07-03-2008, 07:55 AM #1
Registered User
Join Date: Jul 2008
Posts: 15
OS: xp home SP2


Google is Hijacked! Results can't be reached

Thanks for looking into this - My problem is on Google and other select search engines where I can do a search and get a list of results, but when I click on the result to link to the website, I am randomly redirected to another search engine site.

This only happens on links actually on a search engine site. Links from non-search engine sites work fine. The listed URLs on the search engine results are still the actual URL for the result- not a different link. As I watch the progress of the new page download, I can see that IE goes for the correct URL, but then redirects to a different search engine.

I tried to update Windows XP Home, and couldn't. In fact, all my spyware and virus software (Adaware 2007, CA Internet Security Suite, Trend Micro Security Suite, Windows) will not update. (btw - I uninstalled CA ISS when I installed Trend Micro).

Can you help?
Attached Files
File Type: txt ActiveScan.txt (5.6 KB, 4 views)
File Type: txt extra.txt (23.8 KB, 6 views)
raynorth
07-07-2008, 03:31 PM #2
Registered User
Join Date: Jul 2008
Posts: 15
OS: xp home SP2


Re: Google is Hijacked! Results can't be reached

BUMP, please
raynorth
07-07-2008, 05:22 PM #3
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Google is Hijacked! Results can't be reached

Hi -

Deckard's System Scanner should also have produced another log, main.txt

It should be located at C:\Deckard\System Scanner\main.txt

Please post it.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob
07-07-2008, 05:41 PM #4
Registered User
Join Date: Jul 2008
Posts: 15
OS: xp home SP2


Re: Google is Hijacked! Results can't be reached

Here it is. Thanks.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-01 23:31:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
89: 2008-07-02 04:31:58 UTC - RP644 - Deckard's System Scanner Restore Point
88: 2008-07-01 21:58:17 UTC - RP643 - System Checkpoint
87: 2008-06-30 21:44:49 UTC - RP642 - Installed Trend Micro Internet Security
86: 2008-06-30 21:22:33 UTC - RP641 - Removed Ad-Aware 2007
85: 2008-06-30 21:17:18 UTC - RP640 - Removed CA Parental Controls


-- First Restore Point --
1: 2008-04-20 04:02:36 UTC - RP556 -


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:49 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\VPN Client\cvpnd.exe
C:\Program Files\Equitrac\Office\Client\EQSharedEngine.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Roboform\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Equitrac\Office\Client\EQPopupLauncher.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~2\Owner.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Roboform\roboform.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Roboform\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdlmx.exe] C:\WINDOWS\system32\kdlmx.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Roboform\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Roboform\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Roboform\RoboTaskBarIcon.exe" (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.allregs.com
O15 - Trusted Zone: http://*.mortgagemarketguide.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1139797503453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1139797489953
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/...loadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClic...tClickLoan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0291FD9C-C142-4648-8C04-4735EB11B28C}: NameServer = 85.255.113.78,85.255.112.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B22783D-D225-4D84-962C-F2F4058ADF83}: NameServer = 85.255.113.78,85.255.112.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{59B1A4FF-0238-4CF4-A7E8-18869A3B311C}: NameServer = 85.255.113.78,85.255.112.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{737BF0BD-EB76-4A92-AEBC-0A702CD6CA5A}: NameServer = 85.255.113.78,85.255.112.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{C54D8892-2B84-4B92-BB87-89E80FAFA921}: NameServer = 85.255.113.78,85.255.112.38
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.38
O17 - HKLM\System\CS2\Services\Tcpip\..\{0291FD9C-C142-4648-8C04-4735EB11B28C}: NameServer = 85.255.113.78,85.255.112.38
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.38
O17 - HKLM\System\CS3\Services\Tcpip\..\{0291FD9C-C142-4648-8C04-4735EB11B28C}: NameServer = 85.255.113.78,85.255.112.38
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.38
O20 - AppInit_DLLs: EQDtpSp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\VPN Client\cvpnd.exe
O23 - Service: EQ Shared Engine (EQSharedEngine) - Equitrac - C:\Program Files\Equitrac\Office\Client\EQSharedEngine.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Prints Spoolers Services (PssInsv) - Unknown owner - C:\Program Files\System\svchost.exe (file missing)
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 12955 bytes

-- File Associations -----------------------------------------------------------

.scr - DWGTrueViewScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 RCFOX (SonicWALL IPsec Driver) - c:\windows\system32\drivers\rcfox.sys <Not Verified; SonicWALL, Inc.; RCFOX IPSec Driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.0.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3>
R2 ssoftnt4 - c:\windows\system32\drivers\ssoftnt4.sys
R3 TunRDriverV32 - c:\windows\system32\drivers\tunrdriverv32.sys <Not Verified; Windows (R) 2000/XP; Windows (R) 2000/XP Driver>
R3 TunRVideo32 - c:\windows\system32\drivers\tunrvideo32.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S2 ylookuwd - c:\windows\system32\drivers\ldnztm.sys (file missing)
S3 EMCFILT (Alcor Micro Corp for Emachine- 9361) - c:\windows\system32\drivers\emcfilt.sys <Not Verified; Alcor Micro Corp.; emcfilt>
S3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - c:\windows\system32\pcampr5.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Canon NetSpot Suite Service - c:\program files\canon\vdc\auvdc.exe <Not Verified; CANON INC.; NetSpot Suite>
R2 EQSharedEngine (EQ Shared Engine) - "c:\program files\equitrac\office\client\eqsharedengine.exe" <Not Verified; Equitrac; Equitrac Platform Component>
R2 ssoftservice (Cryptainer service) - cryptainersrv.exe <Not Verified; Cypherix Software (India) Pvt. Ltd.; Cryptainer>

S2 PssInsv (Prints Spoolers Services) - c:\program files\system\svchost.exe (file missing)
S3 RampartSvc (SonicWall VPN Client Service) - c:\program files\sonicwall\sonicwall global vpn client\rampartsvc.exe <Not Verified; SonicWALL, Inc.; RampartSvc Module>
S3 SoundMovieServer - "c:\windows\system32\snmvtsvc.exe" <Not Verified; SoundMovieServer; SoundMovieServer>
S4 ProtectsStore (RtoAutos) -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-06-30 16:46:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-30 14:19:43 0 d-------- C:\Program Files\Trend Micro
2008-06-29 12:19:56 6 --a------ C:\WINDOWS\system32\mkghj.dll
2008-06-29 12:12:12 0 d-------- C:\Documents and Settings\Owner\Application Data\CallingID
2008-06-29 12:10:11 0 d-------- C:\WINDOWS\rnapxs
2008-06-25 01:04:55 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-06-23 15:07:25 0 d-------- C:\Documents and Settings\Owner\Application Data\ICAClient
2008-06-23 15:03:10 0 d-------- C:\Program Files\triCerat
2008-06-23 14:58:19 0 d-------- C:\Program Files\ICA
2008-06-18 0036 0 d-------- C:\Program Files\DivX
2008-06-10 09:15:13 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-03 19:32:16 0 d-------- C:\Program Files\iPod
2008-06-03 19:22:59 0 d-------- C:\Program Files\QuickTime
2008-06-03 19:11:30 0 d-------- C:\Program Files\Apple Software Update
2008-06-03 00:50:40 0 d-------- C:\Program Files\Rosetta Stone


-- Find3M Report ---------------------------------------------------------------

2008-06-30 16:31:13 0 d-------- C:\Program Files\CA
2008-06-30 16:22:44 0 d-------- C:\Program Files\Lavasoft
2008-06-30 16:09:10 0 d-------- C:\Program Files\Common Files
2008-06-29 12:10:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 13:33:15 2098 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-25 12:26:03 0 d-------- C:\Program Files\Palm
2008-06-25 10:50:09 0 d-------- C:\Program Files\Audacity
2008-06-25 07:46:47 0 d-------- C:\Program Files\System
2008-06-23 15:02:48 0 d-------- C:\Program Files\Citrix
2008-06-19 15:51:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-10 15:31:34 55040 --a------ C:\deftask.dat
2008-06-03 19:32:35 0 d-------- C:\Program Files\iTunes
2008-06-01 16:18:53 0 d-------- C:\Program Files\VPN Client
2008-06-01 16:18:39 0 d-------- C:\Program Files\Siber Systems
2008-06-01 16:18:37 0 d-------- C:\Program Files\Panicware
2008-06-01 16:18:10 0 d-------- C:\Program Files\Comparator
2008-06-01 16:18:10 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-01 16:17:57 0 d-------- C:\Program Files\Battleship
2008-06-01 16:17:52 0 d-------- C:\Program Files\ATT
2008-06-01 16:17:51 0 d-------- C:\Program Files\AGENTLINK
2008-06-01 16:17:48 0 d-------- C:\Program Files\ACT
2008-05-30 12:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 12:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 12:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 12:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 12:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 12:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 12:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 12:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 12:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-29 11:45:47 4 --a------ C:\WINDOWS\system32\F88264
2008-05-23 14:20:20 0 d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-05-23 13:13:45 0 d-------- C:\Program Files\ATT Self Support
2008-05-19 14:32:57 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-05-11 16:58:21 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-03 18:34:09 0 d-------- C:\Program Files\Yahoo!
2008-05-01 12:50:36 0 d-------- C:\Program Files\Business PlanMaker Professional
2008-04-20 18:03:40 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-04-20 18:03:40 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-04-08 14:09:38 8224 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdlmx.exe"="C:\WINDOWS\system32\kdlmx.exe" [06/13/2007 05:23 AM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 12:56 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [02/28/2008 12:35 PM]
"RoboForm"="C:\Program Files\Roboform\RoboTaskBarIcon.exe" [03/22/2008 09:38 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:00 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"RoboForm"="C:\Program Files\Roboform\RoboTaskBarIcon.exe"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [6/9/2004 2:27:34 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdlmx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=EQDtpSp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Morning Offiice Routine.lnk]
backup=C:\WINDOWS\pss\Morning Offiice Routine.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
"C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
"C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Free Clock]
C:\Program Files\Handy Free Clock\HFC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HFC.exe]
C:\Program Files\Handy Free Clock\HFC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KONICA MINOLTA PagePro 1400W STD]
C:\WINDOWS\system32\MSTMON_Y.EXE STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mainstreet login script]
c:\windows\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bbuizu bbuizu


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{995ca3ee-ec35-11db-b9e3-00904bfdd50a}]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-07-01 23:35:45 ------------
Attached Files
File Type: txt main.txt (26.7 KB, 2 views)

Last edited by tetonbob; 07-07-2008 at 05:47 PM.
raynorth
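Three things in the log above stand out for a search-redirect complaint: every O17 line, including the global Tcpip\Parameters key, hard-codes the same two public name servers (85.255.113.78 and 85.255.112.38); the O23 "Prints Spoolers Services" entry is an svchost.exe under C:\Program Files\System with no owner and no file on disk; and the O4 kdlmx.exe Run value is named after its own path and also appears as the Winlogon "System" value in the registry dump. The script below is an added example, not code from the thread or from HijackThis, ComboFix or FixWareout, that runs those three checks over a handful of lines copied from the log. The resolver allowlist (192.168.1.1) is an assumption standing in for whatever the ISP or router actually hands out, which the thread does not state.

```python
"""Triage a HijackThis log for the entries that matter in a DNS/search-redirect case.

Added example: parses O17 (NameServer), O23 (Service) and O4 (Run) lines and
returns the ones worth a second look. The allowlist of expected resolvers is
an assumption; the thread never states what the ISP or router hands out.
"""
import ipaddress
import re

# A handful of lines copied verbatim from the HijackThis section posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdlmx.exe] C:\WINDOWS\system32\kdlmx.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0291FD9C-C142-4648-8C04-4735EB11B28C}: NameServer = 85.255.113.78,85.255.112.38
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.38
O23 - Service: Prints Spoolers Services (PssInsv) - Unknown owner - C:\Program Files\System\svchost.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
"""

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")

# Names of core Windows processes; a binary with one of these names should only live in system32.
CORE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
              "winlogon.exe", "services.exe", "spoolsv.exe"}


def _is_local(ip_text):
    """True for loopback and RFC 1918 addresses (a home router handing out DNS), False otherwise."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback


def rogue_nameservers(log_text, expected_resolvers=frozenset()):
    """O17 NameServer addresses that are public and not in the allowlist.

    Resolvers normally come from DHCP; the same hard-coded public pair on every
    adapter plus the global Parameters key is consistent with the redirect symptom.
    """
    rogue = set()
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for tok in re.split(r"[ ,]+", m.group("servers").strip()):
            if tok and not _is_local(tok) and tok not in expected_resolvers:
                rogue.add(tok)
    return rogue


def suspicious_services(log_text):
    """O23 services that borrow a core Windows name outside system32, or have no owner and no binary."""
    hits = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        missing = path.endswith("(file missing)")
        clean = path[: -len(" (file missing)")] if missing else path
        basename = clean.strip('"').lower().rsplit("\\", 1)[-1]
        in_system32 = "\\windows\\system32\\" in clean.lower()
        if basename in CORE_NAMES and not in_system32:
            hits.append((m.group("name"), "core Windows binary name outside system32"))
        elif missing and m.group("owner") == "Unknown owner":
            hits.append((m.group("name"), "unknown owner and binary missing"))
    return hits


def odd_run_entries(log_text):
    """O4 Run values whose name is the executable's own full path.

    Installers give Run values a product name; a value named after its own
    path is unusual enough to deserve a look (the kdlmx.exe entry here).
    """
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        value, cmd = m.group("value"), m.group("cmd").strip('"')
        if re.match(r"^[A-Za-z]:\\", value) and value.lower() == cmd.lower():
            hits.append(cmd)
    return hits


def triage(log_text, expected_resolvers=frozenset()):
    """Run all three checks and return a dict the analyst can read at a glance."""
    return {
        "rogue_nameservers": sorted(rogue_nameservers(log_text, expected_resolvers)),
        "suspicious_services": suspicious_services(log_text),
        "odd_run_entries": odd_run_entries(log_text),
    }


if __name__ == "__main__":
    # 192.168.1.1 stands in for the router/ISP resolver; an assumption, not from the thread.
    for key, val in triage(SAMPLE_LOG, {"192.168.1.1"}).items():
        print(f"{key}: {val}")
```

Run it against a full HijackThis log by passing the file's text instead of SAMPLE_LOG. The O17 check is the one to trust most: a resolver that is neither the router nor the ISP's has no business being set on every adapter, and it explains why the browser fetches the correct URL yet lands elsewhere. The other two checks are heuristics that surface entries for a human to judge, not verdicts.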
07-07-2008, 05:55 PM #5
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Google is Hijacked! Results can't be reached

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

If you have any questions along the way, STOP and ask them before proceeding.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix (C:\ComboFix.txt) at the end of this fix.

===============================================

Please download FixWareout from one of these sites:

http://download.bleepingcomputer.com...Fixwareout.exe

http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, a text file (report.txt) will open; you can close it, as the file has already been saved.

Please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ) in your next reply.

**If you receive an error message while trying to run FixWareout, copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder, and run FixWareout again.

----------------------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-08-2008, 12:33 PM   #6 (permalink)
Registered User
 
Re: Google is Hijacked! Results can't be reached

I've successfully downloaded ComboFix (have not run yet per instructions) but don't have Windows CD (pre-installed) for Recovery Console. When I try to download, I have a new IE window pop up with error message "cannot display webpage".
raynorth is offline  
Old 07-08-2008, 12:36 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Re: Google is Hijacked! Results can't be reached

Quote:
If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:
Can you access this link? Use the download from it to install the Recovery Console

http://www.microsoft.com/downloads/d...displaylang=en
tetonbob is offline  
Old 07-08-2008, 12:42 PM   #8 (permalink)
Registered User
 
Re: Google is Hijacked! Results can't be reached

Tried link and no go. Same link I tried. I don't get a dialog box about a download, I get another IE window (small little window) that says "cannot be displayed." Can this file I need be zipped and emailed, or posted for download?
raynorth is offline  
Old 07-08-2008, 12:45 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Re: Google is Hijacked! Results can't be reached

Do you have another browser such as Firefox or Opera installed already? If so, can you use that to access the link?

Can you download FixWareout?
tetonbob is offline  
Old 07-08-2008, 01:08 PM   #10 (permalink)
Registered User
 
Re: Google is Hijacked! Results can't be reached

I don't have another browser, but could download one if I should. I was able to download Fixwareout. Should I run that before Recovery Console is installed and run?
raynorth is offline  
Old 07-08-2008, 01:11 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Re: Google is Hijacked! Results can't be reached

I'd like to see if using a different browser would help you get past the IE blockage of the MS page.

http://www.mozilla.com/en-US/firefox/

http://www.opera.com/

If you run into trouble with installing one of those, go ahead and run FixWareout.
tetonbob is offline  
Old 07-08-2008, 01:51 PM   #12 (permalink)
Registered User
 
Re: Google is Hijacked! Results can't be reached

I had no trouble installing Firefox, but I still could not download the Recovery Console file. I did run Fixwareout and have attached the report.txt file.

I also tried to use Google again and it seems to be working ok.

Should I worry about the Recovery Console at this point? Is there more to do still to clean up?


Username "Owner" - 07/08/2008 14:20:12 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdlmx.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.78 85.255.112.38" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0291FD9C-C142-4648-8C04-4735EB11B28C}
"nameserver"="85.255.113.78,85.255.112.38" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0B22783D-D225-4D84-962C-F2F4058ADF83}
"nameserver"="85.255.113.78,85.255.112.38" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{59B1A4FF-0238-4CF4-A7E8-18869A3B311C}
"nameserver"="85.255.113.78,85.255.112.38" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{737BF0BD-EB76-4A92-AEBC-0A702CD6CA5A}
"nameserver"="85.255.113.78,85.255.112.38" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C54D8892-2B84-4B92-BB87-89E80FAFA921}
"nameserver"="85.255.113.78,85.255.112.38" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{59B1A4FF-0238-4CF4-A7E8-18869A3B311C}
"DhcpNameServer"="85.255.113.78,85.255.112.38" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C54D8892-2B84-4B92-BB87-89E80FAFA921}
"DhcpNameServer"="85.255.113.78,85.255.112.38" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C945CC1B-F4F5-487B-93EB-6A6D52427540}
"DhcpNameServer"="85.255.113.78,85.255.112.38" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdlmx.ren 61440 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\system32\\kdlmx.exe"="C:\\WINDOWS\\system32\\kdlmx.exe"
"UfSeAgnt.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\UfSeAgnt.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\\Program Files\\Uniblue\\RegistryBooster 2\\RegistryBooster.exe /S"
"RoboForm"="\"C:\\Program Files\\Roboform\\RoboTaskBarIcon.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
Attached Files
File Type: txt report.txt (2.6 KB, 3 views)

Last edited by tetonbob; 07-11-2008 at 11:23 PM.
raynorth is offline  
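The FixWareout report in the post above shows the two indicators that matter for this infection: a non-empty Winlogon "System" value (kdlmx.exe before the fix, "" after) and a pair of rogue DNS resolvers written into the global Tcpip\Parameters key and into every interface's nameserver and DhcpNameServer values. The Python script below is an added example, not part of this thread or of FixWareout; it parses a report in the same format and lists the suspicious values. The input is a constructed sample modelled on the posted lines (the 192.168.1.1 DhcpNameServer entry is constructed as a clean value for contrast), the only "known bad" addresses it carries are the two the report itself shows, and the expected_resolvers allowlist is an assumption supplied by the caller.

```python
import ipaddress
import re
from typing import Iterable

# Resolver addresses FixWareout cleared in the report posted above; they are the
# only "known bad" values this example carries, and both come from the thread.
KNOWN_ROGUE_RESOLVERS = {"85.255.113.78", "85.255.112.38"}

# Constructed sample modelled on the posted report (same Winlogon value and
# resolver addresses); the 192.168.1.1 DhcpNameServer entry is constructed as a
# clean value for contrast.
SAMPLE_REPORT = r"""
~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdlmx.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.78 85.255.112.38" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0291FD9C-C142-4648-8C04-4735EB11B28C}
"nameserver"="85.255.113.78,85.255.112.38" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{59B1A4FF-0238-4CF4-A7E8-18869A3B311C}
"DhcpNameServer"="192.168.1.1"
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
"""

SECTION_RE = re.compile(r"^~~~~~\s*(\w+)")
WINLOGON_RE = re.compile(r'Winlogon\\\s*"system"="([^"]*)"', re.IGNORECASE)
KEY_RE = re.compile(r"^(HKEY_LOCAL_MACHINE|HKLM)\\", re.IGNORECASE)
NS_RE = re.compile(r'^"(nameserver|DhcpNameServer)"="([^"]*)"', re.IGNORECASE)


def scan_report(text: str, expected_resolvers: Iterable[str] = ()) -> list:
    """Return one finding per suspicious value in a FixWareout-style report.

    expected_resolvers is an optional allowlist of the DNS servers this machine
    should be using; any other resolver is reported, not only the known-bad ones.
    """
    expected = {ipaddress.ip_address(a) for a in expected_resolvers}
    findings = []
    section = None       # "prerun" / "postrun"
    current_key = None   # registry key the following value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = WINLOGON_RE.search(line)
        if m:
            # A clean machine carries an empty Winlogon "System" value; the
            # report's own postrun check shows "" after the fix.
            if m.group(1):
                findings.append({"section": section, "kind": "winlogon_system",
                                 "key": "Winlogon", "value": m.group(1),
                                 "reason": "loader value set", "cleared": False})
            continue
        if KEY_RE.match(line):
            current_key = line
            continue
        m = NS_RE.match(line)
        if not (m and current_key):
            continue
        for token in re.split(r"[ ,]+", m.group(2)):
            if not token:
                continue
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                reason = "not an IP address"
            else:
                if token in KNOWN_ROGUE_RESOLVERS:
                    reason = "known rogue resolver from this report"
                elif expected and addr not in expected:
                    reason = "resolver not in the expected set"
                else:
                    continue
            findings.append({"section": section, "kind": m.group(1).lower(),
                             "key": current_key, "value": token, "reason": reason,
                             "cleared": "Value cleared" in line})
    return findings


def rogue_resolvers(text: str, expected_resolvers: Iterable[str] = ()) -> list:
    """Distinct resolver addresses the scan flagged, sorted for stable output."""
    return sorted({f["value"] for f in scan_report(text, expected_resolvers)
                   if f["kind"] in ("nameserver", "dhcpnameserver")})


if __name__ == "__main__":
    for f in scan_report(SAMPLE_REPORT, expected_resolvers=("192.168.1.1",)):
        print(f"{f['section']:>8} {f['kind']:<16} {f['value']:<16} {f['reason']}")
```

The allowlist is the useful part for anyone reading a report from a different machine: a blocklist only catches resolvers someone has already written down, while comparing against the resolvers the network is supposed to hand out catches any substitution, and the "cleared" flag tells you whether the tool already removed the value or you are looking at a live setting.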
Old 07-08-2008, 01:54 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Re: Google is Hijacked! Results can't be reached

Yes, we need to run ComboFix next still.

You should be able to download the file.

Clear your cache...

Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Then try again to download the file. Let me know.
tetonbob is offline  
Old 07-08-2008, 01:56 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Re: Google is Hijacked! Results can't be reached

Quote:
Originally Posted by raynorth
When I try to download, I have a new IE window pop up with error message "cannot display webpage".
Just a thought...in recent days, IE 7 had been doing weird things for me. I sometimes get this same page on sites I visit frequently, or sites I've just visited for the first time.

I click on the Back button, and the page I was trying to load does.
tetonbob is offline  
Old 07-08-2008, 01:59 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Re: Google is Hijacked! Results can't be reached

Also, see if this link gets you the file.

http://www.microsoft.com/downloads/i...otDisk-ENU.exe

Last edited by tetonbob; 07-08-2008 at 02:00 PM.
tetonbob is offline  
Old 07-08-2008, 02:01 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Re: Google is Hijacked! Results can't be reached

I edited the link on post # 15.

It's a direct link, and should load for you.
tetonbob is offline  
Old 07-08-2008, 02:35 PM   #17 (permalink)
Registered User
 
Re: Google is Hijacked! Results can't be reached

Doing well...I downloaded the file, ran Combofix, attached the log.txt file here. Next?

ComboFix 08-07-07.3 - Owner 2008-07-08 15:20:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.418 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\g2mdlhlpx.exe
C:\Program Files\NetMeeting\comsin.ini
C:\Program Files\NetMeeting\svchost.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\mkghj.dll
C:\WINDOWS\system32\windows.txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-08 14:19 . 2008-07-08 14:36 <DIR> d-------- C:\fixwareout
2008-07-08 14:12 . 2008-07-08 14:13 <DIR> d-------- C:\Program Files\Firefox
2008-07-07 22:35 . 2008-07-08 13:20 <DIR> d-------- C:\Program Files\ComboFix
2008-07-03 08:09 . 2008-07-03 08:09 <DIR> d-------- C:\ie-spyad_zo
2008-07-02 08:09 . 2008-07-03 08:09 <DIR> d-------- C:\Program Files\ZonedOut
2008-07-02 08:04 . 2008-07-02 08:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-02 07:55 . 2008-07-02 08:08 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-02 00:11 . 2008-07-02 00:12 <DIR> d-------- C:\Program Files\Panda Security
2008-07-01 23:31 . 2008-07-01 23:31 <DIR> d-------- C:\Deckard
2008-06-30 17:19 . 2007-12-24 17:37 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-06-30 17:19 . 2007-12-24 17:37 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-06-30 16:46 . 2008-07-01 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-30 14:19 . 2008-07-01 23:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 11:06 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-29 12:12 . 2008-06-30 10:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CallingID
2008-06-29 12:10 . 2008-06-30 16:30 <DIR> d-------- C:\WINDOWS\rnapxs
2008-06-25 01:04 . 2008-06-30 11:06 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-06-23 15:07 . 2008-06-23 16:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ICAClient
2008-06-23 15:03 . 2008-06-23 15:03 <DIR> d-------- C:\Program Files\triCerat
2008-06-23 15:03 . 2007-05-04 14:19 475,136 --a------ C:\WINDOWS\system32\sdclient.cpl
2008-06-23 14:58 . 2008-06-23 14:59 <DIR> d-------- C:\Program Files\ICA
2008-06-18 00:06 . 2008-06-18 00:10 <DIR> d-------- C:\Program Files\DivX
2008-06-10 18:33 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 18:33 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 15:08 --------- d-----w C:\Program Files\Yahoo!
2008-07-07 15:43 --------- d-----w C:\Program Files\Palm
2008-06-30 21:31 --------- d-----w C:\Program Files\CA
2008-06-30 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-06-30 21:22 --------- d-----w C:\Program Files\Lavasoft
2008-06-29 17:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 18:33 2,098 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-25 15:50 --------- d-----w C:\Program Files\Audacity
2008-06-25 12:46 --------- d-----w C:\Program Files\System
2008-06-23 20:02 --------- d-----w C:\Program Files\Citrix
2008-06-19 20:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-04 00:32 --------- d-----w C:\Program Files\iTunes
2008-06-04 00:32 --------- d-----w C:\Program Files\iPod
2008-06-04 00:24 --------- d-----w C:\Program Files\QuickTime
2008-06-04 00:11 --------- d-----w C:\Program Files\Apple Software Update
2008-06-03 05:50 --------- d-----w C:\Program Files\Rosetta Stone
2008-06-01 21:18 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-01 21:18 --------- d-----w C:\Program Files\VPN Client
2008-06-01 21:18 --------- d-----w C:\Program Files\Siber Systems
2008-06-01 21:18 --------- d-----w C:\Program Files\Panicware
2008-06-01 21:18 --------- d-----w C:\Program Files\Comparator
2008-06-01 21:17 --------- d-----w C:\Program Files\Battleship
2008-06-01 21:17 --------- d-----w C:\Program Files\ATT
2008-06-01 21:17 --------- d-----w C:\Program Files\AGENTLINK
2008-06-01 21:17 --------- d-----w C:\Program Files\ACT
2008-05-30 17:22 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-30 17:22 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-30 17:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-30 17:22 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-30 17:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 17:22 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-05-30 17:22 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-30 17:22 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-05-30 17:19 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-30 17:19 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-23 19:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
2008-05-23 18:35 155,995 ----a-w C:\WINDOWS\java\Packages\UW7LJRFB.ZIP
2008-05-23 18:13 --------- d-----w C:\Program Files\ATT Self Support
2008-05-19 19:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-05-11 21:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-20 23:03 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-04-20 23:03 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-04-15 23:26 595,928 ----a-w C:\Program Files\setup Steel Bldg.exe
2007-01-01 18:18 63 ----a-w C:\Documents and Settings\Owner\audit.dat
2006-09-27 20:25 1,445,888 ----a-w C:\Program Files\WinsockxpFix.exe
2006-03-02 21:36 134 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-11-04 05:54 88 --sh--r C:\WINDOWS\system32\B21105B38A.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2008-02-28 12:35 1885464]
"RoboForm"="C:\Program Files\Roboform\RoboTaskBarIcon.exe" [2008-03-22 09:38 160592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Roboform\RoboTaskBarIcon.exe" [2008-03-22 09:38 160592]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=EQDtpSp.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Morning Offiice Routine.lnk]
backup=C:\WINDOWS\pss\Morning Offiice Routine.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
--a------ 2007-03-28 09:38 1015808 C:\Program Files\ACT\Act for Windows\ActSage.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
--a------ 2007-03-28 09:43 9728 C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Free Clock]
--a------ 2006-01-23 23:31 356352 C:\Program Files\Handy Free Clock\hfc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HFC.exe]
--a------ 2006-01-23 23:31 356352 C:\Program Files\Handy Free Clock\hfc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-07-10 04:13 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-07-10 04:25 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-08-09 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KONICA MINOLTA PagePro 1400W STD]
--a------ 2005-08-21 23:03 184320 C:\WINDOWS\system32\MSTMON_Y.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mainstreet login script]
--a------ 2006-03-14 11:44 147 c:\WINDOWS\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 01:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 22:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
--a------ 2004-05-26 19:57 139264 C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-03-26 19:20 499712 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-03-26 19:20 98304 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16327:TCP"= 16327:TCP:BitComet 16327 TCP
"16327:UDP"= 16327:UDP:BitComet 16327 UDP

R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 10:46]
R2 Canon NetSpot Suite Service;Canon NetSpot Suite Service;C:\Program Files\Canon\VDC\AuVdc.exe [2003-03-11 03:17]
R2 EQSharedEngine;EQ Shared Engine;C:\Program Files\Equitrac\Office\Client\EQSharedEngine.exe [2006-09-06 11:13]
R2 MSSQL$ACT7;SQL Server (ACT7);C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2007-02-10 06:29]
R2 MSSQL$EMMSDE;MSSQL$EMMSDE;C:\Program Files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlservr.exe [2002-12-17 18:26]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 05:29]
R2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [2004-05-21 01:30]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 14:01]
R3 TunRDriverV32;TunRDriverV32;C:\WINDOWS\system32\drivers\TunRDriverV32.sys [2007-08-31 15:09]
R3 TunRVideo32;TunRVideo32;C:\WINDOWS\system32\DRIVERS\TunRVideo32.sys [2007-07-18 15:17]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S2 bbuizu;bbuizu;C:\WINDOWS\system32\svchost.exe [2004-08-04 14:00]
S2 PssInsv;Prints Spoolers Services;C:\Program Files\System\svchost.exe []
S2 ylookuwd;ylookuwd;C:\WINDOWS\system32\drivers\ldnztm.sys []
S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\system32\snmvtsvc.exe [2007-08-17 17:05]
S3 SQLAgent$EMMSDE;SQLAgent$EMMSDE;C:\Program Files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlagent.EXE [2002-12-17 18:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bbuizu REG_MULTI_SZ bbuizu

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{995ca3ee-ec35-11db-b9e3-00904bfdd50a}]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-C:\WINDOWS\system32\kdlmx.exe - C:\WINDOWS\system32\kdlmx.exe
MSConfigStartUp-MsnMsgr - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 15:23:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\ProtectsStore]
"ImagePath"=""
.
Completion time: 2008-07-08 15:27:45
ComboFix-quarantined-files.txt 2008-07-08 20:27:41

Pre-Run: 34,629,189,632 bytes free
Post-Run: 34,840,195,072 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

234 --- E O F --- 2008-06-21 05:40:18
Attached Files
File Type: txt log.txt (16.2 KB, 1 views)

Last edited by tetonbob; 07-08-2008 at 03:14 PM.
raynorth is offline  
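The services section of the ComboFix log above is where the targets of the next reply's CFScript come from (bbuizu, PssInsv, ylookuwd). The Python script below is an added example, not code from this thread or from ComboFix; it parses service lines in the format the log uses and flags three patterns that are visible in it: svchost.exe started from a directory other than system32, a service whose image has no file date recorded (the empty "[]"), and an entry under the svchost key that defines a private service-host group containing only a service of the same name. The input is a constructed sample built from the posted lines plus one constructed legitimate svchost-hosted service (Dnscache in the NetworkService group) so the checks can be seen passing as well as failing; the list of standard XP SP2 service-host group names is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample built from service lines in the ComboFix log above, plus a
# constructed legitimate svchost-hosted service (Dnscache in the NetworkService
# group) so the checks can be seen passing as well as failing.
SAMPLE_LOG = r"""
R2 MSSQL$ACT7;SQL Server (ACT7);C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2007-02-10 06:29]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S2 bbuizu;bbuizu;C:\WINDOWS\system32\svchost.exe [2004-08-04 14:00]
S2 Dnscache;DNS Client;C:\WINDOWS\system32\svchost.exe [2004-08-04 14:00]
S2 PssInsv;Prints Spoolers Services;C:\Program Files\System\svchost.exe []
S2 ylookuwd;ylookuwd;C:\WINDOWS\system32\drivers\ldnztm.sys []
S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\system32\snmvtsvc.exe [2007-08-17 17:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bbuizu REG_MULTI_SZ bbuizu
NetworkService REG_MULTI_SZ Dnscache
"""

# ComboFix service line: "<start> <name>;<display>;<image path> [<file date>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
# Value line under the svchost key: "<group> REG_MULTI_SZ <service> [<service> ...]"
GROUP_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")

SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")
# Service-host groups shipped with Windows XP SP2 (assumption; extend for your build).
STANDARD_GROUPS = {"dcomlaunch", "httpfilter", "imgsvc", "localservice",
                   "netsvcs", "networkservice", "rpcss", "termsvcs"}

OUTSIDE_SYSTEM32 = "svchost.exe started from outside system32"
NO_TIMESTAMP = "image has no file timestamp recorded"
PRIVATE_GROUP = "private svchost group hosting only a service of the same name"


def parse_services(text):
    """Return one dict per R*/S* service line; PureWindowsPath compares case-insensitively."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, stamp = m.groups()
            services.append({"start": start, "name": name, "display": display,
                             "path": PureWindowsPath(path), "stamp": stamp.strip()})
    return services


def parse_svchost_groups(text):
    """Map each svchost group name listed in the log to the services it hosts."""
    groups = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups[m.group(1)] = m.group(2).split()
    return groups


def scan_combofix(text):
    """Return (service name, reason) pairs for every check a service entry fails."""
    findings = []
    services = parse_services(text)
    groups = parse_svchost_groups(text)
    svchost_hosted = {s["name"].lower() for s in services
                      if s["path"].name.lower() == "svchost.exe"}
    for s in services:
        if s["path"].name.lower() == "svchost.exe" and s["path"].parent != SYSTEM32:
            findings.append((s["name"], OUTSIDE_SYSTEM32))
        if not s["stamp"]:
            findings.append((s["name"], NO_TIMESTAMP))
    for group, members in groups.items():
        if (group.lower() not in STANDARD_GROUPS
                and [m.lower() for m in members] == [group.lower()]
                and group.lower() in svchost_hosted):
            findings.append((group, PRIVATE_GROUP))
    return findings


def flagged_services(text):
    """Distinct service names with at least one finding, sorted for stable output."""
    return sorted({name for name, _ in scan_combofix(text)})


if __name__ == "__main__":
    for name, reason in scan_combofix(SAMPLE_LOG):
        print(f"{name:<18} {reason}")
```

Note that the first two checks are path- and metadata-based, not name-based: Dnscache is hosted by the same svchost.exe as bbuizu and passes, while bbuizu is only caught by the third check, which is the same thing the CFScript in the next reply removes with the "bbuizu"=- line under the svchost key.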
Old 07-08-2008, 03:25 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Re: Google is Hijacked! Results can't be reached

Out of curiosity, which solution allowed you to download the Recovery Console package?

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/265575-google-hijacked-results-can-t-reached-post1579883.html#post1579883

    Driver::
    bbuizu
    PssInsv

    FileLook::
    C:\WINDOWS\system32\snmvtsvc.exe

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "bbuizu"=-

    Collect::
    C:\Program Files\System\svchost.exe
    C:\WINDOWS\system32\drivers\ldnztm.sys

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
  6. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 07-09-2008, 02:30 PM   #19 (permalink)
Registered User
 
Re: Google is Hijacked! Results can't be reached

I ran everything fine, but the script to submit a file to ComboFix didn't show. Attached are the two txt files. What next?
Attached Files
File Type: txt log 080709.txt (24.3 KB, 2 views)
File Type: txt hijackthislog.txt (11.2 KB, 0 views)
Old 07-09-2008, 05:27 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,572
OS: 2000 Pro; XP Pro; XP Home


Re: Google is Hijacked! Results can't be reached

It's possible none of those files were present.

Let's try this once again.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/265575-google-hijacked-results-can-t-reached.html

    Driver::
    ylookuwd

    Collect::
    C:\WINDOWS\system32\drivers\ldnztm.sys
    C:\Program Files\System\svchost.exe

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
  6. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
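Because the poster reports that the file-submission dialog never appeared, and the reply above suggests the named files may simply not have existed, it helps to be able to check a CFScript's artifacts directly. The following is an added example, not ComboFix's code and not from anyone in this thread: it parses the script format used in the scripts quoted here and reports which of the listed paths are present. The meaning assigned to each section (Driver::, FileLook::, Registry::, Collect::) is an assumption drawn from how the thread uses them, and the existence check is a plain path lookup, not what ComboFix does internally.

```python
import os
import re
# Constructed sample input: the CFScript quoted earlier in this thread.
SAMPLE_CFSCRIPT = r"""Driver::
bbuizu
PssInsv

FileLook::
C:\WINDOWS\system32\snmvtsvc.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"bbuizu"=-

Collect::
C:\Program Files\System\svchost.exe
C:\WINDOWS\system32\drivers\ldnztm.sys
"""

SECTION_RE = re.compile(r"^(\w+)::$")        # section header, e.g. "Driver::"
REG_VALUE_RE = re.compile(r'^"([^"]+)"=-$')  # "name"=- requests deletion of a value

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; lines before the first 'Name::' header (e.g. the thread URL) go to 'preamble'."""
    sections, current = {"preamble": []}, "preamble"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def registry_deletions(entries):
    """Read a Registry:: block: [key] selects a key, and "name"=- under it marks that value for deletion (assumed semantics)."""
    key, result = None, []
    for e in entries:
        if e.startswith("[") and e.endswith("]"):
            key = e[1:-1]
        elif key and (m := REG_VALUE_RE.match(e)):
            result.append((key, m.group(1)))
    return result

def artifacts_present(sections, exists=os.path.exists):
    """Report which FileLook::/Collect:: paths exist; 'exists' is injectable so the check can run over a saved listing."""
    paths = sections.get("FileLook", []) + sections.get("Collect", [])
    return {p: bool(exists(p)) for p in paths}
```

Run on the affected machine, an all-False result from artifacts_present would explain why ComboFix had nothing to submit.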
 


Copyright 2001 - 2009, Tech Support Forum