Google redirecting search results

[blackjava]

When I do a search in google, the results on the seach page are being redirected to another site other than what is shown.
Here are my files. I tried to run GMER but after 2 1/2 hours it still hadn't finished so I stopped it. If I need it I will try again after you review this.
Thanks

Bob Tyndall

DDS (Ver_09-02-01.01) - NTFSx86
Run by Robert Tyndall at 11:30:35.03 on 09-03-13
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.585 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\Twain_32\USB2.0Camera\SnapTrap.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robert Tyndall\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.blackjava.ca/
uDefault_Page_URL = hxxp://www.blackjava.ca
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.blackjava.ca
mStart Page = hxxp://www.blackjava.ca
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {7F61B912-EC15-6A4D-8457-25D4B1D2F5E7} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: Microsoft CommBand: {4d5c8c2a-d075-11d0-b416-00c04fb90376} - %SystemRoot%\System32\browseui.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {2751F3AD-5600-44CC-A653-8A24CAE5AF6D} - No File
TB: {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No File
TB: {3FE20A68-5F78-4CF1-A941-3AAA55DE4C9D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [STICAP] c:\windows\twain_32\usb2.0camera\SnapTrap.exe
dRunOnce: [SRUUninstall] "c:\windows\system32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
IE: &Add animation to IncrediMail Style Box
IE: E&xport to Microsoft Office Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
Trusted Zone: blackjava-coffee.com
Trusted Zone: critical-delivery.com
Trusted Zone: ryze.com
Trusted Zone: spurl.net
Trusted Zone: wordpress.org
Trusted Zone: www.blackjava-coffee
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {45E9CD65-4B2B-4999-BBA5-FFE249CC219D} - hxxp://www.liveconferencepro.com/ghosts/conference.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
LSA: Notification Packages = :\windows\SYSTE

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\mwokfpmw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackjava-coffee.com/
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - HiddenExtension: XUL Cache: {69D756A6-A9AE-4663-96B5-2E2D428208FF} - c:\documents and settings\robert tyndall\local settings\application data\{69D756A6-A9AE-4663-96B5-2E2D428208FF}

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://hubpages.com/
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-10-25 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-15 64160]
R1 AluriaFilter;AluriaFilter;c:\windows\system32\drivers\AlurFltr.sys [2005-4-29 45056]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-25 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-25 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-25 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-15 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-15 298264]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
R3 SQTECH930B;USB 2.0 PC CAMERA;c:\windows\system32\drivers\Capt930b.sys [2009-2-25 247325]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-02-25 15:06 696,320 a------- c:\windows\SnapShow.exe
2009-02-25 15:06 247,325 a------- c:\windows\system32\drivers\Capt930b.sys
2009-02-25 15:06 15,340 a------- c:\windows\930TwCfg.INI
2009-02-25 15:06 8,714 a------- c:\windows\930TwSrc.src
2009-02-25 15:06 24,966 a------- c:\windows\system32\drivers\Camd930b.sys
2009-02-25 15:06 45,056 a------- c:\windows\system32\930ExV21.ax
2009-02-18 11:23 <DIR> --d----- c:\program files\QuickTax 2008
2009-02-15 21:37 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-15 20:55 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-15 20:48 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}

==================== Find3M ====================

2009-03-13 08:08 6,030 a------- c:\docume~1\robert~1\applic~1\wklnhst.dat
2009-02-21 13:28 95,952 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-15 09:16 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-15 09:16 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-15 09:16 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-01-15 09:16 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-19 02:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 02:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 22:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 22:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-13 14:54 60,744 a------- c:\documents and settings\robert tyndall\g2mdlhlpx.exe
2008-08-06 16:46 95,952 a------- c:\docume~1\robert~1\applic~1\GDIPFONTCACHEV1.DAT
2007-12-20 08:31 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2005-03-17 09:14 13 ----h--- c:\docume~1\alluse~1\applic~1\13.sys
2005-01-23 20:23 1,689 a------- c:\program files\INSTALL.LOG
2004-08-19 18:00 784 a------- c:\docume~1\robert~1\applic~1\mpauth.dat
2006-01-10 15:03 406,433 ---sh--- c:\windows\system32\jjllm.bak2
2006-01-10 15:03 406,795 ---sh--- c:\windows\system32\jjllm.ini2

============= FINISH: 11:31:20.18 ===============

[Billy O'Neal]

Hello, blackjava
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:

• In the meantime, please refrain from making any changes to your computer.
• Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
• Finally, please reply using the button in the lower left hand corner of your screen.
• Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" .

