I definitely had/have the Google Redirect Virus. I would appreciate advice in finishing the cleanup. jabuck posted advice on 11/16/2008 under a related thread entitled "Google redirect virus". I followed the first part of jabuck's advise which was to download and run a quick scan using MalwareBytes. MalwareBytes found and fixed the following: Trojan.Agent C:\WINDOWS\SYSTEM32\sysaudio.sys Trojan.Agent C:\WINDOWS\hosts Hijack.StartMenu HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorere\Advanced\StartMenuLogOff After a reboot my PC "appears" to be working aok now, but jabuck also advised to follow up MalwareBytes with Hijack This. I did as he said, and now I have a log from Hijack This that I would like to post here and ask: What do I do next? or Does the log say I am now "clean"? This website is asking me to not post my Hijack This log until someone specifically requests it. I used this site to analyze it: http://hijackthis.de/index.php?lang... and obtained the following automatic analysis advice: 1) A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest version of the service pack. 2) It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. You can look here for a good anti-virus scanner. 3) We didn't detect any active process of a firewall on your system. On item 1) I will check for a newer servie pack (I currently have Windows XP SP3) For item 2) I am using AVG. Why doesnt Hijack This detect it? For item 3) I *DO* have the Windows Firewall off, but am relying on AVG's Firewall. While I am waiting for a reply I will check for an updated service pack, run AdAware, Spybot and do a full scan with AVG. THANKS IN ADVANCE !

The other scans will not be necessary as they will not help. The Hijack This warning is because the forum rules state that to post a Hijack This log it must be at the request of a helper. Please post a new Malwarebytes log and a Hijack This log.

Thanks, jabuck. Here is the Malwarebytes log: Malwarebytes' Anti-Malware 1.31 Database version: 1512 Windows 5.1.2600 Service Pack 3 12/18/2008 7:02:49 AM mbam-log-2008-12-18 (07-02-49).txt Scan type: Quick Scan Objects scanned: 96726 Time elapsed: 47 minute(s), 50 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\SYSTEM32\sysaudio.sys (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully. --- Here is the Hijack This log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:18:19 AM, on 12/18/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\PROGRA~1\AVG\AVG8\avgfws8.exe C:\Program Files\Maxtor\Sync\SyncServices.exe C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\ScsiAccess.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgam.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\unzipped\WakeupOnStandBy\wosb.exe C:\Documents and Settings\topreed\Application Data\Google\Update\GoogleUpdate.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe C:\Documents and Settings\topreed\Start Menu\Programs\Startup\ScreenRez.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\system32\NOTEPAD.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\topreed\Desktop\HiJackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001 O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [WOSB] "C:\unzipped\WakeupOnStandBy\wosb.exe" /run /systray date="12/19/2008" time="07:17:12 AM" standbywait="4:0:0" /psbh weekdays=34 /ast kv="1" O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\topreed\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user') O4 - Startup: ScreenRez.exe O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe O4 - Global Startup: officejet 6100.lnk = ? O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/as... O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/as... O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.charter.com/sdccommo... O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.charter.com/sdccommo... O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommo... O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rs... O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin... O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/as... O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://ssl.city.waltham.ma.us/dana-cached/setup/NeoterisSetup.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/... O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso... O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFIL... O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/OIFActiveX/ofmctlnew.cab O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/70... O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Protocol: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - C:\Program Files\Offline Commander\SSP.DLL O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\ O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.exe -- End of file - 11749 bytes Thanks again!

Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3 Combofix is a powerful tool so follow the instructions exactly or you could damage your computer. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. In your case to run Combofix do the following: 1. Go offline turn off your AVG antivirus, Spybot, Ad-Aware and any other antispyware that you may have. 2. Run Combofix and save its log. 3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned. 4. Post the Combofix log. Remember to re-enable the protection again afterwards before connecting to the Internet. Double-click combofix.exe Follow the prompts. (Don't click on the window while the program is running or move the mouse, it will cause your system to hang.) Please post the log it produces.

