firefly34

Hello,

I have a problem with my google browser. When ever I click a link from a search result list it will go to some random website for a second and then return back to the google search result list. I have to click several times on my desired link for it to go there properly.

Here is the DSS text:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Stephen Whang at 19:28:23.92 on Sat 06/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.68 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
C:\PROGRA~1\sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\SpyZooka\spyzooka.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Stephen Whang\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ms_welcome
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: {cd5d0da1-19c2-4c73-81f6-ed391ac7986b} - c:\windows\system32\cnetclt.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SpyZooka] c:\program files\spyzooka\SpyZookaLdr.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [VZRemoteCommander] c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\sony\image converter 2\menu.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: SpyZooka Service Hook: {d468bce5-d18e-49a4-8ea7-34bd583659d5} - c:\progra~1\spyzooka\spyguard.dll

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [2004-7-23 50312]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090617.003\NAVENG.Sys [2009-6-17 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090617.003\NavEx15.Sys [2009-6-17 876144]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\SAVRT.SYS [2004-7-23 338056]
S3 lredbooo;lredbooo;\??\c:\docume~1\stephe~1\locals~1\temp\lredbooo.sys --> c:\docume~1\stephe~1\locals~1\temp\lredbooo.sys [?]

=============== Created Last 30 ================

2009-06-20 18:57 <DIR> --d----- c:\program files\Trend Micro
2009-06-20 18:16 <DIR> --d----- c:\docume~1\stephe~1\applic~1\Malwarebytes
2009-06-20 18:15 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 18:15 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-20 18:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-20 18:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 15:55 <DIR> --d----- c:\windows\system32\scripting
2009-06-20 15:55 <DIR> --d----- c:\windows\l2schemas
2009-06-20 15:55 <DIR> --d----- c:\windows\system32\en
2009-06-20 15:55 <DIR> --d----- c:\windows\system32\bits
2009-06-20 15:53 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-20 15:47 <DIR> --d----- c:\windows\EHome
2009-06-20 14:53 <DIR> --d----- c:\program files\SpyZooka
2009-06-20 13:33 552 a------- c:\windows\system32\d3d8caps.dat
2009-06-20 13:16 <DIR> --d----- c:\windows\ERUNT
2009-06-20 13:10 <DIR> --d----- C:\SDFix
2009-06-20 11:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-06-20 15:57 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2007-03-24 12:53 40 a------- c:\documents and settings\stephen whang\language.dat

============= FINISH: 19:30:25.35 ===============

I have attached the 2 other logs are well. I use Internet Explorer. Thank you.

Attached Files

Attach.zip (4.3 KB, 1 views)

Angelfire777

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Note: Please rename combofix.exe to cfix.exe

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

firefly34

Here is my combofix log:

ComboFix 09-06-21.01 - Stephen Whang 06/22/2009 14:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.125 [GMT -4:00]
Running from: c:\documents and settings\Stephen Whang\My Documents\cfix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1665365184-1828499859-3005685416-1003
c:\recycler\S-1-5-21-192255875-731729221-598930852-1003
c:\recycler\S-1-5-21-3968966495-137116618-2045513453-1003
c:\recycler\S-1-5-21-971334563-1478690862-3778208101-1003
c:\recycler\S-1-5-21-1665365184-1828499859-3005685416-1003\desktop.ini
c:\recycler\S-1-5-21-1665365184-1828499859-3005685416-1003\INFO2
c:\recycler\S-1-5-21-192255875-731729221-598930852-1003\desktop.ini
c:\recycler\S-1-5-21-192255875-731729221-598930852-1003\INFO2
c:\recycler\S-1-5-21-3968966495-137116618-2045513453-1003\desktop.ini
c:\recycler\S-1-5-21-3968966495-137116618-2045513453-1003\INFO2
c:\recycler\S-1-5-21-971334563-1478690862-3778208101-1003\desktop.ini
c:\recycler\S-1-5-21-971334563-1478690862-3778208101-1003\INFO2
c:\windows\setup.exe
c:\windows\system32\drivers\SKYNETgtehjrvx.sys
c:\windows\system32\SKYNETmlrulkyo.dat
c:\windows\system32\SKYNETtgjdyfai.dll
c:\windows\system32\SKYNETunaocjek.dll
c:\windows\system32\SKYNETyefmcput.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETlmtoawuj


((((((((((((((((((((((((( Files Created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))))))))))
.