Quote:

I tried to run GMER but after 2 1/2 hours it still hadn't finished so I stopped it. If I need it I will try again after you review this.

We can try this backup but I doubt it will be any faster.

We Need to check for Rootkits with RootRepeal

1. Download RootRepeal from the following location and save it to your desktop:
   • RootRepeal
2. Extract RootRepeal.exe from the zip archive.
3. Open on your desktop.
4. Click the tab.
5. Click the button.
6. Check all six boxes:
7. Push Ok
8. Check the box for your main system drive (Usually C:), and press Ok.
9. Allow RootRepeal to run a scan of your system. This may take some time.
10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

In your next reply, please include the following:

• RootRepeal Log

Billy3

[blackjava]

Hi Billy
Thanks for the info. I will try to upload that file tomorrow.

Bob

[blackjava]

Hi Billy

I tried running Rootrepeal but It won't open.
I get this report.
ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x00406e46
Attempt to read from address: 0x181f0240

I will try running GMER in the morning.

Bob

[Billy O'Neal]

Hello, blackjava
Alright... please give this one a shot then :)

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it's author:

How to run ComboFix:

1. Please download ComboFix from one of the following mirrors, and save it to your desktop.
   • This is a mirror.
   • This is another mirror.
   • This is yet another mirror.
2. Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
3. Double click on your desktop.
4. Read and accept (Press Yes) to the disclaimer.
5. For Windows XP Systems: Install the Recovery Console:
   • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
   • When prompted to accept the EULA, press OK.
   • Accept Microsoft's EULA (Press Yes).
   • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
6. ComboFix will run. Simply wait for it to finish.
7. When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)

NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:

• ComboFix.txt

Billy3

[blackjava]

Hi Billy

That worked ok so here is the log.

I am also attatching ARK.zip, although for the time it took to generate there doesn't seem to be much in it :)