I understood you to say disable anti-spam. AVG anti-spam I have disabled -- correct? Here is the ComboFix log. ComboFix 08-12-18.01 - topreed 2008-12-18 21:24:27.1 - [color=red][b]FAT32[/b][/color]x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.294 [GMT -5:00] Running from: c:\documents and settings\topreed\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\topreed\LOCALS~1\Temp\install_flash_player.exe c:\windows\start.exe c:\windows\system32\ntnet.drv c:\windows\system32\windows.scr c:\windows\Web\default.htt . ((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 ))))))))))))))))))))))))))))))) . 2008-12-18 06:09 . 2008-12-18 06:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-12-18 06:09 . 2008-12-18 06:09 <DIR> d-------- c:\documents and settings\topreed\Application Data\Malwarebytes 2008-12-18 06:09 . 2008-12-18 06:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-18 06:09 . 2008-12-03 19:54 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys 2008-12-18 06:09 . 2008-12-03 19:54 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys 2008-12-17 10:03 . 2008-12-17 10:03 <DIR> d-------- c:\documents and settings\topreed\Application Data\Deployment . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-12 17:01 3,067,904 ------w c:\windows\SYSTEM32\dllcache\mshtml.dll 2008-11-19 17:47 165,584 ----a-w c:\documents and settings\topreed\Application Data\GDIPFONTCACHEV1.DAT 2008-11-05 19:28 90,632 ----a-w c:\windows\system32\drivers\avgtdix.sys 2008-11-05 19:28 50,968 ----a-w c:\windows\SYSTEM32\avgfwdx.dll 2008-11-05 19:28 29,208 ----a-w c:\windows\system32\drivers\avgfwdx.sys 2008-10-30 17:44 98,440 ----a-w c:\windows\system32\drivers\avgldx86.sys 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-24 11:21 455,296 ------w c:\windows\SYSTEM32\dllcache\mrxsmb.sys 2008-10-23 12:36 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll 2008-10-23 12:36 286,720 ------w c:\windows\SYSTEM32\dllcache\gdi32.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\dllcache\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\dllcache\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\dllcache\wuapi.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\dllcache\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\dllcache\cdm.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe 2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\dllcache\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\dllcache\wups.dll 2008-10-16 19:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll 2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll 2008-10-16 01:00 666,112 ----a-w c:\windows\SYSTEM32\wininet.dll 2008-10-16 01:00 666,112 ------w c:\windows\SYSTEM32\dllcache\wininet.dll 2008-10-16 01:00 619,520 ------w c:\windows\SYSTEM32\dllcache\urlmon.dll 2008-10-16 01:00 1,499,136 ------w c:\windows\SYSTEM32\dllcache\shdocvw.dll 2008-10-15 17:34 337,408 ------w c:\windows\SYSTEM32\dllcache\netapi32.dll 2008-10-03 10:02 247,326 ----a-w c:\windows\SYSTEM32\strmdll.dll 2008-10-03 10:02 247,326 ------w c:\windows\SYSTEM32\dllcache\strmdll.dll 2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll 2007-06-27 01:52 115 ----a-w c:\documents and settings\topreed\Application Data\fusioncache.dat 2006-02-20 11:21 30 ----a-w c:\program files\Exiferupdate.ini 2001-11-17 21:24 4,296,216 ----a-w c:\program files\ICQ2001b.exe 2000-10-13 21:56 271 --sh--w c:\program files\desktop.ini 2000-10-13 21:56 23,357 ---h--w c:\program files\folder.htt . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WOSB"="c:\unzipped\WakeupOnStandBy\wosb.exe" [2008-03-06 446464] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624] "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264] "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\progra~1\MESSEN~1\msmsgs.exe" [2008-04-13 1695232] "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "Printing Migration"="c:\windows\System32\spool\migrate.dll" [2001-08-23 30208] c:\documents and settings\topreed\Start Menu\Programs\Startup\ ScreenRez.exe [2006-03-15 32768] c:\documents and settings\All Users\Start Menu\Programs\Startup\ officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 147456] Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-10 24633] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.exe [2000-08-10 65588] hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 323646] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.VDOM"= vdowave.drv "VIDC.JPEG"= jpegCode.dll "VIDC.MJPG"= jpegCode.dll "msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm "aux2"= sysaudio.sys [HKLM\~\startupfolder\C:^Documents and Settings^topreed^Start Menu^Programs^Startup^ScreenRez.exe] path=c:\documents and settings\topreed\Start Menu\Programs\Startup\ScreenRez.exe backup=c:\windows\pss\ScreenRez.