2009-06-21 02:34 . 2009-06-21 02:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-21 02:14 . 2009-06-21 03:01 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-21 02:05 . 2009-06-21 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-20 22:57 . 2009-06-20 22:57 -------- d-----w- c:\program files\Trend Micro
2009-06-20 22:16 . 2009-06-20 22:16 -------- d-----w- c:\documents and settings\Stephen Whang\Application Data\Malwarebytes
2009-06-20 22:15 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 22:15 . 2009-06-20 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 22:15 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-20 22:15 . 2009-06-20 22:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 19:55 . 2009-06-20 19:55 -------- d-----w- c:\windows\system32\scripting
2009-06-20 19:55 . 2009-06-20 19:55 -------- d-----w- c:\windows\l2schemas
2009-06-20 19:55 . 2009-06-20 19:55 -------- d-----w- c:\windows\system32\en
2009-06-20 19:55 . 2009-06-20 19:55 -------- d-----w- c:\windows\system32\bits
2009-06-20 19:53 . 2009-06-20 19:55 -------- d-----w- c:\windows\ServicePackFiles
2009-06-20 19:47 . 2009-06-20 19:47 -------- d-----w- c:\windows\EHome
2009-06-20 17:33 . 2009-06-20 17:33 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-20 17:16 . 2009-06-20 17:16 -------- d-----w- c:\windows\ERUNT
2009-06-20 17:10 . 2009-06-20 18:23 -------- d-----w- C:\SDFix
2009-06-20 16:52 . 2009-06-20 19:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 15:47 . 2009-06-20 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Stephen Whang\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-22 18:36 . 2005-03-08 00:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-22 04:03 . 2008-07-02 15:14 -------- d-----w- c:\program files\Starcraft
2009-06-20 20:16 . 2005-07-02 23:21 100960 ----a-w- c:\documents and settings\Stephen Whang\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-20 19:57 . 2005-03-03 00:56 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-20 18:47 . 2009-03-24 00:23 -------- d-----w- c:\documents and settings\Stephen Whang\Application Data\Move Networks
2009-05-07 15:32 . 2005-03-02 23:44 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-03-02 23:44 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-03-02 23:44 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 04:35 . 2008-10-01 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-17 12:26 . 2005-03-02 23:44 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-03-02 23:44 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"SsAAD.exe"="c:\progra~1\sony\SONICS~1\SsAAD.exe" [2005-01-25 81920]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-11-19 100056]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-14 77824]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-02 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-11-29 2748928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R3 lredbooo;lredbooo;c:\docume~1\STEPHE~1\LOCALS~1\Temp\lredbooo.sys [x]
R3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-18 311872]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-18 7520337]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Stephen Whang.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2004-08-30 17:54]
.
- - - - ORPHANS REMOVED - - - -

BHO-{cd5d0da1-19c2-4c73-81f6-ed391ac7986b} - c:\windows\system32\cnetclt.dll
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKLM-Run-VAIO Recovery - c:\windows\Sonysys\VAIO Recovery\PartSeal.exe
HKLM-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ms_welcome
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-22 14:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-323696375-299214276-2295560852-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-22 14:45
ComboFix-quarantined-files.txt 2009-06-22 18:45

Pre-Run: 163,650,498,560 bytes free
Post-Run: 164,027,510,784 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

166 --- E O F --- 2009-06-22 17:53

Angelfire777

Hi,


*I see you have Viewpoint installed...
Viewpoint related software are considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

• Viewpoint
• Viewpoint Manager
• Viewpoint Media Player

*Open notepad.
Copy and paste the text inside the code box below to notepad

• Save and Name it as "CFScript"
• Drag and drop CFScript.txt to your copy of combofix.

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.



*Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 14.
• Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14".
• Click the "Download" button to the right.
• For Platform, select "Windows"
• For language, select your language
• Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
• Click Continue
• Click on the link to download Windows Offline Installation and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - Examples of older versions in Add or Remove Programs:
  • J2SE Runtime Environment 5.0
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

• On the General tab, under Temporary Internet Files, click the Settings button.
• Next, click on the Delete Files button
• There are two options in the window to clear the cache - Leave BOTH Checked
  • Applications and Applets
    Trace and Log Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Temporary Files Window
• Click OK to leave the Java Control Panel.

*Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

On your next reply, please include a

• kaspersky scan log
• combofix log

firefly34

I have attached the two logs. Thanks.

Attached Files

log.zip (5.0 KB, 3 views)

Angelfire777

Hi,

What kaspersky found were basically a false positive and files inside your Antivirus' quarantine so there is no need to worry about them.

I would like you to empty your Norton Internet Security quarantine, let me know if you need help on that.

After that, click start > run > copy and paste:

cmd /c rd /s/q "c:\documents and settings\All Users\Application Data\Viewpoint"

press enter.


Let me know how's it running.

firefly34

Yes, could you please tell me how to empty the quarantine? My computer is running fine now. Although, it does start up alittle slower when I turn it on.

Angelfire777

You could navigate to this folder then delete everything in it:

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine

Can you describe the slowness further? Is it this slow before?

firefly34

Yes it does seem to start up slower. After the 'welcome' screen, the computer will load with just my wallpaper in the background with no icons or anything. It takes around 47 seconds to load like this. Maybe it took this long before, but to me it just seems longer.

Also, I entered the above line in the run command and it didn't really do anything. What was that for? I did delete viewpoint btw.

Angelfire777

Sorry, which command are you talking about?

Please try booting to safe mode and let me know if the same problem persists there.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.


I highly suspect it's Norton that's causing the slowness. Your machine has only around 512MB of RAM and from experience, that isn't enough to run the whole Norton suite. Try uninstalling Norton if booting to safe mode is fast for you.