now. I have tried searching for solutions and have run scans in the past, but no go. I have only found a few instances where people have seemed to solve this problem altogether.

I hope that you are able to help me. Thank you for volunteering your time and work. What do you need from me to start?



#1
April 17, 2009 at 14:04:18
The longer the baddies remain on your computer, the harder they are to remove and the more damage they cause.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box> click save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


If Malwarebytes installed but will not run, navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box> click save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


#2
April 17, 2009 at 14:43:22
Thank you sire for the reply! I already have Malwarebytes; would you like me to download it again and do everything you say, or should I just run it now? Thanks for the help!


#3
April 17, 2009 at 14:57:12
Update Malwarebytes, run the quick scan and post the Malwarebytes log and the Hijack This log. If Malwarebytes will not run then go to control panel> add/remove programs and uninstall it> then install it per the instructions in response #1.

I will be gone on a house call for a few hours but will look at your post when I return.



#4
April 18, 2009 at 10:06:47
Thank you for your assistance!

Here are the two logs.

MBAM:

Malwarebytes' Anti-Malware 1.36
Database version: 1992
Windows 5.1.2600 Service Pack 3

4/18/2009 12:00:32 PM
mbam-log-2009-04-18 (12-00-32).txt

Scan type: Quick Scan
Objects scanned: 81541
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:59 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Christopher\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explo


#5
April 18, 2009 at 11:19:09
continued.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Christopher\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofi...
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupd...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupd...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://calinks.spaces.live.com/Phot...
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpc...
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://archives.gametap.com/static/...
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupd...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 9973 bytes
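
Because this thread turns on reading HijackThis logs like the one above, here is an added triage script, written for this page and not part of HijackThis or of the poster's logs. It parses the O2/O3 (BHO and toolbar), O4 (Run key), O20 (Winlogon Notify) and O23 (service) line formats shown above and returns the entries an analyst would verify first. The `Finding` structure, the flag rules and the severity wording are this example's own assumptions; the sample lines are copied from the log above. A flag means "verify", not "malicious": the per-user Google Update entry is legitimate and is listed only because it autostarts from the user profile, which is the location malware also favours.

```python
"""Added example: triage helper for HijackThis v2 log lines.

Not part of HijackThis or of this thread's logs. Parses the O2/O3 (BHO,
toolbar), O4 (Run key), O20 (Winlogon Notify) and O23 (service) entries
in the format shown above and returns the entries worth verifying.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


# "O2 - BHO: Name - {CLSID} - Path" / "O3 - Toolbar: Name - {CLSID} - Path"
BHO_RE = re.compile(r'^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$')
# "O4 - HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "O20 - Winlogon Notify: Name - Path"
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$')

# Locations writable without admin rights. Legitimate per-user updaters use
# them too, so a hit here is a "verify the publisher" item, not a verdict.
PROFILE_MARKERS = ('\\documents and settings\\', '\\local settings\\', '\\temp\\')


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        if m.group('path').strip().lower() == '(no file)':
            return Finding(line, 'BHO/toolbar CLSID registered but its DLL is missing: orphaned entry')
        if m.group('name').strip().lower() == '(no name)':
            return Finding(line, 'BHO/toolbar without a display name: identify the DLL before trusting it')
        return None
    m = RUN_RE.match(line)
    if m:
        if any(marker in m.group('cmd').lower() for marker in PROFILE_MARKERS):
            return Finding(line, 'autostart from a user-profile or temp path: confirm the publisher')
        return None
    if O20_RE.match(line):
        return Finding(line, 'Winlogon Notify DLL loads into winlogon at logon: verify the vendor')
    if line.startswith('O23 - Service: '):
        # The display name may itself contain " - ", so split from the right:
        # "<display (short)> - <owner> - <path>"
        parts = line[len('O23 - Service: '):].rsplit(' - ', 2)
        if len(parts) == 3 and parts[1].strip().lower() == 'unknown owner':
            return Finding(line, 'service without a publisher string: verify the binary on disk')
        return None
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the hits in log order."""
    findings = []
    for raw in text.splitlines():
        found = triage_line(raw)
        if found:
            findings.append(found)
    return findings


# Sample lines, copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Christopher\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

if __name__ == '__main__':
    for f in triage_log(SAMPLE_LOG):
        print(f'{f.reason}\n    {f.line}')
```

Run against the sample it reports four lines: the orphaned "(no file)" BHO, the per-user Google Update autostart, the SUPERAntiSpyware Winlogon Notify DLL and the LicCtrl service with no owner. The O23 split is done from the right because service display names such as "Avira AntiVir Personal - Free Antivirus Guard" contain the same " - " separator the log uses between fields.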


#6
April 18, 2009 at 12:41:48
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box> click save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Avira antivirus, Ad-Aware, Spybot and any other antispyware that you may have. Combofix cannot remove the bad files with these programs running.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.



#7
April 18, 2009 at 14:11:20
ComboFix 09-04-19.01 - Christopher 04/18/2009 15:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.720 [GMT -5:00]
Running from: c:\documents and settings\Christopher\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\imomihib.ini

.
((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-15 08:04 . 2009-04-15 08:15 1374 ----a-w c:\windows\imsins.BAK
2009-04-15 03:05 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 03:05 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 03:05 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 03:05 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 03:05 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 03:05 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 03:05 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 03:05 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 03:05 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 03:05 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 03:04 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 03:04 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 03:04 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 22:32 . 2009-04-10 22:36 -------- d-----w C:\fixwareout
2009-04-01 05:22 . 2009-04-01 05:22 -------- d-----w c:\program files\GameTap Web Player
2009-04-01 05:02 . 2009-04-01 05:22 -------- d-----w c:\documents and settings\All Users\Application Data\GameTap Web Player
2009-03-30 08:36 . 2009-03-30 08:43 -------- d-----w C:\Lop SD
2009-03-25 21:48 . 2009-04-18 20:32 -------- d-----w c:\documents and settings\Christopher\Tracing
2009-03-25 21:46 . 2009-03-25 21:46 -------- d-----w c:\program files\Microsoft
2009-03-25 21:46 . 2009-03-25 21:46 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-25 21:43 . 2009-03-25 21:43 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-22 17:33 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-21 23:30 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-21 23:30 . 2009-03-21 23:30 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 20:30 . 2009-03-22 17:35 2684 ----a-w C:\aaw7boot.log
2009-04-18 20:14 . 2007-09-18 19:50 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-17 20:05 . 2006-11-03 21:10 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-17 09:01 . 2009-03-03 19:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 08:11 . 2008-02-01 00:31 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-12 08:25 . 2007-03-05 07:38 -------- d--h--w c:\documents and settings\Christopher\Application Data\Move Networks
2009-04-06 20:32 . 2009-03-03 19:22 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-03-03 19:22 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 05:22 . 2008-08-30 21:56 -------- d-----w c:\program files\GameTap
2009-03-30 08:43 . 2009-03-30 08:36 22908 ----a-w C:\lopR.txt
2009-03-30 05:58 . 2009-03-04 06:43 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-29 02:33 . 2006-11-04 04:55 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-29 02:33 . 2006-11-04 04:55 232 ---ha-w C:\sqmdata02.sqm
2009-03-25 21:45 . 2008-02-24 18:49 -------- d-----w c:\program files\Windows Live
2009-03-21 23:29 . 2008-07-11 02:50 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-17 15:05 . 2006-11-02 01:33 -------- d-----w c:\program files\Microsoft Works
2009-03-16 20:33 . 2006-11-09 03:10 244 ---ha-w C:\sqmnoopt12.sqm
2009-03-16 20:33 . 2006-11-09 03:10 232 ---ha-w C:\sqmdata12.sqm
2009-03-16 03:49 . 2006-11-09 00:57 244 ---ha-w C:\sqmnoopt11.sqm
2009-03-16 03:49 . 2006-11-09 00:57 232 ---ha-w C:\sqmdata11.sqm
2009-03-16 02:15 . 2006-11-08 22:28 244 ---ha-w C:\sqmnoopt10.sqm
2009-03-16 02:15 . 2006-11-08 22:28 232 ---ha-w C:\sqmdata10.sqm
2009-03-16 01:27 . 2006-11-08 19:13 244 ---ha-w C:\sqmnoopt09.sqm
2009-03-16 01:27 . 2006-11-08 19:13 232 ---ha-w C:\sqmdata09.sqm
2009-03-15 02:22 . 2006-11-08 18:09 244 ---ha-w C:\sqmnoopt08.sqm
2009-03-15 02:22 . 2006-11-08 18:09 232 ---ha-w C:\sqmdata08.sqm
2009-03-14 17:50 . 2007-10-06 07:18 -------- d-----w c:\program files\DivX
2009-03-14 17:49 . 2009-03-14 17:49 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-14 17:15 . 2006-11-02 01:23 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-14 17:15 . 2006-11-02 01:30 -------- d-----w c:\program files\Roxio
2009-03-14 16:53 . 2007-10-15 21:38 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-14 16:52 . 2007-09-16 00:28 -------- d-----w c:\program files\MagicISO
2009-03-14 16:51 . 2007-05-06 00:48 -------- d-----w c:\program files\SopCast
2009-03-14 16:42 . 2006-11-08 03:30 244 ---ha-w C:\sqmnoopt07.sqm
2009-03-14 16:42 . 2006-11-08 03:30 232 ---ha-w C:\sqmdata07.sqm
2009-03-14 04:25 . 2006-11-08 00:44 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-14 04:25 . 2006-11-08 00:44 232 ---ha-w C:\sqmdata06.sqm
2009-03-13 21:56 . 2006-11-06 03:28 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-13 21:56 . 2006-11-06 03:28 232 ---ha-w C:\sqmdata05.sqm
2009-03-13 06:17 . 2006-11-05 20:58 232 ---ha-w C:\sqmdata04.sqm
2009-03-13 06:17 . 2006-11-05 20:58 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-13 02:50 . 2006-11-05 00:27 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-13 02:50 . 2006-11-05 00:27 232 ---ha-w C:\sqmdata03.sqm
2009-03-11 04:02 . 2009-03-11 04:02 -------- d-----w c:\program files\Bonjour
2009-03-11 04:02 . 2007-07-17 03:48 -------- d-----w c:\program files\QuickTime
2009-03-07 10:51 . 2009-03-07 10:51 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-07 04:04 . 2009-03-07 04:04 -------- d-----w c:\documents and settings\Christopher\Application Data\KC Softwares
2009-03-07 04:02 . 2009-03-07 04:02 -------- d-----w c:\program files\KC Softwares
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 18:00 . 2009-03-05 18:00 -------- d-----w c:\program files\Avira
2009-03-05 18:00 . 2009-03-05 18:00 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-03-05 17:31 . 2009-03-05 17:31 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-04 19:36 . 2009-03-04 19:36 -------- d-----w c:\program files\Trend Micro
2009-03-04 19:31 . 2008-11-13 00:57 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-04 19:31 . 2006-11-02 01:20 -------- d-----w c:\program files\Java
2009-03-04 07:39 . 2006-11-06 18:15 93483 ----a-w C:\log.html
2009-03-04 06:43 . 2009-03-04 06:43 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-04 06:43 . 2009-03-04 06:43 -------- d-----w c:\documents and settings\Christopher\Application Data\SUPERAntiSpyware.com
2009-03-04 04:53 . 2009-03-04 04:53 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-03 19:22 . 2009-03-03 19:22 -------- d-----w c:\documents and settings\Christopher\Application Data\Malwarebytes
2009-03-03 19:22 . 2009-03-03 19:22 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 18:02 . 2007-02-16 19:15 -------- d-----w c:\program files\CCleaner
2009-03-03 07:33 . 2007-09-18 19:50 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-03 00:18 . 2006-11-02 01:21 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 19:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-26 09:18 . 2008-08-10 17:47 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 04:18 . 2006-11-04 01:37 232 ---ha-w C:\sqmdata01.sqm
2009-02-26 04:18 . 2006-11-04 01:37 244 ---ha-w C:\sqmnoopt01.sqm
2009-02-20 10:20 . 2007-05-09 12:47 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-10-27 08:44 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-10-27 08:42 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2005-08-16 10:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 10:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-10-16 01:10 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 20:01 . 2006-11-03 23:31 244 ---ha-w C:\sqmnoopt00.sqm
2009-02-08 20:01 . 2006-11-03 23:31 232 ---ha-w C:\sqmdata00.sqm
2009-02-08 00:02 . 2008-10-16 01:10 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-08 00:02 . 2004-08-04 04:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-07 03:45 . 2006-11-12 17:05 244 ---ha-w C:\sqmnoopt19.sqm
2009-02-07 03:45 . 2006-11-12 17:05 232 ---ha-w C:\sqmdata19.sqm
2009-02-06 23:52 . 2009-02-06 23:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-16 01:10 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2005-08-16 10:18 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-16 01:10 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-16 01:10 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 07:11 . 2006-11-12 06:37 244 ---ha-w C:\sqmnoopt18.sqm
2009-02-06 07:11 . 2006-11-12 06:37 232 ---ha-w C:\sqmdata18.sqm
2009-02-06 04:13 . 2006-11-12 01:18 232 ---ha-w C:\sqmdata17.sqm
2009-02-06 04:13 . 2006-11-12 01:18 244 ---ha-w C:\sqmnoopt17.sqm
2009-02-05 07:00 . 2006-11-10 20:16 244 ---ha-w C:\sqmnoopt16.sqm
2009-02-05 07:00 . 2006-11-10 20:16 232 ---ha-w C:\sqmdata16.sqm
2009-02-04 21:24 . 2006-11-10 19:11 244 ---ha-w C:\sqmnoopt15.sqm
2009-02-04 21:24 . 2006-11-10 19:11 232 ---ha-w C:\sqmdata15.sqm
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-05-24 05:10 . 2006-11-05 00:18 2516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]
"Google Update"="c:\documents and settings\Christopher\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

c:\documents and settings\Christopher\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-1 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-30 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2008-09-17 2560]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-03 19:41]

2009-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2489958550-2442091893-1468482008-1006.job
- c:\documents and settings\Christopher\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-16 08:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gamefaqs.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath - c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\p7ndh9bw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - plugin: c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\p7ndh9bw.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\p7ndh9bw.default\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
FF - plugin: c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\p7ndh9bw.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Christopher\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 15:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
"1"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,d6,9f,52,ce,23,dc,1a,
c2
"2"=hex:d1,c8,c3,5e,08,10,b9,8f,1e,fd,a6,7c,f5,6d,b0,f3,a6,71,8f,f8,ab,bd,bd,
76,64,10,04,f0,92,77,f9,20
"3"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,ac,98,11,9b,be,95,83,
07,ae,ba,7e,d8,e6,d6,56,50,c4,dc,bb,7b,18,78,a4,de,04,5c,25,4e,9f,d7,39,6d

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\CAE36273CE2083AC10451E2C33E7B63B]
"1"=hex:7e,63,ed,e4,ff,c6,da,b0,3c,b3,ff,e0,03,2b,bc,b2,7f,b3,d1,39,03,20,a9,
47,94,35,3b,94,b4,9c,b2,85
"2"=hex:82,9d,b7,04,75,a2,e0,2a
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
"8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8,a4,fc,cd,df,f6,b8,74,18,fa,
dd,30,dc,88,59,2a,92,45,f1,bd,1f,b7,30,80,7d,13,f4
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2112)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-04-18 15:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 20:44
ComboFix2.txt 2009-03-27 19:46
ComboFix3.txt 2009-03-07 03:21

Pre-Run: 6,753,918,976 bytes free
Post-Run: 6,861,676,544 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
333 --- E O F --- 2009-04-15 08:15


And the Goored thing:

GooredFix v1.92 by jpshortstuff
Log created at 16:10 on 18/04/2009 running Option #1 (Christopher)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{D103F826-6226-45FD-BB86-58ED9B3C5619}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}"



#8
April 18, 2009 at 15:01:43

Before you run the Kaspersky scan (this takes about 3 to 4 hrs.) at the bottom of this post, but after you have completed the other suggestions, let me know if you are still being redirected.

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\sqmnoopt02.sqm
C:\sqmdata02.sqm
C:\sqmnoopt12.sqm
C:\sqmdata12.sqm
C:\sqmnoopt11.sqm
C:\sqmdata11.sqm
C:\sqmnoopt10.sqm
C:\sqmdata10.sqm
C:\sqmnoopt09.sqm
C:\sqmdata09.sqm
C:\sqmnoopt08.sqm
C:\sqmdata08.sqm
C:\sqmnoopt07.sqm
C:\sqmdata07.sqm
C:\sqmnoopt06.sqm
C:\sqmdata06.sqm
C:\sqmnoopt05.sqm
C:\sqmdata05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt03.sqm
C:\sqmdata03.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt00.sqm
C:\sqmdata00.sqm
C:\sqmnoopt19.sqm
C:\sqmdata19.sqm
C:\sqmnoopt18.sqm
C:\sqmdata18.sqm
C:\sqmdata17.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt16.sqm
C:\sqmdata16.sqm
C:\sqmnoopt15.sqm
C:\sqmdata15.sqm

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Empty the restore folder. Go to Start>Control Panel>System>System Restore tab>check the box beside "Turn off System Restore">Apply (takes a minute)>OK. Go back and uncheck the box to turn System Restore back on>Apply>OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


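The redirect hijack being cleaned in this thread shows up in the GooredFix log as a GUID-named folder under C:\Program Files\Mozilla Firefox\extensions that nothing legitimate accounts for. The script below is an added example, not part of the original thread and not GooredFix's own code: it parses a GooredFix log of the shape posted above and applies a simplified heuristic (a GUID-shaped extension folder that is neither allowlisted nor registered under the HKLM Mozilla extensions keys is flagged). The directory listing it checks is constructed for the example; the one allowlisted ID is the Firefox 3 default theme, and the exact rules GooredFix itself uses are not documented on this page, so the heuristic is an assumption.

```python
"""Audit the global Firefox extensions directory for the kind of entry GooredFix
reports: a GUID-named extension folder that no registry extension entry or
allowlist accounts for. Simplified heuristic, not GooredFix's own logic."""
import ntpath
import re
from typing import Dict, List, Tuple

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)

# GUID-shaped IDs that are legitimate. The entry below is the Firefox 3 default
# theme; an operator extends this allowlist as known-good add-ons are confirmed.
KNOWN_GOOD_IDS = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}"}


def find_suspect_extensions(
    extension_dirs: List[str],
    registry_extensions: Dict[str, str],
    known_good=KNOWN_GOOD_IDS,
) -> List[str]:
    """Return the extension folders that match the Goored pattern.

    A folder is suspect when its name is a bare GUID, it is not allowlisted,
    and neither its ID nor its path appears among the HKLM extension entries
    (legitimate GUID add-ons such as Google Toolbar register themselves there).
    """
    registered_ids = {k.lower() for k in registry_extensions}
    registered_paths = {v.lower().rstrip("\\") for v in registry_extensions.values()}
    suspects = []
    for path in extension_dirs:
        ext_id = ntpath.basename(path.rstrip("\\"))
        if not GUID_RE.match(ext_id):
            continue  # e-mail-style IDs (jqs@sun.com) are not the pattern in question
        if ext_id.lower() in known_good:
            continue
        if ext_id.lower() in registered_ids or path.lower().rstrip("\\") in registered_paths:
            continue
        suspects.append(path)
    return suspects


def parse_goored_log(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Extract the suspect paths and the "name"="value" registry dump from a GooredFix log."""
    suspects: List[str] = []
    registry: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=====") and line.endswith("====="):
            section = line.strip("=")
            continue
        if not line or line.startswith("["):
            continue  # blank lines and [HKEY...] headers carry nothing we need
        if section == "Suspect Goored Entries":
            suspects.append(line)
        elif section == "Dumping Registry Values":
            m = re.match(r'"([^"]+)"="([^"]*)"', line)
            if m:
                registry[m.group(1)] = m.group(2)
    return suspects, registry


# Sample log in the format GooredFix writes (values taken from the log posted in this thread).
SAMPLE_LOG = r"""GooredFix v1.92 by jpshortstuff
Log created at 16:10 on 18/04/2009 running Option #1 (Christopher)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{D103F826-6226-45FD-BB86-58ED9B3C5619}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}"
"""

# Constructed directory listing (not a real machine): the hijacker folder from the
# log, the default theme, and a hypothetical add-on with an e-mail-style ID.
SAMPLE_EXTENSION_DIRS = [
    r"C:\Program Files\Mozilla Firefox\extensions\{D103F826-6226-45FD-BB86-58ED9B3C5619}",
    r"C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}",
    r"C:\Program Files\Mozilla Firefox\extensions\example@vendor.invalid",
]


def audit_sample() -> List[str]:
    """Run the heuristic over the constructed listing using the registry dump from the log."""
    _, registry = parse_goored_log(SAMPLE_LOG)
    return find_suspect_extensions(SAMPLE_EXTENSION_DIRS, registry)


if __name__ == "__main__":
    for path in audit_sample():
        print("suspect:", path)
```

On a live machine the listing would come from `os.listdir` of the extensions directory and the registry dump from `winreg`; the heuristic only narrows the list for a human to review, since a hijacker can just as easily pick an e-mail-style ID, which is why the helper in this thread also asks for the full registry dump rather than trusting the suspect list alone.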

#9
April 18, 2009 at 15:56:18
Thanks again for the help. Here are the logs I have so far.

Goored:

GooredFix v1.92 by jpshortstuff
Log created at 17:18 on 18/04/2009 running Option #2 (Christopher)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{D103F826-6226-45FD-BB86-58ED9B3C5619}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}"
.
.
.
.
COMBOFIX LOG:
ComboFix 09-04-19.01 - Christopher 04/18/2009 17:23.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.870 [GMT -5:00]
Running from: c:\documents and settings\Christopher\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Christopher\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata15.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata15.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm

.
((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-15 08:04 . 2009-04-15 08:15 1374 ----a-w c:\windows\imsins.BAK
2009-04-15 03:05 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 03:05 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 03:05 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 03:05 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 03:05 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 03:05 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 03:05 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 03:05 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 03:05 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 03:05 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 03:04 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 03:04 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 03:04 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 22:32 . 2009-04-10 22:36 -------- d-----w C:\fixwareout
2009-04-01 05:22 . 2009-04-01 05:22 -------- d-----w c:\program files\GameTap Web Player
2009-04-01 05:02 . 2009-04-01 05:22 -------- d-----w c:\documents and settings\All Users\Application Data\GameTap Web Player
2009-03-30 08:36 . 2009-03-30 08:43 -------- d-----w C:\Lop SD
2009-03-25 21:48 . 2009-04-18 22:28 -------- d-----w c:\documents and settings\Christopher\Tracing
2009-03-25 21:46 . 2009-03-25 21:46 -------- d-----w c:\program files\Microsoft
2009-03-25 21:46 . 2009-03-25 21:46 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-25 21:43 . 2009-03-25 21:43 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-22 17:33 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-21 23:30 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-21 23:30 . 2009-03-21 23:30 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 22:28 . 2009-03-22 17:35 2908 ----a-w C:\aaw7boot.log
2009-04-18 21:06 . 2006-11-03 21:10 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-18 20:14 . 2007-09-18 19:50 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-17 09:01 . 2009-03-03 19:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 08:11 . 2008-02-01 00:31 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-12 08:25 . 2007-03-05 07:38 -------- d--h--w c:\documents and settings\Christopher\Application Data\Move Networks
2009-04-06 20:32 . 2009-03-03 19:22 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-03-03 19:22 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 05:22 . 2008-08-30 21:56 -------- d-----w c:\program files\GameTap
2009-03-30 08:43 . 2009-03-30 08:36 22908 ----a-w C:\lopR.txt
2009-03-30 05:58 . 2009-03-04 06:43 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-25 21:45 . 2008-02-24 18:49 -------- d-----w c:\program files\Windows Live
2009-03-21 23:29 . 2008-07-11 02:50 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-17 15:05 . 2006-11-02 01:33 -------- d-----w c:\program files\Microsoft Works
2009-03-14 17:50 . 2007-10-06 07:18 -------- d-----w c:\program files\DivX
2009-03-14 17:49 . 2009-03-14 17:49 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-14 17:15 . 2006-11-02 01:23 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-14 17:15 . 2006-11-02 01:30 -------- d-----w c:\program files\Roxio
2009-03-14 16:53 . 2007-10-15 21:38 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-14 16:52 . 2007-09-16 00:28 -------- d-----w c:\program files\MagicISO
2009-03-14 16:51 . 2007-05-06 00:48 -------- d-----w c:\program files\SopCast
2009-03-11 04:02 . 2009-03-11 04:02 -------- d-----w c:\program files\Bonjour
2009-03-11 04:02 . 2007-07-17 03:48 -------- d-----w c:\program files\QuickTime
2009-03-07 10:51 . 2009-03-07 10:51 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-07 04:04 . 2009-03-07 04:04 -------- d-----w c:\documents and settings\Christopher\Application Data\KC Softwares
2009-03-07 04:02 . 2009-03-07 04:02 -------- d-----w c:\program files\KC Softwares
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 18:00 . 2009-03-05 18:00 -------- d-----w c:\program files\Avira
2009-03-05 18:00 . 2009-03-05 18:00 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-03-05 17:31 . 2009-03-05 17:31 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-04 19:36 . 2009-03-04 19:36 -------- d-----w c:\program files\Trend Micro
2009-03-04 19:31 . 2008-11-13 00:57 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-04 19:31 . 2006-11-02 01:20 -------- d-----w c:\program files\Java
2009-03-04 07:39 . 2006-11-06 18:15 93483 ----a-w C:\log.html
2009-03-04 06:43 . 2009-03-04 06:43 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-04 06:43 . 2009-03-04 06:43 -------- d-----w c:\documents and settings\Christopher\Application Data\SUPERAntiSpyware.com
2009-03-04 04:53 . 2009-03-04 04:53 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-03 19:22 . 2009-03-03 19:22 -------- d-----w c:\documents and settings\Christopher\Application Data\Malwarebytes
2009-03-03 19:22 . 2009-03-03 19:22 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 18:02 . 2007-02-16 19:15 -------- d-----w c:\program files\CCleaner
2009-03-03 07:33 . 2007-09-18 19:50 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-03 00:18 . 2006-11-02 01:21 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2006-10-17 19:04 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-26 09:18 . 2008-08-10 17:47 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-20 10:20 . 2007-05-09 12:47 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-10-27 08:44 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-10-27 08:42 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2005-08-16 10:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 10:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-10-16 01:10 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2008-10-16 01:10 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-08 00:02 . 2004-08-04 04:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 23:52 . 2009-02-06 23:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-16 01:10 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2005-08-16 10:18 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-16 01:10 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-10-16 01:10 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2005-08-16 10:18 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-03 00:50 . 2006-11-10 01:04 244 ---ha-w C:\sqmnoopt14.sqm
2009-02-03 00:50 . 2006-11-10 01:04 232 ---ha-w C:\sqmdata14.sqm
2009-02-02 22:45 . 2006-11-09 03:10 244 ---ha-w C:\sqmnoopt13.sqm
2009-02-02 22:45 . 2006-11-09 03:10 232 ---ha-w C:\sqmdata13.sqm
2009-01-27 01:34 . 2009-01-27 01:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 . 2009-01-27 01:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 . 2009-01-27 01:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 . 2009-01-27 01:34 684032 ----a-w c:\windows\system32\DivX.dll
2008-11-04 02:30 . 2006-11-03 21:30 76400 -c--a-w c:\documents and settings\Christopher\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-27 03:53 . 2008-08-27 03:47 162 ----a-w c:\documents and settings\Christopher\Application Data\wklnhst.dat
2008-03-17 21:40 . 2008-03-17 21:40 168272 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2006-11-03 21:30 . 2006-11-03 20:21 134 -c--a-w c:\documents and settings\Christopher\Local Settings\Application Data\fusioncache.dat
2005-08-17 02:52 . 2005-08-17 02:52 136 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-05-24 05:10 . 2006-11-05 00:18 2516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-18_20.40.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 22:28 . 2009-04-18 22:28 16384 c:\windows\temp\Perflib_Perfdata_1d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]
"Google Update"="c:\documents and settings\Christopher\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

c:\documents and settings\Christopher\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-1 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-30 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2008-09-17 2560]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-03 19:41]

2009-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2489958550-2442091893-1468482008-1006.job
- c:\documents and settings\Christopher\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-16 08:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gamefaqs.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath - c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\p7ndh9bw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - plugin: c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\p7ndh9bw.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\p7ndh9bw.default\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
FF - plugin: c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\p7ndh9bw.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Christopher\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 17:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\CAE36273CE2083AC10451E2C33E7B63B]

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(252)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-04-18 17:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 22:36
ComboFix2.txt 2009-04-18 20:44
ComboFix3.txt 2009-03-27 19:46
ComboFix4.txt 2009-03-07 03:21

Pre-Run: 6,858,444,800 bytes free
Post-Run: 6,842,851,328 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
388 --- E O F --- 2009-04-15 08:15

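The ComboFix log above is what the helper reads by eye. As an added example (not from the thread, and not ComboFix's own code), here is a small Python triage parser run over a constructed excerpt in the same shape: it pulls out the Firefox plugin paths, the DLLs listed under each running process and catchme's hidden-file count, then lists anything loaded from outside the vendor directories for review. The trusted roots are an assumption for this XP layout; a flagged path is a review item, not a verdict (the profile-directory plugin in the excerpt belongs to a legitimate extension).

```python
import re

# Assumption: vendor/system directories on this Windows XP box; anything loaded
# from elsewhere (user profile, temp dirs) goes on the review list.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Constructed excerpt in the shape of the ComboFix log above (not the full log).
SAMPLE_LOG = """\
FF - plugin: c:\\documents and settings\\Christopher\\Application Data\\Mozilla\\Firefox\\Profiles\\p7ndh9bw.default\\extensions\\firefox@tvunetworks.com\\plugins\\npTVUAx.dll
FF - plugin: c:\\program files\\Mozilla Firefox\\plugins\\np-mswmp.dll
hidden files: 0
- - - - - - - > 'winlogon.exe'(696)
c:\\program files\\SUPERAntiSpyware\\SASWINLO.dll

- - - - - - - > 'explorer.exe'(252)
c:\\windows\\system32\\WPDShServiceObj.dll
"""

PROC_HDR = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)")  # process header line
HIDDEN = re.compile(r"^hidden files: (\d+)")                    # catchme summary line


def parse_combofix(text):
    """Pull FF plugin paths, per-process DLL lists and the hidden-file count."""
    parsed = {"plugins": [], "injected": {}, "hidden_files": None}
    current = None  # process whose DLL list we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("FF - plugin:"):
            parsed["plugins"].append(line.split(":", 1)[1].strip())
            current = None
        elif m := PROC_HDR.match(line):
            current = m.group(1)
            parsed["injected"].setdefault(current, [])
        elif m := HIDDEN.match(line):
            parsed["hidden_files"] = int(m.group(1))
        elif current and line.lower().startswith(("c:\\", "d:\\")):
            parsed["injected"][current].append(line)
        else:
            current = None  # blank or unrelated line ends the DLL list
    return parsed


def review_items(parsed):
    """(context, path) pairs loaded from outside TRUSTED_ROOTS: review, not verdict."""
    flagged = [("plugin", p) for p in parsed["plugins"]
               if not p.lower().startswith(TRUSTED_ROOTS)]
    for proc, dlls in parsed["injected"].items():
        flagged += [(proc, d) for d in dlls if not d.lower().startswith(TRUSTED_ROOTS)]
    return flagged
```

On a saved ComboFix.txt the same call is `review_items(parse_combofix(open(path).read()))`; each returned pair is a location an analyst should look at by hand.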
#10
April 18, 2009 at 16:00:34
Now I have clicked around about 20 Google links and not one has been redirected so far! Now this virus is strange because there are times when I would only get redirected about 20 percent of the time and then some days it would be nearly 90 percent.

This time things are looking good! I want to make sure it's gone though, so would it be alright if I took some more time to click around and see how well things run today? Thank you so much for your help so far, I could not end this thing for the life of me. Unless you tell me otherwise, I'm going to see how it goes for a couple of hours and I will post back if I am still problem free or if the problems pop up again.

I have not yet run the last scan you suggested.



#11
April 18, 2009 at 17:11:47
The last scan can be delayed a few hours, but it is important that it gets run, as no one tool finds all the files. If something is lurking around it needs to be removed promptly to prevent a reinfection. Also there is some recommended follow-up.


#12
April 18, 2009 at 17:35:24
I understand. Things still look good too. I will start the next scan in about an hour.


#13
April 19, 2009 at 00:52:29
Ok here are the results!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 19, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 19, 2009 02:00:10
Records in database: 2059402
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
H:\

Scan statistics:
Files scanned: 221132
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 06:11:20

No malware has been detected. The scan area is clean.

The selected area was scanned.



#14
April 19, 2009 at 05:24:57
Your computer appears to be clean.


Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?



#15
April 19, 2009 at 09:48:50
Thank you so much. Everything seems great. Before I end this however I want to give my PC a restart. It seems that in the past the problems would get worse after a restart, as if the virus was reasserting itself upon start up. Would it be ok if I restart my computer to see if things are still good or are there more steps to take first?


#16
April 19, 2009 at 10:07:34
Please restart the computer. I don't expect any problems.


#17
April 19, 2009 at 10:22:54
Wow, everything appears to be working great. I have been trying to get rid of this thing for days! Thank you so much for the help. What was that? Why was it so hard to get rid of? I appreciate all the timely help. That redirecting problem was most annoying. Thank you so very much!


#18
April 19, 2009 at 11:14:17
A variant of Vundo.

Glad we could help.



#19
May 3, 2009 at 19:29:23
Thank you so much jabuck, I used your replies to help solve the same problem myself. I knew I should have really gotten individual help on this one to avoid screwing up my computer with all the different programs, but so far, everything looks good. Now I'm just wondering why I got the problem in the first place...