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^topreed^Start Menu^Programs^Startup^VirtualExpander.lnk] path=c:\documents and settings\topreed\Start Menu\Programs\Startup\VirtualExpander.lnk backup=c:\windows\pss\VirtualExpander.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY] --a------ 2008-11-27 08:33 1261336 c:\progra~1\AVG\AVG8\avgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] --a------ 2008-12-17 10:03 133104 c:\documents and settings\topreed\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2007-03-14 19:05 257088 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio] --a------ 2000-08-10 12:00 311350 c:\program files\Microsoft Works\wkssb.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2000-07-19 09:00 176183 c:\program files\Microsoft Money\System\Money Express.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector] --a------ 2006-09-14 15:38 249927 c:\program files\Picasa2\PicasaMediaDetector.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] --------- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskSwitchXP] --a------ 2006-08-04 17:29 62976 c:\program files\TaskSwitchXP\TaskSwitchXP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] -ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2003-06-24 18:32 323584 c:\windows\SYSTEM32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "x10nets"=3 (0x3) "avg8wd"=2 (0x2) "avgfws8"=2 (0x2) "avg8emc"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys] "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme "WorksFUD"=c:\program files\Microsoft Works\wkfud.exe "Promon.exe"=Promon.exe "SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe "SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe "NVQuickTweak"=RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit "DadApp"=c:\program files\DELL\AccessDirect\dadapp.exe "CPortPatch"=c:\windows\Quick Install\CPPatch.exe "PRPCMonitor"=PRPCUI.exe "MMTray"=c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe "LoadQM"=loadqm.exe "BayMgr"=DockApp.exe "IrMon"=irmon.exe "hf"=c:\program files\HIDEFOLDERS\HF.exe /s "QuickTime Task"=c:\windows\SYSTEM32\qttask.exe "RegShave"=c:\progra~1\REGSHAVE\REGSHAVE.exe /autorun "BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe "tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" /server "TkBellExe"=c:\program files\Common Files\Real\Update_OB\realsched.exe -osboot "Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Media Player\\wmplayer.exe"= "c:\\WINDOWS\\System32\\dpvsetup.exe"= "c:\\Program Files\\ICQ\\Icq.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-04-21 12936] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-04-21 98440] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-04-21 90632] R2 NICSer_WPC11;NICSer_WPC11;c:\program files\Linksys\Wireless Network PC Card\NICServ.exe [2003-08-01 441344] R3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2008-04-21 29208] R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [2002-12-21 174464] S1 spusbaudio;USB Microphone;c:\windows\system32\drivers\CA506AA.sys [2003-12-28 39824] S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2008-04-21 29208] S3 Dual Mode;Dual Mode Video Capture;c:\windows\system32\DRIVERS\CoachVc.sys [2004-11-26 44928] S3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\system32\DRIVERS\islp2nds.sys [2002-10-03 611840] S3 ndcprtns;NDC Network Agent;c:\windows\system32\drivers\ndcprtns.sys [] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000] S3 PRISM;Instant Wireless - Network PC CARD Driver;c:\windows\system32\DRIVERS\PRISMNDS.sys [2001-11-26 52736] S3 SPCA506AV;X10 VA11A Video Capture;c:\windows\system32\DRIVERS\CA506AV.SYS [2003-12-28 162096] S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-23 874776] S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-04-21 231704] S4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2008-11-05 1212184] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e0fe3a0-b40f-11dc-8361-0020e06ccd96}] \Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe *Newly Created Service* - PROCEXP90 [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA] rundll rnasetup.dll,installoptionalcomponent rna [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] "c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] "c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install "c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}] "c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}] "c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install "c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl . Contents of the 'Scheduled Tasks' folder 2008-12-18 c:\windows\Tasks\GoogleUpdateTaskUser.job - c:\documents and settings\topreed\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 10:03] . - - - - ORPHANS REMOVED - - - - ShellIconOverlayIdentifiers-{E4000AC4-5E5F-4956-807A-C5854405D64F} - %SystemRoot%\system32\VirtualExpander\VEShellExt.dll Notify-avgwlntf - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = 127.0.0.1;localhost uInternet Settings,ProxyServer = 127.0.0.1:4001 uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: Download All Files by HiDownload - c:\program files\HiDownload\HDGetAll.htm IE: Download by HiDownload - c:\program files\HiDownload\HDGet.htm Handler: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - c:\program files\Offline Commander\ssp.dll Name-Space Handler: ftp\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\SYSTEM32\NZDD.DLL Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\SYSTEM32\NZDD.DLL O16 -: DirectAnimation Java Classes - c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd c:\windows\SYSTEM32\MSVCRT.DLL - c:\windows\SYSTEM32\MFC42.DLL c:\windows\SYSTEM32\OLEPRO32.DLL c:\windows\SYSTEM32\msvcp60.DLL c:\windows\Downloaded Program Files\ofmctl.lic c:\windows\Downloaded Program Files\ofmctl.dll O16 -: {B2FCED61-570E-11D3-B160-00A0C9E70E84} hxxps://www4.lsac.org/OIFActiveX/ofmctlnew.cab c:\windows\Downloaded Program Files\ofmctl.inf . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-18 21:27:08 Windows 5.1.2600 Service Pack 3 FAT NTAPI scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(696) c:\windows\system32\avgrsstx.dll - - - - - - - > 'lsass.exe'(760) c:\windows\system32\avgrsstx.dll . Completion time: 2008-12-18 21:28:17 ComboFix-quarantined-files.txt 2008-12-19 02:28:16 Pre-Run: 349,093,888 bytes free Post-Run: 2,419,228,672 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout = 30 default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn 260 --- E O F --- 2008-12-12 03:29:09

Your java is out of date and may have been exploited. Download the latest version of java from this link Java Click on the JRE 6 Update 11 download button. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version. Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux2"=- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run". Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Download ATF Cleaner from this link: http://www.majorgeeks.com/ATF_Cleaner_d4949.html Run ATF-Cleaner Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Run an online scan with Kaspersky from the following link: Kaspersky Online Scanner Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component 1. Click Accept, when prompted to download and install the program files and database of malware definitions. 2. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. 3.Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan. 4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. 5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. 6. Click View scan report at the bottom. 7. Click the Save Report As... button. 8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply. **Note** To optimize scanning time and produce a more sensible report for review: Close any open programs. Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan. Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Kaspersky has been running for almost 4 hours and is only 60% complete. I had shutdown AVG completely as your instructions (and Kaspersky's) suggest shutting down antivirus or antispyware programs before running Kaspersky. AVG is also my firewall. I became nervous leaving the firewall off for this long (plus possibly another 3 hours) so I have just turned the Windows Firewall on. (AVG is still off, of course) -- Is that OK? Better yet I would like to unplug my connection to the internet for the duration, but Kaspersky was fired up from it's internet site. If I reconnect at, say, 90% complete would that be ok?