ComboFix 09-03-13.02 - Robert Tyndall 2009-03-14 8:09:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.764 [GMT -7:00]
Running from: c:\documents and settings\Robert Tyndall\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\_003613_.tmp.dll
c:\windows\system32\_003614_.tmp.dll
c:\windows\system32\_003615_.tmp.dll
c:\windows\system32\_003616_.tmp.dll
c:\windows\system32\_003623_.tmp.dll
c:\windows\system32\_003624_.tmp.dll
c:\windows\system32\_003625_.tmp.dll
c:\windows\system32\_003627_.tmp.dll
c:\windows\system32\_003628_.tmp.dll
c:\windows\system32\_003631_.tmp.dll
c:\windows\system32\_003632_.tmp.dll
c:\windows\system32\_003634_.tmp.dll
c:\windows\system32\_003635_.tmp.dll
c:\windows\system32\_003636_.tmp.dll
c:\windows\system32\_003638_.tmp.dll
c:\windows\system32\_003641_.tmp.dll
c:\windows\system32\_003642_.tmp.dll
c:\windows\system32\_003646_.tmp.dll
c:\windows\system32\_003647_.tmp.dll
c:\windows\system32\_003649_.tmp.dll
c:\windows\system32\_003652_.tmp.dll
c:\windows\system32\_003654_.tmp.dll
c:\windows\system32\_003655_.tmp.dll
c:\windows\system32\_003656_.tmp.dll
c:\windows\system32\_003657_.tmp.dll
c:\windows\system32\_003660_.tmp.dll
c:\windows\system32\_003661_.tmp.dll
c:\windows\system32\_003662_.tmp.dll
c:\windows\system32\_003663_.tmp.dll
c:\windows\system32\_003664_.tmp.dll
c:\windows\system32\_003669_.tmp.dll
c:\windows\system32\_003671_.tmp.dll
c:\windows\system32\_006896_.tmp.dll
c:\windows\system32\_006897_.tmp.dll
c:\windows\system32\_006898_.tmp.dll
c:\windows\system32\_006899_.tmp.dll
c:\windows\system32\_006906_.tmp.dll
c:\windows\system32\_006907_.tmp.dll
c:\windows\system32\_006908_.tmp.dll
c:\windows\system32\_006910_.tmp.dll
c:\windows\system32\_006911_.tmp.dll
c:\windows\system32\_006914_.tmp.dll
c:\windows\system32\_006915_.tmp.dll
c:\windows\system32\_006917_.tmp.dll
c:\windows\system32\_006918_.tmp.dll
c:\windows\system32\_006919_.tmp.dll
c:\windows\system32\_006921_.tmp.dll
c:\windows\system32\_006924_.tmp.dll
c:\windows\system32\_006925_.tmp.dll
c:\windows\system32\_006929_.tmp.dll
c:\windows\system32\_006930_.tmp.dll
c:\windows\system32\_006932_.tmp.dll
c:\windows\system32\_006935_.tmp.dll
c:\windows\system32\_006937_.tmp.dll
c:\windows\system32\_006938_.tmp.dll
c:\windows\system32\_006939_.tmp.dll
c:\windows\system32\_006940_.tmp.dll
c:\windows\system32\_006943_.tmp.dll
c:\windows\system32\_006944_.tmp.dll
c:\windows\system32\_006945_.tmp.dll
c:\windows\system32\_006946_.tmp.dll
c:\windows\system32\_006947_.tmp.dll
c:\windows\system32\_006952_.tmp.dll
c:\windows\system32\_006954_.tmp.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\FTPx.dll
c:\windows\SYSTEM32\jjllm.bak2
c:\windows\system32\jjllm.ini2
c:\windows\SYSTEM32\jjllm.tmp
c:\windows\system32\MabryObj.dll
c:\windows\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-11 12:16 . 2009-03-11 12:17 1,374 --a------ c:\windows\imsins.BAK
2009-02-25 15:06 . 2005-02-04 10:00 696,320 --a------ c:\windows\SnapShow.exe
2009-02-25 15:06 . 2005-01-26 10:27 247,325 --a------ c:\windows\SYSTEM32\DRIVERS\Capt930b.sys
2009-02-25 15:06 . 2004-12-29 11:13 45,056 --a------ c:\windows\SYSTEM32\930ExV21.ax
2009-02-25 15:06 . 2004-11-05 15:38 24,966 --a------ c:\windows\SYSTEM32\DRIVERS\Camd930b.sys
2009-02-25 15:06 . 2005-03-01 11:02 15,340 --a------ c:\windows\930TwCfg.INI
2009-02-25 15:06 . 2005-02-23 17:33 8,714 --a------ c:\windows\930TwSrc.src
2009-02-25 08:37 . 2009-02-25 08:37 <DIR> d-------- c:\program files\Common Files\Skype
2009-02-18 11:23 . 2009-03-09 12:35 <DIR> d-------- c:\program files\QuickTax 2008
2009-02-15 21:37 . 2009-03-03 20:57 15,688 --a------ c:\windows\SYSTEM32\lsdelete.exe
2009-02-15 20:55 . 2009-03-03 20:56 64,160 --a------ c:\windows\SYSTEM32\DRIVERS\Lbd.sys
2009-02-15 20:48 . 2009-02-15 20:48 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 04:25 --------- d-----w c:\documents and settings\Robert Tyndall\Application Data\Skype
2009-03-13 23:19 6,030 ----a-w c:\documents and settings\Robert Tyndall\Application Data\wklnhst.dat
2009-03-10 19:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-10 19:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 19:17 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 19:17 --------- d-----w c:\program files\Spyware Doctor
2009-03-10 19:13 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-25 22:06 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-25 22:02 --------- d-----w c:\documents and settings\Robert Tyndall\Application Data\skypePM
2009-02-25 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-25 15:37 --------- d-----r c:\program files\Skype
2009-02-18 18:24 --------- d-----w c:\documents and settings\Robert Tyndall\Application Data\Intuit Canada
2009-02-18 18:22 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit Canada
2009-02-16 03:48 --------- d-----w c:\program files\Lavasoft
2009-02-09 15:19 --------- d-----w c:\program files\IncrediMail
2009-01-30 19:31 --------- d-----w c:\program files\Winamp
2009-01-29 19:17 --------- d-----w c:\documents and settings\Robert Tyndall\Application Data\Winamp
2009-01-22 18:34 --------- d-----w c:\program files\Google
2009-01-15 19:25 --------- d-----w c:\program files\Web CEO
2009-01-15 16:17 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-15 16:16 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-15 16:16 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-15 16:16 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-10-13 21:54 60,744 ----a-w c:\documents and settings\Robert Tyndall\g2mdlhlpx.exe
2008-08-06 23:46 95,952 ----a-w c:\documents and settings\Robert Tyndall\Application Data\GDIPFONTCACHEV1.DAT
2007-12-20 15:31 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2005-03-17 16:14 13 ---h--w c:\documents and settings\All Users\Application Data\13.sys
2004-08-20 01:00 784 ----a-w c:\documents and settings\Robert Tyndall\Application Data\mpauth.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-01-16 4519832]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-13 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-15 1601304]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-03 515416]
"STICAP"="c:\windows\Twain_32\USB2.0Camera\SnapTrap.exe" [2004-11-05 155648]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="c:\windows\System32\msiexec.exe" [2005-03-21 78848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-15 09:16 10520 c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxczcoms.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncrediMail_Install.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Nvu\\nvu.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [2008-10-25 12552]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2009-02-15 64160]
R1 AluriaFilter;AluriaFilter;c:\windows\SYSTEM32\DRIVERS\AlurFltr.sys [2005-04-29 45056]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-10-25 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-10-25 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-15 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-15 298264]
R3 SQTECH930B;USB 2.0 PC CAMERA;c:\windows\SYSTEM32\DRIVERS\Capt930b.sys [2009-02-25 247325]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\A4BF043E9184BA1A.job
- c:\docume~1\robert~1\applic~1\freespam\for great proc.exe []

