Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)
#1, 12-06-2008, 05:20 PM
muckycherub, Registered User (Join Date: Dec 2008; Posts: 4; OS: win xp)

Redirect Virus help please!?

Hello, I've just completed the DDS scan and the gmer scan.

When using Google it redirects to various search engine sites. There are a few ad pop-ups and every now and then it goes to a porn site.

I ran Spybot Search and Destroy and it found a trojan or so and deleted them. I'm incredibly sorry but I can't provide any specific names of the trojans or viruses because I've just been deleting them as I've found them in the hope of sorting it out, because I'm only semi computer-literate in these matters.

I think I remember seeing one that was a Schreuberg virus that Spybot found and removed... I'm not entirely sure that was the name but it was something along those lines.

I just ran a check now with Spybot and it says there are no immediate threats (that it can find anyway, but the problem still exists).

hxxp://smartbizsearch.com/search.php?q=dog+biscuit&sa=5&sid=629088178&p=2
hxxp://www52.searchmirror.com/xtr_new?q=dog+biscuit&sid=629088178&sa=5&p=2

These are a couple of the links that appear in the URL window. It's always this kind of 'search' redirect and, like I say, there has been one porn site that it redirects to, but it's pot luck what you get in the sense of where it redirects to.

DDS (Version 1.0) - NTFSx86
Run by Janette at 23:22:33.40 on 06/12/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.894.471 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Documents and Settings\Janette\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.hp.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_01\bin\jusched.exe
mRun: [c:\windows\system32\kdnjy.exe] c:\windows\system32\kdnjy.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {90B38C91-DFCC-4AF9-91C5-699F8424A210} = 85.255.112.107;85.255.112.200
TCP: {B6B76477-DFD4-4D1D-BD6A-BF1F8BE707F2} = 85.255.112.107;85.255.112.200
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
R2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2006-4-24 1245064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-31 99376]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081125.004\NAVENG.SYS [2008-11-25 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081125.004\NAVEX15.SYS [2008-11-25 876112]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-20 27904]
S4 FAH@C:+Documents and Settings+Janette+Local Settings+Temporary Internet Files+Content.IE5+2RMJUP63+FAH504-Console[1].exe;FAH@C:+Documents and Settings+Janette+Local Settings+Temporary Internet Files+Content.IE5+2RMJUP63+FAH504-Console[1].exe;c:\documents and settings\janette\local settings\temporary internet files\content.ie5\2rmjup63\FAH504-Console[1].exe -svcstart []

=============== Created Last 30 ================

2008-12-05 19:28 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 19:19 <DIR> --d----- C:\spybot
2008-12-04 18:18 <DIR> --d----- c:\windows\system32\scripting
2008-12-04 18:18 <DIR> --d----- c:\windows\l2schemas
2008-12-04 18:18 <DIR> --d----- c:\windows\system32\en
2008-12-04 18:18 <DIR> --d----- c:\windows\system32\bits
2008-12-04 18:14 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-04 18:11 <DIR> --d----- c:\windows\network diagnostic
2008-12-04 18:06 <DIR> --d----- c:\windows\EHome
2008-12-03 23:54 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-03 23:54 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-03 23:54 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-03 23:54 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 22:46 <DIR> --d----- c:\windows\system32\N360_BACKUP
2008-11-20 21:25 27,904 a------- c:\windows\system32\drivers\ndisprot.sys
2008-11-13 16:10 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys

==================== Find3M ====================

2008-12-04 18:23 86,427 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-26 22:37 93,952 a------- c:\docume~1\janette\applic~1\GDIPFONTCACHEV1.DAT
2008-11-10 00:22 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-10 00:22 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-11-10 00:22 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-10 00:22 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-10-24 11:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 16:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-08 10:41 333,824 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 23:22:48.43 ===============


If I can provide you with any more information please just let me know. I appreciate there may not be a solution I can find on here, but I would appreciate any help you could give me!

Kind regards, Beth
Attached Files
File Type: zip Attach.zip (3.6 KB, 1 views)
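The DDS log in the post above is what the helper reads by eye, and three line types carry most of the signal for a search-redirect case: the TCP lines (per-interface NameServer values), the mRun entry whose value name is its own path (c:\windows\system32\kdnjy.exe), and the S4 service whose image sits in the browser cache under Temporary Internet Files. The Python below is an added example written for this page; it is not part of the thread, of DDS, or of any tool named here. It parses those three line types from an excerpt of the log (the FAH service name is shortened from its very long original) and flags them. The resolver allowlist, the private/loopback exclusion and the set of system32 executables accepted in Run keys are assumptions of the script. Whether 85.255.112.107 and 85.255.112.200 are the ISP's resolvers is something to verify with the ISP: a home laptop normally receives its resolvers by DHCP, and a hard-coded public resolver is how search-redirect trojans of this period rerouted every lookup.

```python
"""Triage helpers for the DDS "Pseudo HJT Report" format.

Added example for this page; not part of the thread or of DDS. The resolver
allowlist and SYSTEM32_RUN_OK are assumptions, not DDS conventions.
"""
import ipaddress
import re

# Excerpt of the DDS log posted in this thread (service name shortened),
# used here as the sample input.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [c:\windows\system32\kdnjy.exe] c:\windows\system32\kdnjy.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
TCP: {90B38C91-DFCC-4AF9-91C5-699F8424A210} = 85.255.112.107;85.255.112.200
TCP: {B6B76477-DFD4-4D1D-BD6A-BF1F8BE707F2} = 85.255.112.107;85.255.112.200
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
S4 FAH504;FAH504;c:\documents and settings\janette\local settings\temporary internet files\content.ie5\2rmjup63\FAH504-Console[1].exe -svcstart []
"""

RUN_RE = re.compile(r"^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
TCP_RE = re.compile(r"^TCP:\s*\{(?P<guid>[0-9A-Fa-f-]+)\}\s*=\s*(?P<servers>[\d.;]+)")
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[[^\]]*\]\s*$")

# system32 executables that legitimately sit in Run keys on XP (assumption; extend as needed)
SYSTEM32_RUN_OK = {"ctfmon.exe"}


def parse_dds(text):
    """Split the log into Run entries, per-interface DNS servers and services."""
    runs, dns, services = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            runs.append(m.groupdict())
            continue
        m = TCP_RE.match(line)
        if m:
            dns.append((m["guid"], m["servers"].split(";")))
            continue
        m = SVC_RE.match(line)
        if m:
            services.append(m.groupdict())
    return runs, dns, services


def suspicious_nameservers(dns, allowed=()):
    """(interface GUID, resolver) pairs whose resolver is a public IP outside `allowed`.

    A statically configured public resolver on a DHCP client is the pattern
    DNS-hijacking redirectors leave behind; the caller supplies the ISP's ranges.
    """
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    hits = []
    for guid, servers in dns:
        for server in servers:
            ip = ipaddress.ip_address(server)
            if ip.is_private or ip.is_loopback or any(ip in net for net in allowed_nets):
                continue
            hits.append((guid, server))
    return hits


def suspicious_run_entries(runs):
    """Run values whose name is a path, or that launch an unexpected system32 binary."""
    hits = []
    for entry in runs:
        name, cmd = entry["name"], entry["cmd"].strip().strip('"')
        exe = cmd.lower()
        if ".exe" in exe:
            exe = exe[: exe.index(".exe") + 4]          # drop arguments such as /background
        base = exe.rsplit("\\", 1)[-1]
        if re.match(r"^[a-z]:\\", name, re.IGNORECASE):
            # Installers name Run values after the product; a full path as the
            # value name is typical of malware registering its own dropped file.
            hits.append((name, cmd, "value name is a full path"))
        elif "\\windows\\system32\\" in exe and base not in SYSTEM32_RUN_OK:
            hits.append((name, cmd, "unexpected system32 executable"))
    return hits


def services_from_temp(services):
    """Names of services whose image lives in a temp or browser-cache directory."""
    markers = ("\\temporary internet files\\", "\\temp\\")
    return [s["name"] for s in services
            if any(marker in s["image"].lower() for marker in markers)]


def triage(text, allowed_dns=()):
    runs, dns, services = parse_dds(text)
    return {
        "nameservers": suspicious_nameservers(dns, allowed_dns),
        "run": suspicious_run_entries(runs),
        "temp_services": services_from_temp(services),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section)
        for hit in hits:
            print("   ", hit)
```

Run as a script it prints the hits for the excerpt; the functions return plain lists so the same checks can be run over a folder of logs, and passing the ISP's ranges as `allowed_dns` silences resolvers that turn out to be legitimate.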

#2, 12-06-2008, 08:00 PM
sUBs, Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy (Join Date: May 2005; Posts: 24,486; OS: N/A)

Re: Redirect Virus help please!?

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
#3, 12-07-2008, 11:13 AM
muckycherub, Registered User (Join Date: Dec 2008; Posts: 4; OS: win xp)

Re: Redirect Virus help please!?

Thank you very much for the quick reply!

The log I just got from ComboFix:

ComboFix 08-12-06.06 - Janette 2008-12-07 18:05:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511 [GMT 0:00]
Running from: c:\documents and settings\Janette\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\components\iamfamous.dll
c:\windows\IE4 Error Log.txt
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 23:29 . 2008-12-06 23:39 250 --a------ c:\windows\gmer.ini
2008-12-05 19:28 . 2008-12-05 19:28 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 19:19 . 2008-12-05 19:19 <DIR> d-------- C:\spybot
2008-12-04 18:18 . 2008-12-04 18:18 <DIR> d-------- c:\windows\system32\scripting
2008-12-04 18:18 . 2008-12-04 18:18 <DIR> d-------- c:\windows\system32\en
2008-12-04 18:18 . 2008-12-04 18:18 <DIR> d-------- c:\windows\system32\bits
2008-12-04 18:18 . 2008-12-04 18:18 <DIR> d-------- c:\windows\l2schemas
2008-12-04 18:14 . 2008-12-04 18:19 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-04 18:06 . 2008-12-04 18:06 <DIR> d-------- c:\windows\EHome
2008-12-03 23:54 . 2008-12-03 23:54 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-03 23:54 . 2008-12-03 23:54 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-03 23:54 . 2008-12-03 23:54 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-03 23:54 . 2008-12-03 23:54 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 22:46 . 2008-11-30 22:46 <DIR> d-------- c:\windows\system32\N360_BACKUP
2008-11-20 21:25 . 2008-11-20 21:25 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-13 16:10 . 2008-10-24 11:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 18:07 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-07 18:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-07 18:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 11:28 --------- d-----w c:\program files\Google
2008-12-01 23:38 --------- d-----w c:\program files\Java
2008-11-26 22:37 93,952 ----a-w c:\documents and settings\Janette\Application Data\GDIPFONTCACHEV1.DAT
2008-11-10 00:22 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-11-10 00:22 60,800 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-11-10 00:22 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-10 00:22 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-10 00:22 --------- d-----w c:\program files\Symantec
2008-11-03 21:35 --------- d-----w c:\program files\Norton 360
2008-10-31 18:38 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 21:17 --------- d-----w c:\documents and settings\Janette\Application Data\Symantec
2008-10-22 21:13 --------- d-----w c:\program files\Windows Sidebar
2008-10-18 15:50 --------- d-----w c:\documents and settings\Janette\Application Data\Hemera
2008-10-18 15:48 --------- d-----w c:\program files\GSP
2008-10-17 13:31 --------- d-----w c:\documents and settings\Janette\Application Data\AdobeUM
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-08 18:41 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 3:44:06 AM 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^StarBoard simpliWrite.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\StarBoard simpliWrite.lnk
backup=c:\windows\pss\StarBoard simpliWrite.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-11-10 20:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2005-08-01 13:26 233534 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2005-12-22 07:57 405504 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-12-13 15:45 507904 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2005-12-12 10:39 94208 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
--------- 2005-10-11 09:23 1187840 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--------- 2006-02-09 08:52 643072 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-08-14 17:39 20066856 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarBoardDriver]
--a------ 2005-11-01 11:47 720896 c:\program files\Hitachi Software Engineering\StarBoard Software\DGBoard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"LightScribeService"=2 (0x2)
"gusvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"FAH@C:+Documents and Settings+Janette+Local Settings+Temporary Internet Files+Content.IE5+2RMJUP63+FAH504-Console[1].exe"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Hitachi Software Engineering\\StarBoard Software\\DigitalBoardManager.exe"=
"c:\\Program Files\\Hitachi Software Engineering\\StarBoard Software\\TRex.exe"=
"c:\\Program Files\\Hitachi Software Engineering\\StarBoard Software\\ZuttoMatte.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2/18/2008 7:37:20 PM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/31/2008 6:40:57 PM 99376]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [8/22/2005 900 AM 231424]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [1/13/2008 2:32:00 AM 23888]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [11/20/2008 9:25:45 PM 27904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{383321da-dc9c-11dc-b78b-0014a5a429a8}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-kdnjy - c:\windows\system32\kdnjy.exe
MSConfigStartUp-SpyHunter - c:\program files\Enigma Software Group\SpyHunter\SpyHunter.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\viewdw32.ocx - O16 -: {84818113-96C5-11D2-BE39-006008BF4DD5}
hxxp://www.scotlandspeople.gov.uk/Viewers/ActiveXControl/viewdw32.ocx
FireFox -: Profile - c:\documents and settings\Janette\Application Data\Mozilla\Firefox\Profiles\xejfiii7.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 18:07:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@C:+Documents and Settings+Janette+Local Settings+Temporary Internet Files+Content.IE5+2RMJUP63+FAH504-Console[1].exe]
"ImagePath"="c:\documents and settings\Janette\Local Settings\Temporary Internet Files\Content.IE5\2RMJUP63\FAH504-Console
[1].exe -svcstart"


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@C:+Documents and Settings+Janette+Local Settings+Temporary Internet Files+Content.IE5+2RMJUP63+FAH504-Console[1].exe]
"ImagePath"="c:\documents and settings\Janette\Local Settings\Temporary Internet Files\Content.IE5\2RMJUP63\FAH504-Console
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1180)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-07 18:09:01
ComboFix-quarantined-files.txt 2008-12-07 18:08:36

Pre-Run: 77,398,249,472 bytes free
Post-Run: 77,447,626,752 bytes free

204 --- E O F --- 2008-12-04 18:29:00


Much Love, Beth
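The "Reg Loading Points" section of the ComboFix log above records Security Center monitoring switched off (globally and for the Symantec antivirus and firewall), the Windows Firewall standard profile set to EnableFirewall 0, a list of firewall-exempted programs, and a cached AutoRun handler for a removable volume. Each of these can be legitimate: Norton 360, which is present in the Run keys, registers with Security Center and supplies its own firewall, and LaunchU3.exe is the U3 launcher shipped on some USB sticks. That is exactly why they should be extracted and checked against what is installed rather than read as tampering or dismissed. The Python below is an added example for this page, not code from the thread or from ComboFix; it parses the REGEDIT4-style dump that section uses and returns each of those facts in a testable form. The sample is modelled on the log's own entries plus one constructed firewall exception under a temp directory that is not in the log; the directories treated as normal homes for exempted programs are an assumption.

```python
"""Reading ComboFix's "Reg Loading Points" dump for weakened protection and autorun hooks.

Added example for this page; not part of the thread or of ComboFix. PROGRAM_ROOTS
is an assumption; the last AuthorizedApplications entry below is constructed.
"""
import re

SAMPLE_DUMP = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Janette\\Local Settings\\Temp\\update.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{383321da-dc9c-11dc-b78b-0014a5a429a8}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$")
SC_MARKER = "security center\\monitoring"
PROGRAM_ROOTS = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")   # assumption


def parse_reg_dump(text):
    """Return (key, value_name, data) triples; AutoRun handler lines become a pseudo-value."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue                      # header text before the first key
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m["name"], m["value"].strip()))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append((key, "Shell\\AutoRun\\command", m["cmd"].strip()))
    return entries


def reg_int(data):
    """Parse both integer spellings ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    data = data.strip().lower()
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return int(data.split()[0], 0)


def security_center_overrides(entries):
    """Security Center monitors switched off, e.g. ['(global)', 'SymantecAntiVirus'].

    A third-party suite that registers with Security Center sets these itself, so
    each one must be matched against an installed product before it counts as tampering.
    """
    out = []
    for key, name, data in entries:
        pos = key.lower().find(SC_MARKER)
        if pos < 0 or name.lower() != "disablemonitoring" or reg_int(data) != 1:
            continue
        out.append(key[pos + len(SC_MARKER):].strip("\\") or "(global)")
    return out


def windows_firewall_enabled(entries):
    """True/False from the standard profile's EnableFirewall; None when ComboFix did not
    print it, which (per the note at the top of the section) means the default applies."""
    for key, name, data in entries:
        if "firewallpolicy\\standardprofile" in key.lower() and name.lower() == "enablefirewall":
            return reg_int(data) != 0
    return None


def firewall_exceptions_outside_program_dirs(entries):
    """Firewall-exempted programs that do not live under Windows or Program Files."""
    out = []
    for key, name, _ in entries:
        if key.lower().endswith("authorizedapplications\\list"):
            path = name.replace("\\\\", "\\")   # value names are printed with doubled backslashes
            if not path.lower().startswith(PROGRAM_ROOTS):
                out.append(path)
    return out


def autorun_handlers(entries):
    """(volume GUID, command) pairs Explorer runs when that volume is opened."""
    return [(key.rsplit("\\", 1)[-1], data) for key, name, data in entries
            if "mountpoints2" in key.lower() and name == "Shell\\AutoRun\\command"]


if __name__ == "__main__":
    entries = parse_reg_dump(SAMPLE_DUMP)
    print("Security Center monitoring disabled for:", security_center_overrides(entries))
    print("Windows Firewall (standard profile) enabled:", windows_firewall_enabled(entries))
    print("Firewall exceptions outside program dirs:", firewall_exceptions_outside_program_dirs(entries))
    print("Cached AutoRun handlers:", autorun_handlers(entries))
```

The firewall and Security Center findings are only meaningful next to the rest of the log: here Norton 360's own services are running and monitoring is disabled for the Symantec products specifically, which is what a registered suite looks like, while the constructed Temp-directory exception shows the kind of entry that would warrant the CFScript treatment the next reply uses.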
#4, 12-07-2008, 03:02 PM
sUBs, Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy (Join Date: May 2005; Posts: 24,486; OS: N/A)

Re: Redirect Virus help please!?

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\drivers\ndisprot.sys
Driver::
Ndisprot
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]
Save this as "CFScript".

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps, and update us on how the computer behaves now.
#5, 12-11-2008, 03:29 PM
muckycherub, Registered User (Join Date: Dec 2008; Posts: 4; OS: win xp)

Re: Redirect Virus help please!?

Online Scan Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 11, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 11, 2008 17:33:43
Records in database: 1452742
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 58848
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:42:46


File name / Threat name / Threats count
C:\Program Files\Online Services\BTYahoo\HPPre05.msi Infected: not-a-virus:Dialer.Win32.BT.g 1
C:\Qoobox\Quarantine\D\Autorun.inf.vir Infected: Worm.Win32.AutoRun.onp 1
D:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP171\A0044771.inf Infected: Worm.Win32.AutoRun.onp 1

The selected area was scanned.

New ComboFix log:

ComboFix 08-12-11.01 - Janette 2008-12-11 20:00:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.500 [GMT 0:00]
Running from: c:\documents and settings\Janette\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Janette\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\ndisprot.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\ndisprot.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISPROT
-------\Service_Ndisprot


((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-06 23:29 . 2008-12-06 23:39 250 --a------ c:\windows\gmer.ini
2008-12-05 19:28 . 2008-12-05 19:28 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 19:19 . 2008-12-05 19:19 <DIR> d-------- C:\spybot
2008-12-04 18:18 . 2008-12-04 18:18 <DIR> d-------- c:\windows\system32\scripting
2008-12-04 18:18 . 2008-12-04 18:18 <DIR> d-------- c:\windows\system32\en
2008-12-04 18:18 . 2008-12-04 18:18 <DIR> d-------- c:\windows\system32\bits
2008-12-04 18:18 . 2008-12-04 18:18 <DIR> d-------- c:\windows\l2schemas
2008-12-04 18:14 . 2008-12-04 18:19 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-04 18:06 . 2008-12-04 18:06 <DIR> d-------- c:\windows\EHome
2008-12-03 23:54 . 2008-12-03 23:54 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-03 23:54 . 2008-12-03 23:54 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-03 23:54 . 2008-12-03 23:54 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-03 23:54 . 2008-12-03 23:54 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 22:46 . 2008-11-30 22:46 <DIR> d-------- c:\windows\system32\N360_BACKUP
2008-11-13 16:10 . 2008-10-24 11:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 20:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-07 18:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-07 18:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 11:28 --------- d-----w c:\program files\Google
2008-12-01 23:38 --------- d-----w c:\program files\Java
2008-11-26 22:37 93,952 ----a-w c:\documents and settings\Janette\Application Data\GDIPFONTCACHEV1.DAT
2008-11-10 00:22 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-11-10 00:22 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-10 00:22 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-10 00:22 --------- d-----w c:\program files\Symantec
2008-11-03 21:35 --------- d-----w c:\program files\Norton 360
2008-10-31 18:38 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 21:17 --------- d-----w c:\documents and settings\Janette\Application Data\Symantec
2008-10-22 21:13 --------- d-----w c:\program files\Windows Sidebar
2008-10-18 15:50 --------- d-----w c:\documents and settings\Janette\Application Data\Hemera
2008-10-18 15:48 --------- d-----w c:\program files\GSP
2008-10-17 13:31 --------- d-----w c:\documents and settings\Janette\Application Data\AdobeUM
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_18.08.08.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-07-18 21:10:48 94,920 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 14:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2008-04-14 00:12:15 139,264 ----a-w c:\windows\system32\cscript.exe
+ 2008-05-07 09:07:23 135,168 ----a-w c:\windows\system32\cscript.exe
- 2008-07-18 21:10:48 94,920 ----a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 14:09:44 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-05-07 09:07:23 135,168 ------w c:\windows\system32\dllcache\cscript.exe
+ 2008-05-09 10:53:39 512,000 ------w c:\windows\system32\dllcache\jscript.dll
- 2008-04-14 00:12:01 1,306,624 ------w c:\windows\system32\dllcache\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
+ 2008-05-09 10:53:39 180,224 ------w c:\windows\system32\dllcache\scrobj.dll
+ 2008-05-09 10:53:40 172,032 ------w c:\windows\system32\dllcache\scrrun.dll
+ 2008-05-09 10:53:40 430,080 ------w c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-08 11:24:44 155,648 ------w c:\windows\system32\dllcache\wscript.exe
+ 2008-05-09 10:53:40 90,112 ------w c:\windows\system32\dllcache\wshext.dll
- 2008-07-18 21:09:44 563,912 ----a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 14:12:20 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
- 2008-07-18 21:10:42 53,448 ----a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 14:09:44 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-18 21:09:42 1,811,656 ----a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 14:13:40 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-18 21:09:46 325,832 ----a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 14:12:22 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
- 2008-07-18 21:10:20 36,552 ----a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 14:08:58 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
- 2008-07-18 21:09:44 205,000 ----a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 14:13:40 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
- 2008-04-14 00:11:56 512,000 ----a-w c:\windows\system32\jscript.dll
+ 2008-05-09 10:53:39 512,000 ----a-w c:\windows\system32\jscript.dll
- 2008-04-14 00:12:01 1,306,624 ------w c:\windows\system32\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 ------w c:\windows\system32\msxml6.dll
- 2008-07-18 21:07:34 270,880 ----a-w c:\windows\system32\mucltui.dll
+ 2008-10-16 1448 268,648 ----a-w c:\windows\system32\mucltui.dll
- 2008-07-18 21:07:32 210,976 ----a-w c:\windows\system32\muweb.dll
+ 2008-10-16 1448 208,744 ----a-w c:\windows\system32\muweb.dll
- 2008-12-07 17:58:30 64,380 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-11 19:54:21 64,380 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-07 17:58:30 407,538 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-11 19:54:21 407,538 ----a-w c:\windows\system32\perfh009.dat
- 2008-04-14 00:12:05 180,224 ----a-w c:\windows\system32\scrobj.dll
+ 2008-05-09 10:53:39 180,224 ----a-w c:\windows\system32\scrobj.dll
- 2008-04-14 00:12:05 172,032 ----a-w c:\windows\system32\scrrun.dll
+ 2008-05-09 10:53:40 172,032 ----a-w c:\windows\system32\scrrun.dll
+ 2008-10-16 14:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 14:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-04-14 00:12:08 434,176 ----a-w c:\windows\system32\vbscript.dll
+ 2008-05-09 10:53:40 430,080 ----a-w c:\windows\system32\vbscript.dll
- 2008-04-14 00:12:41 155,648 ----a-w c:\windows\system32\wscript.exe
+ 2008-05-08 11:24:44 155,648 ----a-w c:\windows\system32\wscript.exe
- 2008-04-14 00:12:10 90,112 ----a-w c:\windows\system32\wshext.dll
+ 2008-05-09 10:53:40 90,112 ----a-w c:\windows\system32\wshext.dll
- 2008-07-18 21:09:44 563,912 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 14:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2008-07-18 21:10:42 53,448 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 14:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2008-07-18 21:09:42 1,811,656 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 14:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2008-07-18 21:09:46 325,832 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 14:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2008-07-18 21:10:20 36,552 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 14:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2008-07-18 21:10:40 45,768 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 14:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2008-07-18 21:09:44 205,000 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 14:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
+ 2008-12-11 20:04:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_17c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^StarBoard simpliWrite.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\StarBoard simpliWrite.lnk
backup=c:\windows\pss\StarBoard simpliWrite.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-11-10 20:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2005-08-01 13:26 233534 c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2005-12-22 07:57 405504 c:\program files\HPQ\Quick Launch Buttons\eabservr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-12-13 15:45 507904 c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2005-12-12 10:39 94208 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
--------- 2005-10-11 09:23 1187840 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--------- 2006-02-09 08:52 643072 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-08-14 17:39 20066856 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarBoardDriver]
--a------ 2005-11-01 11:47 720896 c:\program files\Hitachi Software Engineering\StarBoard Software\DGBoard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"LightScribeService"=2 (0x2)
"gusvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"FAH@C:+Documents and Settings+Janette+Local Settings+Temporary Internet Files+Content.IE5+2RMJUP63+FAH504-Console[1].exe"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Hitachi Software Engineering\\StarBoard Software\\DigitalBoardManager.exe"=
"c:\\Program Files\\Hitachi Software Engineering\\StarBoard Software\\TRex.exe"=
"c:\\Program Files\\Hitachi Software Engineering\\StarBoard Software\\ZuttoMatte.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-31 99376]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2005-08-22 231424]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-13 23888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{383321da-dc9c-11dc-b78b-0014a5a429a8}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\viewdw32.ocx - O16 -: {84818113-96C5-11D2-BE39-006008BF4DD5}
hxxp://www.scotlandspeople.gov.uk/Viewers/ActiveXControl/viewdw32.ocx
FF - ProfilePath - c:\documents and settings\Janette\Application Data\Mozilla\Firefox\Profiles\xejfiii7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 20:04:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FAH@C:+Documents and Settings+Janette+Local Settings+Temporary Internet Files+Content.IE5+2RMJUP63+FAH504-Console[1].exe]
"ImagePath"="c:\documents and settings\Janette\Local Settings\Temporary Internet Files\Content.IE5\2RMJUP63\FAH504-Console[1].exe -svcstart"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1180)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2008-12-11 20:07:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-11 2048
ComboFix2.txt 2008-12-07 18:09:03

Pre-Run: 77,232,427,008 bytes free
Post-Run: 77,207,908,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

281 --- E O F --- 2008-12-07 23:50:13


The computer is already running a lot faster and the re-directs seem to have stopped for the moment.

Regards, Beth
Old 12-11-2008, 03:42 PM   #6 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,486
OS: N/A


Re: Redirect Virus help please!?

Quote:
C:\Program Files\Online Services\BTYahoo\HPPre05.msi Infected: not-a-virus:Dialer.Win32.BT.g 1
This is a false positive. I'm going to ignore it.

Of the stuff Kaspersky found,

C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while


----------------------


Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
Old 12-13-2008, 09:47 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 4
OS: win xp


Re: Redirect Virus help please!?

Thank you very much for your help!!!!! Everything seems fine and I'm about to look at some of the programs for 'aftercare' so to speak. I'm really very grateful! thanks again muchly!!
Beth
Copyright 2001 - 2009, Tech Support Forum