Solved Google, Yahoo & other Internet search engines not working

May 15, 2012 at 10:23:01
Specs: Windows XP, Intel Core Duo CPU E8400 @ 3GHz/3.25GB of RAM

The search function in Google, Yahoo and other search engines is not working on my computer. I'm running Windows XP SP2, IE or Firefox, ESET NOD32 antivirus, Spybot S&D. I've deleted and replaced my hosts file, with no improvement. I can search with Yippy.

Google searches never finish loading and connection times out, otherwise no errors are reported.


✔ Best Answer
May 24, 2012 at 12:37:49

I'm still here.

After the above.

Run HJT & use Fix checked to remove this >
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)

Recapping, to me it looks like MBAM, TDSS Killer, ipconfig /flushdns & ComboFix did the main part of the fixing. I deliberately left ComboFix to last, because it can leave some things disabled (which is normal when removing infected parts) & that scares most people; I never hear from them again, probably because they format. I prefer to do it in small steps.
What do you think?

The rest of the work was necessary, so that no stone was left unturned. With 55,000 new unique malware samples per day, no one program can keep up with it.
http://www.southcoastregister.com.a...

You should install SP3 & update your Java. Any problems installing SP3, make sure you get the EXACT error message & put it into Google. A common reason for not being able to install is because you are infected. Now you are clean, you should be OK. Post back here if it won't install.
Download XP SP3
http://www.microsoft.com/download/e...

To remove old and redundant versions of the Java Runtime Environment:
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://raproducts.org/wordpress/
What JavaRa does is check if your computer has the latest version of the Java Runtime Environment (JRE).
If the version you have installed has been superseded by a newer version, the program will download and install this newer version for you by running Java's update program.
JavaRa then allows you to remove all possible older versions of this program. This way it will ensure that the security of your PC is enhanced and will create extra space on your hard disk.

Reduce your Java Cache
http://www.steveshank.com/Newslette...
Dumping Java cache improves browser performance
http://windowssecrets.com/2009/11/1...

Also, I use all of these, they don't clash with anything else.

Adblock Plus
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
https://addons.mozilla.org/firefox/...

Ghostery
http://www.ghostery.com/
http://www.ghostery.com/download
Firefox
https://addons.mozilla.org/en-US/fi...
Internet Explorer
http://www.ghostery.com/download-ie
Chrome
https://chrome.google.com/extension...
Opera
https://addons.opera.com/addons/ext...
Protect your privacy. See who's tracking your web browsing and block them with Ghostery.

Hack lets intruders sneak into home routers
http://tinyurl.com/4pz64fc
http://compnetworking.about.com/od/...
If you haven't changed the default password on your home router, let this recent threat serve as a reminder.



#1
May 15, 2012 at 11:32:57

Is your Internet working fine otherwise? Are you able to connect a messenger to the Internet and use it? Are other programs able to access the Internet okay?

Jonas "Jackal" Lear
http://www.sbccrew.com
Serving the South Bay Since 1999



#2
May 15, 2012 at 15:47:01

Yes, my Internet is working fine otherwise. I am using Mozilla Thunderbird for my email messenger and that works fine. Even my Gmail account works. The only things that don't work are search engines like Google and Yahoo. Some websites that use Google also are slow to load or never load at all. I can use Gmail just fine, but not the Google calendar. My ESET antivirus software connects to the Internet for updates regularly with no problems.

thanks.



#3
May 16, 2012 at 09:08:01

I posted this question on Spybot safer networking forums:
http://forums.spybot.info/showthrea...


#4
May 17, 2012 at 03:07:01

Try resetting your search in Firefox, by using Safe Mode.

Safe Mode
http://support.mozilla.org/en-US/kb...

Another possibility to try.

Disable all add-ons in Firefox, Internet Explorer
http://news.cnet.com/8301-13880_3-1...




#5
May 17, 2012 at 14:42:16

I disabled all add-ons and even uninstalled/reinstalled Firefox and IE and downloaded and installed Bing. Didn't fix it.

What do you mean by resetting my search in Safe Mode? Just opening Firefox in Safe Mode and trying to use a search engine?



#6
May 17, 2012 at 14:45:49

Oh, I see what you mean:

To disable all of Firefox's add-ons, you have to open the browser in its Safe Mode (no relation to Windows' own Safe Mode) by clicking Start > All Programs > Mozilla Firefox > Mozilla Firefox (Safe Mode). A quicker way is to press the Windows key (in XP, follow this by pressing R), type Firefox -safe-mode, and press Enter.

This didn't solve my problem, but thanks, it's good to know how to do this.



#8
May 17, 2012 at 15:32:12

I just located your Spybot post on this link.
http://forums.spybot.info/showthrea...

Infection has enabled proxy
http://www.bleepingcomputer.com/vir...
Start > Control Panel > Internet Options > Connections > LAN settings, untick > Use a proxy server for your LAN. Click OK twice.

Also, install this & remove any Search / toolbars using Advanced mode.

Revo Uninstaller
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.revouninstaller.com/
If you have partially uninstalled your program, you get a message from Revo that it can't find the uninstaller; hit Cancel & let Revo continue on to search for the remnants.
If you get a reboot message, ignore it & do it after Revo has finished.
I use Advanced Mode. Screenshots of how to use it:
http://img196.imageshack.us/slidesh...
Or,
http://i.imgur.com/Rkkna.gif
http://i.imgur.com/VonCA.gif
http://i.imgur.com/fGmmb.gif
http://i.imgur.com/pdhbV.gif
http://i.imgur.com/6Rq1u.gif
http://i.imgur.com/PmafS.gif
http://i.imgur.com/WKAzw.gif
http://i.imgur.com/wHj6v.gif
http://i.imgur.com/PUV7S.gif



#10
May 17, 2012 at 17:21:38

I installed Revo, what should I remove with it? I don't see any Search / toolbars in my list of programs.

In my internet settings, the box for using a proxy was not checked. Do I leave it unchecked?


thanks so much



#11
May 17, 2012 at 17:31:37

"I installed Revo, what should I remove with it? I don't see any Search / toolbars in my list of programs"

uSearch Bar (as per your DDS log at Spybot).
Use the Revo Search (top left) if you can't find it; try keywords > search or bar or tool.

"In my internet settings, the box for using a proxy was not checked. Do I leave it unchecked?"
Yep.



#12
May 17, 2012 at 17:36:20

I'm having trouble downloading from Softpedia; I keep downloading Free Download Manager when I click on the download button for each of these programs. The title of the page says the program I want to download, but I can't find the right file anywhere. Do you know what Free Download Manager is? Should I uninstall that?


#13
May 17, 2012 at 17:40:07

You are probably clicking the wrong link; here is the correct one.

http://www.softpedia.com/dyn-postdo...



#14
May 17, 2012 at 17:41:32

I see a program called SearchAssist, get rid of that?


#15
May 17, 2012 at 17:43:34

Thanks, yes, I was confused about which link to click.


#16
May 17, 2012 at 17:50:40

"I see a program called SearchAssist, get rid of that"

Let me google that, unless you can track it down in your programs & tell me more about it.



#17
May 17, 2012 at 17:56:13

SearchAssist is from Dell; I've never used it that I know of.

I don't have uSearch Bar in my list of programs.



#18
May 17, 2012 at 17:57:32

SearchAssist program

http://is.gd/aeQTov

It is part of Dell's setup, if you have always had the Search problem, maybe it is the cause.

http://dellsearchedit.myway.com/sam...



#19
May 17, 2012 at 17:59:37

Softpedia downloading.

http://i.imgur.com/vGvML.gif
http://i.imgur.com/Fp7Eo.gif



#20
May 21, 2012 at 11:04:48

Thanks for the explanations. The search problem only started a couple of months ago. I removed SearchAssist anyway, but searches still aren't working. I downloaded Comodo Dragon and searches don't work on that browser either. I ran Malwarebytes and it detected and deleted some files, then I ran SUPER and it didn't detect anything.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.17.08

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Cad User :: JUDY [administrator]

5/17/2012 6:09:28 PM
mbam-log-2012-05-17 (18-09-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235173
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 25
HKCR\CrossriderApp0002258.BHO (PUP.CrossFire.Gen) -> No action taken.
HKCR\CrossriderApp0002258.BHO.1 (PUP.CrossFire.Gen) -> No action taken.
HKCR\CrossriderApp0002258.FBApi (PUP.CrossFire.Gen) -> No action taken.
HKCR\CrossriderApp0002258.FBApi.1 (PUP.CrossFire.Gen) -> No action taken.
HKCR\CrossriderApp0002258.Sandbox (PUP.CrossFire.Gen) -> No action taken.
HKCR\CrossriderApp0002258.Sandbox.1 (PUP.CrossFire.Gen) -> No action taken.
HKCU\SOFTWARE\I WANT THIS (PUP.GamesPlayLab) -> No action taken.
HKLM\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> No action taken.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> No action taken.
HKCR\CLSID\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044224458} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055225558} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.BHO.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CLSID\{22222222-2222-2222-2222-220022222258} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.Sandbox.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.Sandbox (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CLSID\{33333333-3333-3333-3333-330033223358} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.FBApi.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.FBApi (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.BHO (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\2258 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\Software\I Want This|HelperRunningVersion (PUP.GamesPlayLab) -> Data: 149 -> No action taken.
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 472846d7ebc34050a93d810710e233f7 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\I Want This|Publisher (Adware.GamePlayLab) -> Data: 215 Apps -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 3
C:\Program Files\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cad User\Local Settings\Application Data\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cad User\Local Settings\Application Data\I Want This\Chrome (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Files Detected: 10
C:\Documents and Settings\Cad User\My Documents\Downloads\DownloadManager_Setup.exe (PUP.Bundle.Installer.OI) -> No action taken.
C:\Program Files\I Want This\I Want This.dll (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cad User\Local Settings\Temp\airE3.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\I Want This.ini (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\I Want This.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\I Want This.ico (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\I Want ThisGui.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\I Want ThisInstaller.log (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Program Files\I Want This\Uninstall.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cad User\Local Settings\Application Data\I Want This\Chrome\I Want This.crx (Adware.GamePlayLab) -> Quarantined and deleted successfully.

(end)



#21
May 21, 2012 at 16:57:38

OK, thanks for the MBAM log; update & run again in Safe Mode please. Post new log.

Make sure you reboot after any cleaning etc.

Next step, let's check these.

How to configure TCP/IP
http://support.microsoft.com/kb/305553
http://www.microsoft.com/windowsxp/...
On the General tab, make sure "Obtain an IP address automatically" and "Obtain DNS server address automatically" are both ticked.

Try connecting another computer to your router & see if search is Ok.

Resetting a router
http://is.gd/znWeVf



#22
May 22, 2012 at 13:59:39

I restarted in Safe Mode, ran MBAM again, then rebooted normally. Here is the log; the Adware.GamePlayLab popped up again and was deleted by MBAM:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.17.08

Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Cad User :: JUDY [administrator]

5/22/2012 1:50:52 PM
mbam-log-2012-05-22 (13-50-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233397
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\Interface\{77777777-7777-7777-7777-770077227758} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044224458} (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I will follow your next steps now. Thank you very much for your time



#23
May 22, 2012 at 14:07:22

Yes, both "Obtain an IP address automatically" and "Obtain DNS server address automatically" are ticked.

Search works with my laptop hooked up to my router, just not my desktop.

thanks



#24
May 22, 2012 at 15:32:12

Searches are working now! I'm a little amazed, because searches were still not working after my last reboot, after the last MBAM scan.

I reset the router as you instructed, and now searches are working. I don't know how it could be the router, though, because my other computer worked fine hooked up to the same router.

I also downloaded and installed SRWare Iron.

Thank you so much for your help, and thanks for not giving up. Is there anything else I should do to make sure everything keeps working?

Thanks again, you've been awesome.



#25
May 22, 2012 at 15:38:36

Dang it, I spoke too soon, my searches are down again...

I restarted my computer after my last post and now Google searches aren't working. At least now I can be more systematic about figuring out what solved it... What should I do now?



#26
May 22, 2012 at 15:41:07

The Iron start-page search feature (not Google) does work and it looks to be a better engine than Yippy, so things are looking up.


#27
May 22, 2012 at 16:00:35

...resetting the router did not help.

I will try MBAM again in Safe Mode.



#28
May 22, 2012 at 16:09:10

"I will try MBAM again in Safe Mode"

We are getting there.

Please download Unhide
http://www.bleepingcomputer.com/vir...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run; it does take some time, so be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

Now run MBAM & post log.

Next,

1: Download HijackThis
2: Close all open programs.
3: Run HJT, then Copy & Paste the contents of the log in this post please.
http://sourceforge.net/projects/hjt/



#29
May 22, 2012 at 16:21:09

OK, will do.


#30
May 22, 2012 at 16:38:28

If your MBAM log indicates "No action taken" again, that's usually a result of NOT clicking the Remove Selected button after the scan.


#31
May 22, 2012 at 17:07:35

I ran Unhide. Should I reboot before running MBAM? Regular or Safe Mode?

Unhide log:
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 05/22/2012 04:23:36 PM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 309155 files processed.

Processing the E:\ drive
Finished processing the E:\ drive. 0 files processed.

Processing the F:\ drive
Finished processing the F:\ drive. 0 files processed.

Processing the G:\ drive
Finished processing the G:\ drive. 0 files processed.

Processing the H:\ drive
Finished processing the H:\ drive. 0 files processed.

Processing the I:\ drive
Finished processing the I:\ drive. 379637 files processed.

The C:\DOCUME~1\CADUSE~1\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Restarting Explorer.exe in order to apply changes.

Program finished at: 05/22/2012 04:44:34 PM
Execution time: 0 hours(s), 20 minute(s), and 58 seconds(s)


Thanks



#32
May 22, 2012 at 17:15:20

"Should I reboot before running MBAM? Regular or Safe Mode?"

"Reboot": can't see any message in its log to do so; let's try without the reboot.

Process of elimination: try MBAM in regular mode.



#33
May 22, 2012 at 17:15:26

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.17.08

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Cad User :: JUDY [administrator]

5/22/2012 5:11:11 PM
mbam-log-2012-05-22 (17-11-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235124
Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#34
May 22, 2012 at 17:18:38

Now try MBAM in Safe Mode.

How is Search?



#35
May 22, 2012 at 17:19:06

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:17:06 PM, on 5/22/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\ATT Connect\Participant\pull.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Comodo\Dragon\dragon_updater.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Documents and Settings\All Users\Application Data\FileOpen\Services\FileOpenManagerSvc32.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\rsyncd\cygrunsrv.exe
C:\WINDOWS\system32\svchost.exe
c:\rsyncd\rsync.exe
C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080708
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [Push Client] "C:\Documents and Settings\Cad User\Local Settings\Application Data\ATT Connect\Participant\pull.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: COMODO Dragon Update Service (DragonUpdater) - Unknown owner - C:\Program Files\Comodo\Dragon\dragon_updater.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FileOpenManagerSvc - FileOpen Systems Inc. - C:\Documents and Settings\All Users\Application Data\FileOpen\Services\FileOpenManagerSvc32.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Dimension 3D Printers Service (ModelServerWinServiceP) - Stratasys, Inc. - C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: rsyncd - Unknown owner - c:\rsyncd\cygrunsrv.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10982 bytes



#36
May 22, 2012 at 17:20:24

Search is still a no-go; I'll do MBAM in safe mode.

thanks



#37
May 22, 2012 at 17:25:39

HJT log looks good, got rid of > uInternet Settings,ProxyOverride = 127.0.0.1:9421 which was in your Sysbot post.


#38
May 22, 2012 at 17:26:10

From safe mode with networking:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.17.08

Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Cad User :: JUDY [administrator]

5/22/2012 5:21:55 PM
mbam-log-2012-05-22 (17-21-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233403
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

still no search



#39
May 22, 2012 at 17:29:54

"HJT log looks good, got rid of > uInternet Settings,ProxyOverride = 127.0.0.1:9421 which was in your Sysbot post."

That is good news. What do you think the problem is? A leftover piece of virus? I don't really understand how these things work. Your instructions have been ever so helpful, clear and prompt. Thanks.



#40
May 22, 2012 at 17:35:23

"What do you think the problem is? A leftover piece of virus?"
Yep.

Next.

1: Open Internet Explorer and click "Tools" from the top navigation menu.
2: Click "Internet Options", and then click "Accessibility".
3: Uncheck the option labeled "Format Documents Using My Style Sheet". Internet Explorer malware exploits this option when selected in the browser.
Reboot & tell me how IE search is behaving.



#41
May 22, 2012 at 17:39:45

If your ESET program is up to date, run a full scan, if not use their free online scan.

ESET OnlineScan & post the log.
http://www.eset.eu/online-scanner
http://www.eset.com/us/online-scanner
How can I view the log file from ESET Online Scanner?
http://www.eset.eu/eset-online-scan...



#42
May 22, 2012 at 17:41:48

The "Format Documents Using My Style Sheet" box was unchecked. My IE search is set to use bing, which does not work: Waiting for http://www.bing.com/search.......
waits forever

thanks, I'll check back here later



#43
May 22, 2012 at 17:42:47

eset is up to date, it should run every night, I'll run it now


#44
May 22, 2012 at 18:04:29

"eset is up to date, it should run every night, I'll run it now"

Ok, then check all your browsers proxy settings. IE as before, here are FF's.

Firefox Proxy settings:

Open Firefox, click Tools > Options > Advanced and click the Network Tab.
Under the Connection section click on the Settings... button.
Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
Click OK... then click OK again.
Close Firefox and Restart the computer.

Google Chrome Proxy Settings should be Ok if IE is right, but it won't hurt to check them.
http://googlechrometutorial.com/goo...
Google Chrome uses the same connection and proxy settings as Windows. Changing these settings affects Google Chrome as well as Internet Explorer and other Windows programs.



#45
May 22, 2012 at 19:30:55

Missed this in HJT, it's been renamed.

After running ESET, run HJT, (select Do a system scan only) and select the following line, but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

check >
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421 & then click on > Fix checked.


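The ProxyOverride line singled out here is the kind of entry worth checking by script rather than by eye, especially across successive logs (in post #52 below the same line comes back after a Fix). What follows is an added example, not part of this thread and not HijackThis code: it parses HJT-style entry lines, flags a non-default ProxyOverride bypass list and O23 services whose file is missing, and reports entries that vanished after a fix and then reappeared. The three log excerpts are constructed from lines posted in this thread, and the function names are this example's own.

```python
"""Triage helpers for HijackThis (HJT) logs: added example, not HJT's own code.

ProxyOverride is Internet Explorer's proxy *bypass* list.  On a clean machine
HJT normally shows nothing there, or just '<local>'.  A loopback address with
a port in that list is non-default; in this thread the helper treated it as the
leftover of the infection and it is the sort of entry to keep an eye on.
"""
import re

# Constructed sample excerpts built from lines posted in this thread.
LOG_BEFORE_FIX = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)
"""
# After "Fix checked": the R1 line is gone; a plain '<local>' bypass is the default and is not flagged.
LOG_AFTER_FIX = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)
"""
# Next scan: the R1 line is back, which is what post #52 reports.
LOG_NEXT_SCAN = LOG_BEFORE_FIX

PROXY_OVERRIDE_RE = re.compile(
    r"^R1 - (?P<hive>HKCU|HKLM)\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"Internet Settings,ProxyOverride = (?P<value>.*)$"
)
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Return only the HJT entry lines (R0/R1/F.../O4/O23 ...), stripped."""
    return [ln.strip() for ln in text.splitlines() if re.match(r"^[RFO]\d+ - ", ln.strip())]


def suspicious_proxy_overrides(entries):
    """Hosts in the ProxyOverride bypass list other than the default '<local>'."""
    hits = []
    for entry in entries:
        m = PROXY_OVERRIDE_RE.match(entry)
        if not m:
            continue
        hosts = [h.strip() for h in m.group("value").split(";") if h.strip()]
        odd = [h for h in hosts if h != "<local>"]
        if odd:
            hits.append((m.group("hive"), odd))
    return hits


def missing_file_services(entries):
    """O23 services whose binary HJT could not find: the registration outlived the file."""
    return [m.group("name") for m in map(SERVICE_RE.match, entries)
            if m and m.group("path").endswith("(file missing)")]


def recurring_entries(logs):
    """Entries that were present, disappeared in a later log, then came back.

    `logs` is a list of raw HJT log texts, oldest first.  An entry that returns
    after a Fix points at something still running that rewrites the setting.
    """
    sets = [set(parse_hjt(t)) for t in logs]
    back = []
    for entry in sorted(set().union(*sets)):
        presence = [entry in s for s in sets]
        try:
            first_seen = presence.index(True)
            gone = presence.index(False, first_seen)
            presence.index(True, gone)       # raises ValueError if it never returned
        except ValueError:
            continue
        back.append(entry)
    return back


if __name__ == "__main__":
    before = parse_hjt(LOG_BEFORE_FIX)
    print("ProxyOverride hosts to investigate:", suspicious_proxy_overrides(before))
    print("Services with file missing:", missing_file_services(before))
    print("Entries that came back after a fix:",
          recurring_entries([LOG_BEFORE_FIX, LOG_AFTER_FIX, LOG_NEXT_SCAN]))
```

Feeding the script the real logs from this thread in posting order reproduces the pattern the user noticed by hand: the R1 line is absent in the log immediately after the Fix and present again in the next one, while the `msav` service with its missing file shows up in every log until it is removed.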

#46
May 22, 2012 at 19:44:25

Next.

At a command prompt, Copy & Paste > ipconfig /flushdns & hit > Enter.
Note:
To open a command prompt, click Start, point to Programs, point to Accessories, and then click Command Prompt.

Now run these tools.

TDSSKiller
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://support.kaspersky.com/faq/?q...
http://support.kaspersky.com/viruse...

Trojan Remover ( 30 day trial )
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.simplysup.com/tremover/d...

Post new HJT log please.



#47
May 22, 2012 at 19:45:33

Next, run SuperAntiSpyware again.


#48
May 22, 2012 at 21:02:36

Great, thanks. I will post the logs when I finish each step.


#49
May 22, 2012 at 21:05:14

What time zone are you in Judy, it's 12.05pm Wednesday here in Western Australia.


#50
May 23, 2012 at 09:13:39

It is now 9:10 Wednesday morning here in California. I'll do all this now before I go to work.


#51
May 23, 2012 at 10:08:56

Here's what I did:
HJT - check the box for R1...proxy override... fix
run cmd - ipconfig /flushdns
TDSS Killer - 4 threats found and deleted
reboot

HJT - check the box for R1...proxy override... fix
run cmd - ipconfig /flushdns
Trojan Remover - 1 threat found - prevents program and rename
reboot

HJT - check the box for R1...proxy override... fix
run cmd - ipconfig /flushdns
TDSS Killer - 0 threats
Trojan Remover - 0 threats
SuperASW - 0 threats

HJT - post log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:06:31 AM, on 5/23/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\ATT Connect\Participant\pull.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Comodo\Dragon\dragon_updater.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Documents and Settings\All Users\Application Data\FileOpen\Services\FileOpenManagerSvc32.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\rsyncd\cygrunsrv.exe
C:\WINDOWS\system32\svchost.exe
c:\rsyncd\rsync.exe
C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080708
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [Push Client] "C:\Documents and Settings\Cad User\Local Settings\Application Data\ATT Connect\Participant\pull.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: COMODO Dragon Update Service (DragonUpdater) - Unknown owner - C:\Program Files\Comodo\Dragon\dragon_updater.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FileOpenManagerSvc - FileOpen Systems Inc. - C:\Documents and Settings\All Users\Application Data\FileOpen\Services\FileOpenManagerSvc32.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Dimension 3D Printers Service (ModelServerWinServiceP) - Stratasys, Inc. - C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: rsyncd - Unknown owner - c:\rsyncd\cygrunsrv.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10812 bytes


rebooting...



#52
May 23, 2012 at 10:18:40

Before rebooting, I noticed that the entry for "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>" was back again, so I checked that box and clicked Fix. Here is the resulting log. All scans are still clean from TDSS Killer, Trojan Remover, and SuperASW. At this moment searches are working. I will reboot now.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:15:24 AM, on 5/23/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\ATT Connect\Participant\pull.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Comodo\Dragon\dragon_updater.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Documents and Settings\All Users\Application Data\FileOpen\Services\FileOpenManagerSvc32.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\rsyncd\cygrunsrv.exe
C:\WINDOWS\system32\svchost.exe
c:\rsyncd\rsync.exe
C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080708
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [Push Client] "C:\Documents and Settings\Cad User\Local Settings\Application Data\ATT Connect\Participant\pull.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: COMODO Dragon Update Service (DragonUpdater) - Unknown owner - C:\Program Files\Comodo\Dragon\dragon_updater.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FileOpenManagerSvc - FileOpen Systems Inc. - C:\Documents and Settings\All Users\Application Data\FileOpen\Services\FileOpenManagerSvc32.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Dimension 3D Printers Service (ModelServerWinServiceP) - Stratasys, Inc. - C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: rsyncd - Unknown owner - c:\rsyncd\cygrunsrv.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10702 bytes



#53
May 23, 2012 at 10:26:06

Searches are working now after rebooting, even though that entry is still there in my HJT log:


#54
May 23, 2012 at 10:27:43

Posted in parts because this website is blocking me for possible spam flooding...

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:21:39 AM, on 5/23/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\ATT Connect\Participant\pull.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Comodo\Dragon\dragon_updater.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Documents and Settings\All Users\Application Data\FileOpen\Services\FileOpenManagerSvc32.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\rsyncd\cygrunsrv.exe
C:\WINDOWS\system32\svchost.exe
c:\rsyncd\rsync.exe
C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe



#55
May 23, 2012 at 10:30:30

Well, it's there, but I'm having trouble posting the log into this forum now.


#56
May 23, 2012 at 10:35:58

Searches are still working right now, I'll check back after work.


#57
May 23, 2012 at 11:14:59

Here's the rest of the log from post #54:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080708
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [Push Client] "C:\Documents and Settings\Cad User\Local Settings\Application Data\ATT Connect\Participant\pull.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: COMODO Dragon Update Service (DragonUpdater) - Unknown owner - C:\Program Files\Comodo\Dragon\dragon_updater.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FileOpenManagerSvc - FileOpen Systems Inc. - C:\Documents and Settings\All Users\Application Data\FileOpen\Services\FileOpenManagerSvc32.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Dimension 3D Printers Service (ModelServerWinServiceP) - Stratasys, Inc. - C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: rsyncd - Unknown owner - c:\rsyncd\cygrunsrv.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11006 bytes


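The helper in this thread reads the HijackThis log by hand, picking out the O23 service whose binary is missing and the O4 autorun living under the user's profile. The script below is an added example (not from the thread or from HijackThis itself) that applies those same triage rules to HJT-style log lines; the sample lines are constructed to mirror the kinds of entries in the log above, and the rule set and thresholds are my own assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass

# Constructed HijackThis-style sample lines, modelled on the entry types in the
# thread's log (R1 proxy settings, O4 autoruns, O23 services). Not the real log.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Updater] "C:\Documents and Settings\User\Local Settings\Application Data\Vendor\netsession_win.exe"
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)
O23 - Service: rsyncd - Unknown owner - c:\rsyncd\cygrunsrv.exe
"""

# Directory fragments (lower-case) that indicate an autorun living in a user
# profile rather than in Program Files or the Windows directory. Assumption:
# these are the locations a reviewer would want a second look at.
USER_PROFILE_DIRS = (r"\local settings\application data", r"\application data", r"\appdata", r"\temp")

# HJT lines look like "<section> - <body>", e.g. "O23 - Service: ...".
HJT_LINE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")


@dataclass
class Finding:
    line: str          # the original log line
    reasons: list      # why it was flagged (one or more rule names)


def triage_hjt_log(text):
    """Return the HJT lines that deserve a manual look, with the rule(s) they tripped.

    Rules (hypothetical, chosen to match what the thread's helper looked for):
      * R1 proxy settings: a local proxy or proxy override can explain pages that
        never finish loading, and is worth confirming against installed software.
      * O23 '(file missing)': a registered service whose binary no longer exists,
        typically leftover from a removed or cleaned-up program.
      * O23 'Unknown owner': a service without a publisher string.
      * O4 autorun under a user profile directory.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue                      # headers, process lists, blank lines
        section, body = m.group(1), m.group(2)
        lower = body.lower()
        reasons = []
        if section == "R1" and "internet settings,proxy" in lower:
            reasons.append("browser proxy setting")
        if section == "O23":
            if "(file missing)" in lower:
                reasons.append("service binary missing")
            if " - unknown owner - " in lower:
                reasons.append("service with no publisher")
        if section == "O4" and any(d in lower for d in USER_PROFILE_DIRS):
            reasons.append("autorun from user profile")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(", ".join(f.reasons))
        print("    " + f.line)
```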

#58
May 23, 2012 at 12:29:03

Eset log?

I gave TeaTimer away years ago; it slowed AV scans & others down too much. Maybe it is also part of your problem. I would uncheck it ( Refer screenshot ) & use SpywareBlaster.

http://i.imgur.com/5iA80.gif

You don't need the hosts file.

Hosts File
http://home.comcast.net/~SupportCD/...
Myth - "Special AntiSpyware Hosts Files are necessary to prevent Spyware infections."
Reality - "Using Special AntiSpyware Hosts Files are a waste of time and leads to a false sense of security. Any Malware/Spyware can easily modify the Hosts File at will, even if it is set to Read-only. It is impossible to "lock-down" a Hosts File unless you are running as a limited user which makes using it in this case irrelevant anyway."

I rename the Hosts file & use SpywareBlaster.
Do a search for the hosts file ( In Windows\system32\drivers\etc ) & rename to > hosts.txt or hostsold.

SpywareBlaster
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.bleepingcomputer.com/tut...
http://www.javacoolsoftware.com/spy...
FAQ
http://www.javacoolsoftware.com/spy...
Forum
http://www.wilderssecurity.com/foru...

Back to bed for me, catch you later.



#59
May 23, 2012 at 12:44:13

I myself would have run ComboFix a long time ago....when other progs don't give relief...ComboFix usually works:
http://www.bleepingcomputer.com/com...
Follow the guide carefully

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#60
May 23, 2012 at 14:11:03

The ESET scan did not detect any threats, but it did detect this outside of the scan:

time: 5/23/2012 9:24:37 AM
scanner: Real-time file system protection
object: file
name: C:\TDSSKiller_Quarantine\23.05.2012_09.23.26\rtkt0000\svc0000\tsk0000.dta
threat: Win32/Agent.SUC.Gen trojan
action: none
user: JUDY\Cad User
information: Event occurred on a new file created by the application: C:\Documents and Settings\Cad User\My Documents\Downloads\tdsskiller\TDSSKiller.exe.


I unchecked TeaTimer and installed SpywareBlaster. Should I enable SpywareBlaster for IE and Firefox? Does it matter that I already have ESET running?

My hosts file is not there; I deleted it a while ago.

Thanks



#61
May 23, 2012 at 15:07:44

"Should I enable SpywareBlaster for IE and Firefox"
Because it is free, about once a month you need to click on > Download Latest Protection Updates ( also do it now ) Then when you have them, click on > Enable All Protection.

"Does it matter that I already have eset running?"
Refer to the FAQs.

"The ESET scan did not detect any threats, but it did detect this outside of the scan:"
False Positive.



#62
May 23, 2012 at 15:09:50

Next,

Run aswMBR
http://public.avast.com/~gmerek/asw...
aswMBR is the rootkit scanner that scans for TDL4/3 and MBRoot (Sinowal) rootkits.
How to scan
Download aswMBR.exe to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
Click the "Fix" in case of infection
Important > you need to wait for the tool to report ... Infection fixed successfully
Do not reboot the machine until it has said so.
Save the aswASW.log to the desktop



#63
May 23, 2012 at 15:50:01

Next,

Something you installed possibly gave you the choice ( a lot of programs do, offering toolbars & other stuff you don't need ) of this Akamai\netsession_win.exe ( as per HJT ).
Here is the info, so you can decide whether you want it.
http://www.nojokeit.com/2011/11/win...



#64
May 23, 2012 at 16:07:35

Enabled SpywareBlaster (read FAQs, thanks), uninstalled Akamai, ran aswMBR scan, no infection, I did not click FixMBR.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-23 15:59:57
-----------------------------
15:59:57.531 OS Version: Windows 5.1.2600 Service Pack 2
15:59:57.531 Number of processors: 2 586 0x1706
15:59:57.531 ComputerName: JUDY UserName:
15:59:58.437 Initialize success
16:00:08.703 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:00:08.703 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
16:00:08.718 Disk 0 MBR read successfully
16:00:08.718 Disk 0 MBR scan
16:00:08.718 Disk 0 Windows XP default MBR code
16:00:08.718 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
16:00:08.734 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 476866 MB offset 128520
16:00:08.734 Disk 0 scanning sectors +976752000
16:00:08.812 Disk 0 scanning C:\WINDOWS\system32\drivers
16:00:14.468 Service scanning
16:00:44.187 Modules scanning
16:01:03.906 Disk 0 trace - called modules:
16:01:03.906 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:01:03.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a68c478]
16:01:03.937 3 CLASSPNP.SYS[ba0e905b] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a6bc030]
16:01:03.937 Scan finished successfully
16:02:02.718 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Cad User\My Documents\Judy\virus\MBR.dat"
16:02:02.781 The log file has been saved successfully to "C:\Documents and Settings\Cad User\My Documents\Judy\virus\aswMBR.txt"



#65
May 23, 2012 at 16:10:53

Search is working now and has not stopped working since this morning. Just rebooted and search is still working :) ?

Thanks for all the help, I don't know when you sleep. Let me know what to do next.



#66
May 23, 2012 at 16:12:38

"Enabled SpywareBlaster (read FAQs, thanks), uninstalled Akamai, ran aswMBR scan, no infection, I did not click FixMBR."

Ok, all good. Nearly finished what I had on my step by step process.

Next.

Run ComboFix
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#67
May 23, 2012 at 16:47:13

Oh, ComboFix....cool! LOL, response #59. It may have shortened this thread by half LOL

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#68
May 24, 2012 at 09:37:11

ComboFix 12-05-24.02 - Cad User 05/24/2012 9:25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2336 [GMT -7:00]
Running from: c:\documents and settings\Cad User\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Cad User\WINDOWS
C:\Documents
c:\windows\system32\CCXPButton.ocx
I:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FileOpenManagerSvc
-------\Service_FileOpenManagerSvc
.
.
((((((((((((((((((((((((( Files Created from 2012-04-24 to 2012-05-24 )))))))))))))))))))))))))))))))
.
.
2012-05-23 20:36 . 2012-05-23 22:39 -------- d-----w- c:\program files\SpywareBlaster
2012-05-23 16:27 . 2010-10-24 14:06 598528 ----a-w- c:\windows\system32\ztv7z.dll
2012-05-23 16:27 . 2010-10-24 14:06 178176 ----a-w- c:\windows\system32\ztvunrar39.dll
2012-05-23 16:27 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2012-05-23 16:27 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2012-05-23 16:27 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2012-05-23 16:27 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2012-05-23 16:27 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2012-05-23 16:27 . 2012-05-23 16:27 -------- d-----w- c:\program files\Trojan Remover
2012-05-23 16:27 . 2012-05-23 16:27 -------- d-----w- c:\documents and settings\Cad User\Application Data\Simply Super Software
2012-05-23 16:27 . 2012-05-23 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2012-05-23 16:24 . 2012-05-23 16:24 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-22 22:18 . 2012-05-22 22:18 -------- d-----w- c:\documents and settings\Cad User\Local Settings\Application Data\Chromium
2012-05-22 22:17 . 2012-05-22 22:18 -------- d-----w- c:\program files\SRWare Iron
2012-05-18 01:23 . 2012-05-18 01:23 -------- d-----w- c:\documents and settings\Cad User\Application Data\SUPERAntiSpyware.com
2012-05-18 01:23 . 2012-05-18 01:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-18 01:23 . 2012-05-18 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-05-18 01:08 . 2012-05-18 01:08 -------- d-----w- c:\documents and settings\Cad User\Application Data\Malwarebytes
2012-05-18 01:08 . 2012-05-18 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-18 01:08 . 2012-05-18 01:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-18 01:08 . 2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-18 00:59 . 2012-05-21 17:44 45320 ----a-w- c:\windows\system32\certsentry.dll
2012-05-18 00:59 . 2012-05-18 00:59 -------- d-----w- c:\documents and settings\Cad User\Local Settings\Application Data\COMODO
2012-05-18 00:59 . 2012-05-18 00:59 -------- d-----w- c:\program files\Comodo
2012-05-18 00:59 . 2012-05-18 00:59 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-05-18 00:28 . 2012-05-21 17:43 -------- d-----w- c:\program files\Free Download Manager
2012-05-18 00:27 . 2012-05-18 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor
2012-05-18 00:15 . 2012-05-18 00:15 -------- d-----w- c:\program files\VS Revo Group
2012-05-18 00:10 . 2012-05-18 00:10 -------- d-----w- c:\documents and settings\Cad User\Local Settings\Application Data\ESET
2012-05-17 17:03 . 2012-05-17 17:03 -------- d-----w- c:\program files\Adobe Media Player
2012-05-16 15:12 . 2012-05-16 15:12 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-16 15:12 . 2012-05-16 15:12 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-16 15:12 . 2012-05-16 15:12 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-15 23:14 . 2012-05-15 23:14 -------- d-----w- c:\program files\ERUNT
2012-05-02 18:29 . 2012-05-02 18:29 -------- d-----w- c:\documents and settings\Cad User\Local Settings\Application Data\join.me
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-23 16:25 . 2004-08-04 04:07 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-05-15 15:03 . 2012-04-23 16:58 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-15 15:03 . 2011-07-12 15:54 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-10 22:01 . 2012-04-10 22:01 388096 ----a-r- c:\documents and settings\Cad User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2008-12-10 22:50 . 2008-12-10 22:50 118784 -c--a-w- c:\program files\internet explorer\plugins\LV86ActiveXControl.dll
2012-05-16 15:12 . 2012-04-02 19:51 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Cad User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Cad User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Cad User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Cad User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"Akamai NetSession Interface"="c:\documents and settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-05-08 3331872]
"Push Client"="c:\documents and settings\Cad User\Local Settings\Application Data\ATT Connect\Participant\pull.exe" [2011-04-27 966944]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-04-20 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-15 8523776]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-11 1015808]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2009-03-19 7308584]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-29 181544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 3080264]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2012-05-14 1266448]
.
c:\documents and settings\Cad User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-10 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Cad User^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Cad User\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Cad User^Start Menu^Programs^Startup^SolidWorks Task Scheduler Engine.lnk]
path=c:\documents and settings\Cad User\Start Menu\Programs\Startup\SolidWorks Task Scheduler Engine.lnk
backup=c:\windows\pss\SolidWorks Task Scheduler Engine.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Dimension\\CatalystEX 4.0\\nt\\CatalystEX.exe"=
"c:\\Program Files\\ASL Software 3.1\\ASL5000_SW3.1.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-x.x.x.x-4.0.0.12911-Downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Barnes & Noble\\NOOKstudy\\NOOKStudy.exe"=
"c:\\Documents and Settings\\Cad User\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Documents and Settings\\Cad User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6882:TCP"= 6882:TCP:Blizzard Downloader: 6882
"1051:TCP"= 1051:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [8/4/2011 10:20 AM 118104]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/4/2011 10:20 AM 103112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 12:30 PM 79168]
R2 DragonUpdater;COMODO Dragon Update Service;c:\program files\Comodo\Dragon\dragon_updater.exe [5/16/2012 5:02 AM 412304]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/22/2011 1:03 PM 974944]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]
R2 ModelServerWinServiceP;Dimension 3D Printers Service;c:\program files\Dimension\CatalystEX 4.0\nt\ModelServer.exe [1/16/2009 3:11 PM 442368]
R2 rsyncd;rsyncd;c:\rsyncd\cygrunsrv.exe [7/11/2008 1:08 PM 43008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/3/2012 10:27 AM 136176]
S2 msav;Moon Secure Antivirus Core;c:\program files\Moon Secure Antivirus\msavcore.exe --> c:\program files\Moon Secure Antivirus\msavcore.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/23/2012 9:58 AM 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/3/2012 10:27 AM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/16/2012 8:12 AM 129976]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-23 15:03]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-03 17:27]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-03 17:27]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.55.254
FF - ProfilePath - c:\documents and settings\Cad User\Application Data\Mozilla\Firefox\Profiles\47qy0m22.default\
FF - prefs.js: network.proxy.type - 0
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-AdobeBridge - (no file)
SafeBoot-27796257.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-24 09:30
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2084)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\documents and settings\Cad User\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\windows\system32\nvsvc32.exe
c:\rsyncd\rsync.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-05-24 09:33:08 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-24 16:33
.
Pre-Run: 348,732,022,784 bytes free
Post-Run: 349,067,210,752 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - DDF52F35FEE7192F115455D404E24E8E


#69
May 24, 2012 at 09:44:06

Ran ComboFix.
Symptom update: searches are working. Pages are loading completely, and faster. This webpage, for instance, was loading enough to work with, but the wheel would keep on spinning and never fully load. Now it loads in a few seconds.

new HJT:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:39:18 AM, on 5/24/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Comodo\Dragon\dragon_updater.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\rsyncd\cygrunsrv.exe
C:\WINDOWS\system32\svchost.exe
c:\rsyncd\rsync.exe
C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=5080708
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Cad User\Local Settings\Application Data\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [Push Client] "C:\Documents and Settings\Cad User\Local Settings\Application Data\ATT Connect\Participant\pull.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Cad User\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: COMODO Dragon Update Service (DragonUpdater) - Unknown owner - C:\Program Files\Comodo\Dragon\dragon_updater.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Dimension 3D Printers Service (ModelServerWinServiceP) - Stratasys, Inc. - C:\Program Files\Dimension\CatalystEX 4.0\nt\ModelServer.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corporation - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: rsyncd - Unknown owner - c:\rsyncd\cygrunsrv.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9993 bytes


#70
May 24, 2012 at 12:01:58

"Now it loads in a few seconds"
Perfect.

Next,

uninstall combofix & Moon in this order. Give me screenshots of all of what Revo sees before you start, please.

How to uninstall combofix
http://www.myantispyware.com/2008/0...

Antivirus
http://www.techsupportteam.org/foru...
Important: You should only have one antivirus and one firewall running at any time. If you have two or more of either running then deactivate or uninstall all but one of each.
Step 3: Antivirus
http://www.help2go.com/content/tuto...
You should have an up-to-date anti-virus program running on your computer. Anti-virus is NOT like anti-spyware. You should only have ONE anti-virus program running on your PC.
Install Revo as previously mentioned & use Advanced mode to uninstall > Moon Secure Antivirus ( hasn't been updated for 18 months )

Run TFC next & then weekly. ( It will go deeper than CCleaner )
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it.
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Back to bed for me.


#71
May 24, 2012 at 12:28:40

revo programs list

http://i.imgur.com/EUN8X.png


#72
May 24, 2012 at 12:37:49
✔ Best Answer

I'm still here.

After the above.

Run HJT & use Fix checked to remove this >
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)

Recapping, to me it looks like MBAM, TDSS killer, ipconfig /flushdns & ComboFix did the main part of the fixing. I deliberately left ComboFix to last, because it can leave some things disabled ( which is normal, when removing infected parts ) & that scares most people; I never hear from them again, probably because they format. I prefer to do it in small steps.
What do you think?

The rest of the work was necessary, so that no stone was left unturned. With 55,000 new unique malware samples per day, no one program can keep up with it.
http://www.southcoastregister.com.a...

You should install SP3 & Update your Java. Any problems installing SP3, make sure you get the EXACT error message & put it into Google. A common reason for not being able to install, is because you are infected. Now you are clean, you should be Ok. Post back here if it won't install.
Download XP SP3
http://www.microsoft.com/download/e...

To remove old and redundant versions of the Java Runtime Environment:
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://raproducts.org/wordpress/
What JavaRa does is to check if your computer has the latest version of Java Runtime Environment (JRE).
If the version you have installed has been superseded by a newer version the program will download and install this newer version for you, by running Java’s update program.
JavaRa then allows you to remove all possible older versions of this program. This way it will ensure that the security of your PC is enhanced and will create extra space on your hard disk.

Reduce your Java Cache
http://www.steveshank.com/Newslette...
Dumping Java cache improves browser performance
http://windowssecrets.com/2009/11/1...

Also, I use all of these, they don't clash with anything else.

Adblock Plus
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
https://addons.mozilla.org/firefox/...

Ghostery
http://www.ghostery.com/
http://www.ghostery.com/download
Firefox
https://addons.mozilla.org/en-US/fi...
Internet Explorer
http://www.ghostery.com/download-ie
Chrome
https://chrome.google.com/extension...
Opera
https://addons.opera.com/addons/ext...
Protect your privacy. See who's tracking your web browsing and block them with Ghostery.

Hack lets intruders sneak into home routers
http://tinyurl.com/4pz64fc
http://compnetworking.about.com/od/...
If you haven't changed the default password on your home router, let this recent threat serve as a reminder.


#73
May 24, 2012 at 12:51:57

The programs that we installed can be kept ( ComboFix needs a new version for every use ). Because they are free, MBAM & SUPERAntiSpyware need manual updating & whilst they do not run in realtime & cannot stop you getting infected, they are great for removing infections.

#74
May 24, 2012 at 12:52:35

"What do you think?" I am grateful and I appreciate the step-by-step process that you took me through.

I ran HJT & used Fix checked to remove Moon, but it's still there when I scan again. Moon was the anti-virus that I used a while ago and have since uninstalled and switched to avast, then I uninstalled avast and switched to eset recently, which I paid for 2yrs subscription.

I tried installing SP3 in the past but it wouldn't install. I will try now


#75
May 24, 2012 at 12:53:45

And finally, here is a super good step by step check of your system. Because there is more than one way to fix computers, he does do some things different to me. I would keep this on both your computers & a thumb drive.
http://www.selectrealsecurity.com/m...

You made things very easy Judy & followed instructions beautifully.

More good info here.

Malware Prevention
http://www.malwarevault.com/index.html
"There is no magic involved. The majority of malware is installed by the user themselves"
Malware Prevention and Avoidance
http://www.malwarevault.com/prevent...
ScareWare Prevention and Avoidance
http://www.malwarevault.com/scarewa...
Secure your computer
http://www.staysmartonline.gov.au/h...


#76
May 24, 2012 at 13:11:31

"I ran HJT & used Fix checked to remove Moon, but it's still there when I scan again"

Go into Services Judy & Disable.

To access Services.
Start > My Computer, right click & select Manage.
Click on the + next to Services and Applications.
Click on Services.
Or,
Start > Control Panel > Administrative Tools > Services.
http://www.theeldergeek.com/microso...

Do not use "msconfig" to disable services, type "services.msc" in the Run box instead! (Why?)
The reason is because with msconfig and Hardware Profiles, you can disable services that may be vital to boot your system. With the management console (services.msc) you cannot. Also, msconfig, while unchecking the box, is disabling the service.


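A way to find every service entry whose binary no longer exists on disk (the situation with the msav service in the log above) and disable it from the command line rather than through services.msc, as an added PowerShell example that is not from this thread. It assumes PowerShell is installed and is run from an elevated prompt; the -Disable switch name is my own.

```powershell
# Added example (not from the thread): report services whose executable is
# missing, like the leftover "msav" entry, and optionally disable them.
# An orphaned service entry is worth removing because anything later dropped
# at that path would be started with service privileges.
param([switch]$Disable)   # run with -Disable to actually change startup type

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        # quoted path: everything up to the closing quote, arguments dropped
        return $p.Substring(1, $p.IndexOf('"', 1) - 1)
    }
    # unquoted path (may contain spaces): assume it ends at the first ".exe"
    $idx = $p.ToLower().IndexOf('.exe')
    if ($idx -ge 0) { return $p.Substring(0, $idx + 4) }
    return ($p -split ' ')[0]
}

# Win32_Service covers user-mode services (the O23 entries in a HJT log)
$orphans = Get-WmiObject Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    # expand %SystemRoot%-style variables before checking the file
    if ($bin) { $bin = [Environment]::ExpandEnvironmentVariables($bin) }
    if ($bin -and -not (Test-Path -LiteralPath $bin)) {
        New-Object PSObject -Property @{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            StartMode   = $_.StartMode
            Path        = $bin
        }
    }
}

if (-not $orphans) {
    Write-Host "No services with a missing binary."
} else {
    $orphans | Format-Table Name, StartMode, Path -AutoSize
}

if ($Disable) {
    foreach ($svc in $orphans) {
        # same effect as setting Startup type to Disabled in services.msc
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Host "Disabled $($svc.Name)"
    }
}
```

Run it once without the switch to review the list, then with -Disable; the entry stays in the registry, so a later HJT scan will still show it until the service is deleted.
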
#77
May 24, 2012 at 14:14:14

disabled Moon in services, ran TFC, installed SP3 (it worked!), updated Java, ran JavaRa - JavaRa says it got rid of the older versions, but Java 6 is still in my Revo list next to Java 7, added Ghostery to FF and IE and Adblock Plus to FF.

...whew

I'm learning so much, thanks


#78
May 24, 2012 at 14:32:40

...whew

Good news.

"but Java 6 is still in my Revo list"

Because a newer version is installed, this is one of those occasions you don't use Advanced mode in Revo.

Uninstall using the 1st option > Built-in.


#79
May 24, 2012 at 14:35:49

"installed SP3 (it worked!)"

I keep the SP3 file for other comps I work on & in case I need it for the future.


#80
May 24, 2012 at 15:10:12

installed programs list:

http://i.imgur.com/Akb8O.png


#81
May 24, 2012 at 16:24:11

"installed programs list"

No java 6, good.


#82
May 24, 2012 at 16:46:45

that one was a pain, I ended up using revo to uninstall all versions and then reinstalled java 7

I turned on my Windows firewall, which I usually have turned off because I'd thought that was causing my problems. It's back on now and all's well. I'm running ESET antivirus. SpywareBlaster I will update regularly. I will run TFC regularly, does that need to be updated? I'll keep MBAM and SuperASW just in case.

thank you, thank you!


#83
May 24, 2012 at 17:04:01

"I ended up using revo to uninstall all versions and then reinstalled java 7"
Good thinking.

"windows firewall"
That's what I use.

"I will run TFC regularly, does that need to be updated?"
He will probably bring out a new version to cover Windows 8, other than that, all you can do is check the geekstogo site now & then.

With CCleaner, I would run it by pressing the 2nd button > Registry.

Then before using the 1st button, show me your settings ( screenshots ) for both tabs, you may have to use the scroll bar, to get everything.


#84
May 24, 2012 at 17:11:38

sweet, I probably won't get to this till tomorrow

#85
May 24, 2012 at 17:15:11

Ok, catch you when you are ready.

#86
May 25, 2012 at 10:36:24

Ccleaner scan 1 of 2, scan 2 of 2, settings-applications, settings-windows:

http://imgur.com/2xOBI
http://imgur.com/GKR9g
http://imgur.com/6IJMP
http://imgur.com/VmHHS


#87
May 25, 2012 at 14:08:04

"http://imgur.com/2xOBI
http://imgur.com/GKR9g"
Ok, remove all those by clicking > Fix selected issues.

I set all my browser caches to 50mb. Here is how to do IE.
http://www.bleepingcomputer.com/tut...

I download the Softpedia ad-free version which is always about one week behind the regular version. 3.19.1721 is just around the corner.
http://www.softpedia.com/get/Securi...

"http://imgur.com/VmHHS"
I set mine up this way because I prefer to keep the cookies for sites I regularly visit with a password.

Internet Explorer
I only have Cookies checked. Only unwanted cookies are removed, the rest are saved as per SS's
http://i.imgur.com/AKghG.gif
http://i.imgur.com/rBvJi.gif
http://i.imgur.com/kECGW.gif

Windows Explorer
Purely personal, I only check > Search Autocomplete.

System
Same as you.

Advanced
Same as you.

http://imgur.com/6IJMP

Firefox/Mozilla
I only check Cookies & Session

Google Chrome
I only check > Cookies, Download Session, History

Applications
Leave as is.

Internet
Leave as is.

Multimedia
Leave as is.

Utilities
Leave as is.

Windows
I don't check > Regedit

Now you can click on > Run Cleaner