2009-03-14 c:\windows\Tasks\A4CC52A49193CE28.job
- c:\progra~1\freespam\for great proc.exe []

2009-03-14 c:\windows\Tasks\A7760A3E918586A6.job
- c:\docume~1\robert~1\applic~1\freespam\for great proc.exe []

2009-03-14 c:\windows\Tasks\A8525EB49191DABC.job
- c:\docume~1\robert~1\applic~1\freespam\for great proc.exe []

2009-03-14 c:\windows\Tasks\AA1B7AF39190EF0B.job
- c:\docume~1\robert~1\applic~1\freespam\for great proc.exe []

2009-03-13 c:\windows\Tasks\Ad-Aware Update (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-03 20:55]

2009-03-14 c:\windows\Tasks\B29A705090FE1E04.job
- c:\docume~1\robert~1\applic~1\freespam\for great proc.exe []

2009-03-14 c:\windows\Tasks\B9F434A2935BDCE2.job
- c:\docume~1\robert~1\applic~1\freespam\for great proc.exe []

2008-06-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{7F61B912-EC15-6A4D-8457-25D4B1D2F5E7} - (no file)
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blackjava.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.blackjava.ca
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Add animation to IncrediMail Style Box
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: blackjava-coffee.com
Trusted Zone: critical-delivery.com
Trusted Zone: ryze.com
Trusted Zone: spurl.net
Trusted Zone: wordpress.org
Trusted Zone: www.blackjava-coffee
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\QuickTax 2008\ic2008pp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {45E9CD65-4B2B-4999-BBA5-FFE249CC219D} - hxxp://www.liveconferencepro.com/ghosts/conference.cab
FF - ProfilePath - c:\documents and settings\Robert Tyndall\Application Data\Mozilla\Firefox\Profiles\mwokfpmw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackjava-coffee.com/
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://hubpages.com/
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 08:15:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\lxczcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
c:\windows\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2009-03-14 8:24:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 15:23:57

Pre-Run: 60,016,984,064 bytes free
Post-Run: 59,916,509,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

309 --- E O F --- 2009-03-13 23:20:08

[Billy O'Neal]

Hello, blackjava
We need to re-run ComboFix with some additonal directives.

1. Please disable any running anti-virus programs.

   If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html

2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
4. Open notepad and copy/paste the text in the quotebox below into it:
   
   Code:

   folder::
   c:\docume~1\robert~1\applic~1\freespam
   file::
   c:\documents and settings\All Users\Application Data\ezsid.dat
   c:\documents and settings\All Users\Application Data\13.sys
   c:\documents and settings\Robert Tyndall\Application Data\mpauth.dat
   c:\windows\Tasks\A4BF043E9184BA1A.job
   c:\windows\Tasks\A4CC52A49193CE28.job
   c:\windows\Tasks\A7760A3E918586A6.job
   c:\windows\Tasks\A8525EB49191DABC.job
   c:\windows\Tasks\AA1B7AF39190EF0B.job
   c:\windows\Tasks\B29A705090FE1E04.job
   c:\windows\Tasks\B9F434A2935BDCE2.job
   c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
   DDS::
   Trusted Zone: ryze.com
   Trusted Zone: spurl.net

5. Save this as CFScript.txt, in the same location as ComboFix.exe
6. 
   Refering to the picture above, drag CFScript into ComboFix.exe
7. When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:

• ComboFix.txt

Billy3

[blackjava]

ComboFix 09-03-13.02 - Robert Tyndall 2009-03-14 1819.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.801 [GMT -7:00]
Running from: c:\documents and settings\Robert Tyndall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert Tyndall\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\13.sys
c:\documents and settings\All Users\Application Data\ezsid.dat
c:\documents and settings\Robert Tyndall\Application Data\mpauth.dat
c:\windows\Tasks\A4BF043E9184BA1A.job
c:\windows\Tasks\A4CC52A49193CE28.job
c:\windows\Tasks\A7760A3E918586A6.job
c:\windows\Tasks\A8525EB49191DABC.job
c:\windows\Tasks\AA1B7AF39190EF0B.job
c:\windows\Tasks\B29A705090FE1E04.job
c:\windows\Tasks\B9F434A2935BDCE2.job
c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\13.sys
c:\documents and settings\All Users\Application Data\ezsid.dat
c:\documents and settings\Robert Tyndall\Application Data\mpauth.dat
c:\windows\Tasks\A4BF043E9184BA1A.job
c:\windows\Tasks\A4CC52A49193CE28.job
c:\windows\Tasks\A7760A3E918586A6.job
c:\windows\Tasks\A8525EB49191DABC.job
c:\windows\Tasks\AA1B7AF39190EF0B.job
c:\windows\Tasks\B29A705090FE1E04.job
c:\windows\Tasks\B9F434A2935BDCE2.job

.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-11 12:16 . 2009-03-11 12:17 1,374 --a------ c:\windows\imsins.BAK
2009-02-25 15:06 . 2005-02-04 10:00 696,320 --a------ c:\windows\SnapShow.exe
2009-02-25 15:06 . 2005-01-26 10:27 247,325 --a------ c:\windows\SYSTEM32\DRIVERS\Capt930b.sys
2009-02-25 15:06 . 2004-12-29 11:13 45,056 --a------ c:\windows\SYSTEM32\930ExV21.ax
2009-02-25 15:06 . 2004-11-05 15:38 24,966 --a------ c:\windows\SYSTEM32\DRIVERS\Camd930b.sys
2009-02-25 15:06 . 2005-03-01 11:02 15,340 --a------ c:\windows\930TwCfg.INI
2009-02-25 15:06 . 2005-02-23 17:33 8,714 --a------ c:\windows\930TwSrc.src
2009-02-25 08:37 . 2009-02-25 08:37 <DIR> d-------- c:\program files\Common Files\Skype
2009-02-18 11:23 . 2009-03-09 12:35 <DIR> d-------- c:\program files\QuickTax 2008
2009-02-15 21:37 . 2009-03-03 20:57 15,688 --a------ c:\windows\SYSTEM32\lsdelete.exe
2009-02-15 20:55 . 2009-03-03 20:56 64,160 --a------ c:\windows\SYSTEM32\DRIVERS\Lbd.sys
2009-02-15 20:48 . 2009-02-15 20:48 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 01:09 --------- d-----w c:\documents and settings\Robert Tyndall\Application Data\Skype
2009-03-14 19:52 6,030 ----a-w c:\documents and settings\Robert Tyndall\Application Data\wklnhst.dat
2009-03-10 19:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-10 19:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 19:17 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 19:17 --------- d-----w c:\program files\Spyware Doctor
2009-03-10 19:13 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-25 22:06 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-25 22:02 --------- d-----w c:\documents and settings\Robert Tyndall\Application Data\skypePM
2009-02-25 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-25 15:37 --------- d-----r c:\program files\Skype
2009-02-18 18:24 --------- d-----w c:\documents and settings\Robert Tyndall\Application Data\Intuit Canada
2009-02-18 18:22 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit Canada
2009-02-16 03:48 --------- d-----w c:\program files\Lavasoft
2009-02-09 15:19 --------- d-----w c:\program files\IncrediMail
2009-02-09 10:19 1,846,272 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 10:19 1,846,272 ----a-w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-01-30 19:31 --------- d-----w c:\program files\Winamp
2009-01-29 19:17 --------- d-----w c:\documents and settings\Robert Tyndall\Application Data\Winamp
2009-01-22 18:34 --------- d-----w c:\program files\Google
2009-01-17 04:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2009-01-15 19:25 --------- d-----w c:\program files\Web CEO
2009-01-15 16:17 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-15 16:16 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-15 16:16 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-15 16:16 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-15 16:16 10,520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll
2008-12-19 09:10 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-10-13 21:54 60,744 ----a-w c:\documents and settings\Robert Tyndall\g2mdlhlpx.exe
2008-08-06 23:46 95,952 ----a-w c:\documents and settings\Robert Tyndall\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-01-16 4519832]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-13 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-15 1601304]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-03 515416]
"STICAP"="c:\windows\Twain_32\USB2.0Camera\SnapTrap.exe" [2004-11-05 155648]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="c:\windows\System32\msiexec.exe" [2005-03-21 78848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-15 09:16 10520 c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxczcoms.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncrediMail_Install.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Nvu\\nvu.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [2008-10-25 12552]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2009-02-15 64160]
R1 AluriaFilter;AluriaFilter;c:\windows\SYSTEM32\DRIVERS\AlurFltr.sys [2005-04-29 45056]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-10-25 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-10-25 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-15 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-15 298264]
R3 SQTECH930B;USB 2.0 PC CAMERA;c:\windows\SYSTEM32\DRIVERS\Capt930b.sys [2009-02-25 247325]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
.
Contents of the 'Scheduled Tasks' folder

2009-03-13 c:\windows\Tasks\Ad-Aware Update (Daily).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-03 20:55]

2008-06-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blackjava.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.blackjava.ca
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Add animation to IncrediMail Style Box
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: blackjava-coffee.com
Trusted Zone: critical-delivery.com
Trusted Zone: wordpress.org
Trusted Zone: www.blackjava-coffee
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\QuickTax 2008\ic2008pp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {45E9CD65-4B2B-4999-BBA5-FFE249CC219D} - hxxp://www.liveconferencepro.com/ghosts/conference.cab
FF - ProfilePath - c:\documents and settings\Robert Tyndall\Application Data\Mozilla\Firefox\Profiles\mwokfpmw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackjava-coffee.com/
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://hubpages.com/
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 18:09:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-03-14 18:13:06
ComboFix-quarantined-files.txt 2009-03-15 01:12:00
ComboFix2.txt 2009-03-14 15:24:30

Pre-Run: 59,932,045,312 bytes free
Post-Run: 59,910,754,304 bytes free

214 --- E O F --- 2009-03-13 23:20:08

[Billy O'Neal]

Hello, blackjava
Much better :) How are things running?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
• Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
• Click the Download button to the right.
• Select your Platform: "Windows".
• Select your Language: "Multi-language".
• Read the License Agreement, and then check the box that says: "Accept License Agreement".
• Click Continue and the page will refresh.
• Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
• Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

I would like us to use ESET (NOD32)'s Online Scanner

1. Please go to ESET OnlineScan (NOD32)
2. You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
3. Now click Start
4. Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
5. Click Start
   • Note: (the Onlinescanner will now prepare itself for running on your pc)
6. To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
7. Press Scan
8. The Onlinescan will now start and scan your pc (this could take a while)
9. When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
10. Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
11. The Scanresults will now open in Notepad
12. Click into the text area, right-click and chose "select all" (or use <Control>+A)
13. Right-click again and chose "Copy" (or <Control>+C)
14. Close/Exit Notepad
15. Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.

Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:

• ESET OnlineScan's Log

Billy3

[blackjava]

Well, it only took 4 hours to get this:)

One thing I noticed this morning was that one of the redirects was done by google ads doublclick which apparently is from google tool bar. Might be time to dump it.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3937 (20090314)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=b67967ac1105bf47ab161aa1e1fc9d54
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-16 01:55:03
# local_time=2009-03-15 06:55:03 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=282753
# found=0
# scan_time=13146

[Billy O'Neal]

Hello, blackjava
Yep :) You appear to be clean at this point. We do have a few housekeeping chores left though...

You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista

1. Click the "Start Menu" (or Windows Orb)
2. Click "All Programs"
3. Click "Windows Update"
4. On the left, choose "Change Settings"
5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
6. Press OK and accept the UAC prompt.
   Note: You shouldn't need to check this checkbox every single time you update, only the first time.
7. Click "Check for Updates" in the upper left corner.
8. Follow the instructions to install the latest updates.
9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install

Billy3

[blackjava]

Hi Billy

Thanks for your help. Generally my computer is set to automatically update. I will check and see if I am missing any XP updates. Hopefully I won't have any more redirects. As I said earlier, it could be google that is doing this. If I see any more googlead doubleclick their toolbar is history. ( don't really need it any way )

Take care

[Billy O'Neal]

You don't have Windows XP SP3 installed. That's the main update I'm concerned about at this point.

Billy3

[blackjava]

Hi Billy

I have the latest updates and I've set my computer to auto update so I should be fine now. Don't know yet if I have any redirect problems.

Thanks again for your help

[Billy O'Neal]

Hello, blackjava
Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix

1. Please go to Start -> Run
2. Enter "ComboFix /u" (without quotes). Note the space betwen "ComboFix" and "/u", it needs to be there.
   
3. Press OK (Or hit enter).
4. Allow ComboFix to remove itself.

We Need to Clean Up Our Mess

1. Please download OTCleanIt from one of the following mirrors and save it to your desktop:
   • Mirror 1
   • Mirror A
2. Double click the icon.
3. Push the large "Cleanup" button.
4. Allow your system to reboot.

Recommendations
Below are some recommendations to lower your chances of (re)infection.

1. Install Spyware Blaster and update it regularly
   If you wish, the commercial version provides automatic updating.
2. Install the MVPs hosts file, and update it regularly
   You can use the HostMan host file manager to do this automaticly if you wish.
   For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
3. Install an Anti-Spyware program, and update it regularly
   Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
   SUPERAntiSpyware is another good scanner with high detection and removal rates.
   Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
4. Keep Windows (and your other Microsoft software) up to date!
   I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
   
   If you are using Windows XP or earlier
   Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
   
   If you are using Windows Vista
   1. Click the "Start Menu" (or Windows Orb)
   2. Click "All Programs"
   3. Click "Windows Update"
   4. On the left, choose "Change Settings"
   5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
   6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
   7. Click "Check for Updates" in the upper left corner.
   8. Follow the instructions to install the latest updates.
   9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
5. Keep your other software up to date as well
   Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
6. Stay up to date!
   The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Billy3

[blackjava]

Hi Billy

I think we're good to go. I'm going to try Malware Byte's anti spyware. I already use SuperAntiSpyware.

When I tried to remove the ComboFix /u it wasn't found.
Thanks

Bob

[Billy O'Neal]

Did you already delete the icon from your desktop? To run /u, CF needs to be in the same location it was first run.

Billy3

[blackjava]

Actually I did. I also did a search and deleted all reference to it.
Would there be anything left on the hard drive?

Bob

[Billy O'Neal]

Hello, blackjava

Quote:

Would there be anything left on the hard drive?

Yes... but OTCleanIt should get the majority of the leftovers. On the other hand, if you use OTCI to remove CF, you should manually reset system restore, using these instructions:

Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.

1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

Billy3

[blackjava]

Well, unfortunatly, after all the work done, nothing has changed. I am still getting redirects. I have scanned my computer with a multitude of ant-spyware programs. Nothing seems to know what it is.

I find it hard to believe that there is no one out there who doesn't know what company or program is the cause of this redirect.

Why is it so hard to figure this out?