Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Post #1, 07-01-2009, 02:37 PM, highergroove (Registered User, OS: Win xp)

Need help with virus redirecting google

Hi, I am having a problem where I type in text to search google and it pulls up all the hits, but then, when I try to click on any of the hits, it changes the address bar to: www.tourantolayer.com and various text after that (using versions of search text) and redirects the site either back to google.com or it will be a blank page that has "Jumping" as the name of the tab. This also happened when I clicked a link in an email.

Here is the DDS info:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 12:00:43.04 on Wed 07/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.385 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k sys
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\SoftDisc\softdisc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\DealioToolbarIE.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\DealioToolbarIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [SoftDisc] "c:\program files\softdisc\softdisc.exe" -hide
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\tinywa~1.lnk - c:\program files\watcher\Watcher.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\mky5k4q2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/#inbox
FF - component: c:\program files\mozilla firefox\extensions\{01398b87-61af-4ffb-9ab5-1a1c5fb39a9c}\components\DealioToolbarFF.dll
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.11
============= SERVICES / DRIVERS ===============

R1 sysdrv;sysdrv;c:\program files\sys\sys.sys [2009-6-30 9344]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169632]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-12-9 13088]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-2-4 126976]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-2-4 122368]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-18 1119888]
R2 sys;sys;c:\windows\system32\svchost.exe -k sys [2004-8-26 14336]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-2-4 200576]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-2-4 245760]

=============== Created Last 30 ================

2009-07-01 08:08 <DIR> --d----- c:\program files\Trend Micro
2009-06-30 12:28 304,896 a------- c:\windows\sysguard.exe
2009-06-30 12:27 <DIR> --d----- c:\program files\sys
2009-06-30 12:27 2 a------- c:\windows\010112010146118114.dat
2009-06-30 12:27 28,160 ----h--- c:\windows\ld11.exe

==================== Find3M ====================

2009-05-13 09:25 364,544 a------- c:\windows\system32\WDBtnMgr.exe
2009-05-07 11:19 21,192 a------- c:\windows\system32\dopdfmn6.dll
2009-05-07 11:19 18,632 a------- c:\windows\system32\dopdfmi6.dll
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-28 21:31 668,160 a------- c:\windows\system32\wininet.dll
2009-04-28 21:31 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 08:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-03-16 14:18 52,736 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2006-07-31 08:35 738 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2006-02-23 21:05 2,000,324 a------- c:\program files\cdex_151.exe
Attached files: ark.zip (1.0 KB), Attach.zip (3.7 KB)
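A way to triage a DDS log like the one above mechanically, as an added example that is not part of the original post or of the DDS tool: it parses the SERVICES / DRIVERS and Created Last 30 sections and flags the same entries an analyst would single out here (a kernel driver loading from Program Files one day before the report, an svchost group named "sys" that no stock XP install registers, and executables dropped loose in %windir%, one of them hidden). The service and file lines are copied from the log in the post; the list of stock svchost groups and the 7-day "recently written" window are the example's own assumptions.

```python
import re
from datetime import date

# Report date from the DDS header above ("Wed 07/01/2009").
REPORT_DATE = date(2009, 7, 1)

# Lines copied from the "SERVICES / DRIVERS" section of the DDS log above.
# Format: <R|S><start type> <name>;<display name>;<image path> [<yyyy-m-d> <size>]
SERVICE_LINES = r"""
R1 sysdrv;sysdrv;c:\program files\sys\sys.sys [2009-6-30 9344]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 192160]
R2 sys;sys;c:\windows\system32\svchost.exe -k sys [2004-8-26 14336]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-2-4 200576]
""".strip().splitlines()

# Lines copied from the "Created Last 30" section of the same log.
CREATED_LINES = r"""
2009-07-01 08:08 <DIR> --d----- c:\program files\Trend Micro
2009-06-30 12:28 304,896 a------- c:\windows\sysguard.exe
2009-06-30 12:27 2 a------- c:\windows\010112010146118114.dat
2009-06-30 12:27 28,160 ----h--- c:\windows\ld11.exe
""".strip().splitlines()

# Assumption: the service groups a stock XP SP2 install registers under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. Any other
# name passed to "svchost.exe -k" was added by something else.
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice",
                        "localservice", "imgsvc", "httpfilter", "termsvcs"}
RECENT_DAYS = 7  # assumption: "written this close to the report" is worth a look

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<y>\d{4})-(?P<m>\d{1,2})-(?P<d>\d{1,2})\s+(?P<size>\d+)\]$")
SVCHOST_RE = re.compile(r"svchost(?:\.exe)?\s+-k\s+(\S+)", re.IGNORECASE)
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")


def parse_service(line):
    """Split one DDS service/driver line into its fields, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return {"state": m["state"], "start": int(m["start"]), "name": m["name"],
            "display": m["display"], "image": m["image"].lower(),
            "written": date(int(m["y"]), int(m["m"]), int(m["d"])),
            "size": int(m["size"])}


def triage_service(svc, report_date=REPORT_DATE):
    """Return the reasons this service/driver entry deserves a second look."""
    reasons = []
    image = svc["image"]
    # Kernel drivers normally live under %windir%\system32 (usually \drivers);
    # one loading from Program Files is unusual.
    if image.endswith(".sys") and "\\windows\\system32\\" not in image:
        reasons.append("kernel driver outside system32")
    m = SVCHOST_RE.search(image)
    if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
        reasons.append("svchost group %r is not a stock group" % m.group(1))
    if (report_date - svc["written"]).days <= RECENT_DAYS:
        reasons.append("binary written within %d days of the report" % RECENT_DAYS)
    return reasons


def triage_created(line):
    """Return (lower-cased path, reasons) for one Created Last 30 line, or None."""
    m = CREATED_RE.match(line.strip())
    if not m:
        return None
    path = m["path"].lower()
    reasons = []
    if m["size"] != "<DIR>":
        parent = path.rpartition("\\")[0]
        # Installers create subfolders; loose files dropped straight into
        # %windir% are a classic rogue-software pattern.
        if parent == r"c:\windows":
            reasons.append("file dropped directly in %windir%")
        if "h" in m["attrs"]:
            reasons.append("hidden attribute set")
    return path, reasons


def triage(service_lines=SERVICE_LINES, created_lines=CREATED_LINES, report_date=REPORT_DATE):
    """Map each suspicious service name or file path to its list of reasons."""
    findings = {}
    for line in service_lines:
        svc = parse_service(line)
        if svc:
            reasons = triage_service(svc, report_date)
            if reasons:
                findings[svc["name"]] = reasons
    for line in created_lines:
        parsed = triage_created(line)
        if parsed and parsed[1]:
            findings[parsed[0]] = parsed[1]
    return findings


if __name__ == "__main__":
    for item, reasons in triage().items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```

Run against the excerpt, the output names exactly the four artefacts ComboFix later deleted (sys.sys, the "sys" svchost service, sysguard.exe, ld11.exe) plus the two-byte .dat dropped beside them, and nothing from Symantec, the modem driver or the Trend Micro folder.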

Post #2, 07-01-2009, 03:54 PM, highergroove (Registered User, OS: Win xp)

Re: Need help with virus redirecting google

I am using Mozilla but it also does this with Firefox...also, should I have started a thread or post?
Post #3, 07-02-2009, 07:51 AM, ndmmxiaomayi (Analyst, Security Team)

Re: Need help with virus redirecting google

Hi highergroove,

Welcome to Tech Support Forum.

I noticed that you have Symantec and McAfee installed. Have you paid for both programs?

Please visit this page to download and run Combofix - http://www.bleepingcomputer.com/comb...o-use-combofix

Save it to your desktop.
  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will see the following message if Microsoft Windows Recovery Console is not installed.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.
Post #4, 07-02-2009, 11:17 AM, highergroove (Registered User, OS: Win xp)

Re: Need help with virus redirecting google

Hi, thanks for helping me. I did have Norton and McAfee but did not renew (I know, probably what got me into this mess in the first place!) but I do have Spybot and Tiny Watcher thanks to a computer friend of mine.

So, I downloaded ComboFix and the Recovery Console and ran it, but before a log was produced, it started shutting down my computer to reboot (maybe the log comes up after reboot?). However, it never fully rebooted. It is stuck halfway through (the bar at the bottom) and it was almost an hour, and I figured that it was permanently stuck. So, I manually shut it down (held the power button) and then rebooted again, but same problem, it is stuck.

Where do I go from here? I can press F2 (utilities), but have no idea what to do from there.
Post #5, 07-02-2009, 01:20 PM, highergroove (Registered User, OS: Win xp)

Re: Need help with virus redirecting google

OK, after several hours and rebooting a 4th time, it rebooted.

Here is the text from the log:

ComboFix 09-07-01.04 - Owner 07/02/2009 8:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.380 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\sys
c:\program files\sys\sys.dll
c:\program files\sys\sys.sys
c:\windows\010112010146118114.dat
c:\windows\Installer\1324b.msi
c:\windows\Installer\26ea46.msi
c:\windows\ld11.exe
c:\windows\sysguard.exe
c:\windows\system32\wbem\proquota.exe
D:\Autorun.inf
D:\Desktop.ini

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP722\A0372640.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYS
-------\Legacy_SYSDRV
-------\Service_sys
-------\Service_sysdrv


((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-02 15:50 . 2004-08-04 19:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-02 15:50 . 2004-08-04 19:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-01 15:08 . 2009-07-01 15:08 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 19:10 . 2008-11-15 23:44 -------- d-----w- c:\program files\DNA
2009-07-02 19:10 . 2008-11-15 23:44 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-07-01 01:07 . 2008-03-02 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 15:30 . 2006-02-04 14:07 -------- d-----w- c:\program files\Google
2009-06-09 19:02 . 2008-01-04 00:28 256 ----a-w- c:\windows\system32\pool.bin
2009-06-03 01:49 . 2008-01-04 23:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Roxio
2009-05-18 04:43 . 2006-03-31 01:26 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-05-13 18:09 . 2009-05-13 18:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Search Settings
2009-05-13 18:09 . 2009-05-13 18:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Dealio
2009-05-13 17:23 . 2009-05-13 17:23 -------- d-----w- c:\program files\Search Settings
2009-05-13 17:23 . 2009-05-13 17:23 -------- d-----w- c:\program files\Dealio Toolbar
2009-05-13 17:22 . 2009-05-13 17:20 -------- d-----w- c:\program files\Free Audio Pack
2009-05-13 16:45 . 2009-05-13 16:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland
2009-05-13 16:40 . 2009-05-13 16:40 -------- d-----w- c:\program files\Softland
2009-05-13 16:26 . 2009-05-13 16:26 8854 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2009-05-13 16:26 . 2009-05-13 16:26 40960 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2009-05-13 16:26 . 2009-05-13 16:26 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2009-05-13 16:26 . 2009-05-13 16:26 -------- d-----w- c:\program files\Western Digital Technologies
2009-05-13 16:25 . 2009-05-13 16:25 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}\ARPPRODUCTICON.exe
2009-05-13 16:25 . 2009-05-13 16:25 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
2009-05-13 01:41 . 2009-05-13 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-05-13 01:41 . 2009-05-13 01:41 -------- d-----w- c:\documents and settings\Owner\Application Data\AVS4YOU
2009-05-13 01:41 . 2009-05-13 01:40 -------- d-----w- c:\program files\AVS4YOU
2009-05-13 01:40 . 2009-05-13 01:40 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-07 19:14 . 2009-05-07 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-07 19:14 . 2007-03-28 02:55 -------- d-----w- c:\program files\iTunes
2009-05-07 19:14 . 2007-03-28 02:51 -------- d-----w- c:\program files\iPod
2009-05-07 19:12 . 2009-05-07 19:12 -------- d-----w- c:\program files\Bonjour
2009-05-07 19:11 . 2007-03-28 02:56 -------- d-----w- c:\program files\QuickTime
2009-05-07 19:09 . 2009-01-21 07:40 -------- d-----w- c:\program files\Common Files\Apple
2009-05-07 18:19 . 2009-05-13 16:40 21192 ----a-w- c:\windows\system32\dopdfmn6.dll
2009-05-07 18:19 . 2009-05-13 16:40 18632 ----a-w- c:\windows\system32\dopdfmi6.dll
2009-05-07 15:44 . 2004-08-26 16:11 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2004-08-26 16:12 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-26 16:12 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-26 16:12 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-02-24 04:05 . 2006-02-24 03:50 2000324 ----a-w- c:\program files\cdex_151.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}]
2009-04-10 03:09 688128 ----a-w- c:\program files\Dealio Toolbar\DealioToolbarIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2004-06-25 147456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-13 700416]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-03 1957888]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-21 180269]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-23 53408]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-08 589824]
"SoftDisc"="c:\program files\SoftDisc\softdisc.exe" [2004-09-02 388608]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [2009-04-10 970240]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-05-13 364544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Tiny Watcher Logon Time.lnk - c:\program files\Watcher\Watcher.exe [2006-11-19 319488]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8085:TCP"= 8085:TCP:sys

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 12:37 PM 13088]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2/4/2006 7:00 AM 200576]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\mky5k4q2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/#inbox
FF - component: c:\program files\Mozilla Firefox\extensions\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\components\DealioToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.11.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 12:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3762452672-1173523542-119495997-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3600)
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\WLTRAY.EXE
c:\windows\system32\wdfmgr.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-02 12:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-02 19:15

Pre-Run: 15,273,431,040 bytes free
Post-Run: 15,214,669,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

227 --- E O F --- 2009-06-10 03:05
Old 07-02-2009, 01:23 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: Win xp


Re: Need help with virus redirecting google

And it appears that the virus may be gone too as I can now access hits on google searches. Is there anything you see that might indicate trouble (virus still may be lurking?)
Old 07-03-2009, 08:06 AM   #7 (permalink)
Analyst, Security Team
 
ndmmxiaomayi's Avatar
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: Need help with virus redirecting google

Hi highergroove,

Everything looks much better now. There isn't much lurking now, but you have some programs installed which have questionable practices.

Please uninstall these programs:

Dealio Toolbar v4.0
Search Settings 1.2.1


After uninstalling these programs, please disable Spybot Teatimer temporarily.
  1. Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
  5. On the left hand side, click on Tools.
  6. Check (tick) this box if it is not yet ticked: Resident.
  7. You will notice that Resident is now added under Tools. Click on Resident.
  8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  9. Exit Spybot Search & Destroy.
  10. Restart your computer for the changes to take effect.

Next, please open Notepad and copy and paste the following in the Code box into Notepad:

Code:
Folder::
c:\documents and settings\Owner\Application Data\Dealio
c:\documents and settings\Owner\Application Data\Search Settings
c:\program files\Search Settings
c:\program files\Dealio Toolbar

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchSettings"=-

DeQuarantine::
C:\Qoobox\Quarantine\D\Desktop.ini.vir

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.



Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.
__________________




Done your best? Really?
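A small parser and sanity checker for the CFScript format used in the post above, added here as an example; it is not ComboFix's own code, it only knows the three directives the post uses, and its protected-root denylist is an assumption of the example rather than a ComboFix rule:

```python
"""Parser and sanity checker for a ComboFix CFScript like the one in the post
above. Added example, not ComboFix's own code: it understands only the three
directives the post uses (Folder::, Registry::, DeQuarantine::) and reports
any other directive as unknown rather than guessing at its meaning."""
import re

KNOWN_DIRECTIVES = {"Folder", "Registry", "DeQuarantine"}
# Folders no cleanup script should remove wholesale: a conservative denylist
# chosen for this example, not a rule ComboFix itself enforces.
PROTECTED_ROOTS = {"c:", "c:\\windows", "c:\\windows\\system32",
                   "c:\\program files", "c:\\documents and settings"}
QUARANTINE_ROOT = "c:\\qoobox\\quarantine\\"

KEY_LINE = re.compile(r"^\[(-?)(HK[^\]]+)\]$")   # [KEY] selects, [-KEY] deletes
VALUE_DELETE = re.compile(r'^"([^"]+)"=-$')      # "name"=- deletes a value

# The script from the post, embedded so the example runs offline.
SAMPLE_SCRIPT = r"""
Folder::
c:\documents and settings\Owner\Application Data\Dealio
c:\documents and settings\Owner\Application Data\Search Settings
c:\program files\Search Settings
c:\program files\Dealio Toolbar

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchSettings"=-

DeQuarantine::
C:\Qoobox\Quarantine\D\Desktop.ini.vir
"""


def parse_cfscript(text):
    """Split a CFScript into directives and collect sanity-check errors.

    Returns folders to delete, registry actions as (action, key, value_name)
    tuples, files to restore from quarantine, unknown directive names and a
    list of human-readable errors."""
    out = {"folders": [], "registry": [], "dequarantine": [],
           "unknown": [], "errors": []}
    section = current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                  # directive header
            section, current_key = line[:-2], None
            if section not in KNOWN_DIRECTIVES:
                out["unknown"].append(section)
        elif section == "Folder":
            out["folders"].append(line)
            lowered = line.lower().rstrip("\\")
            if not re.match(r"^[a-z]:(\\|$)", lowered):
                out["errors"].append(f"line {lineno}: folder path is not absolute: {line}")
            elif lowered in PROTECTED_ROOTS:
                out["errors"].append(f"line {lineno}: refusing to delete protected root: {line}")
        elif section == "Registry":
            if m := KEY_LINE.match(line):
                current_key = m.group(2)
                action = "delete_key" if m.group(1) else "select_key"
                out["registry"].append((action, current_key, None))
            elif (m := VALUE_DELETE.match(line)) and current_key:
                out["registry"].append(("delete_value", current_key, m.group(1)))
            else:
                out["errors"].append(f"line {lineno}: unrecognised registry line: {line}")
        elif section == "DeQuarantine":
            out["dequarantine"].append(line)
            if not line.lower().startswith(QUARANTINE_ROOT):
                out["errors"].append(f"line {lineno}: not under ComboFix quarantine: {line}")
        elif section is None:
            out["errors"].append(f"line {lineno}: text before any directive: {line}")
    return out


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for action in parsed["registry"]:
        print(action)
    print("errors:", parsed["errors"] or "none")
```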
Old 07-03-2009, 11:35 AM   #8 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: Win xp


Re: Need help with virus redirecting google

Done!

ComboFix 09-07-01.04 - Owner 07/03/2009 10:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.456 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-02 15:50 . 2004-08-04 19:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-02 15:50 . 2004-08-04 19:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-01 15:08 . 2009-07-01 15:08 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 17:25 . 2008-11-15 23:44 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-07-03 17:05 . 2008-11-15 23:44 -------- d-----w- c:\program files\DNA
2009-07-01 01:07 . 2008-03-02 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 15:30 . 2006-02-04 14:07 -------- d-----w- c:\program files\Google
2009-06-09 19:02 . 2008-01-04 00:28 256 ----a-w- c:\windows\system32\pool.bin
2009-06-03 01:49 . 2008-01-04 23:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Roxio
2009-05-18 04:43 . 2006-03-31 01:26 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-05-13 17:22 . 2009-05-13 17:20 -------- d-----w- c:\program files\Free Audio Pack
2009-05-13 16:45 . 2009-05-13 16:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland
2009-05-13 16:40 . 2009-05-13 16:40 -------- d-----w- c:\program files\Softland
2009-05-13 16:26 . 2009-05-13 16:26 8854 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2009-05-13 16:26 . 2009-05-13 16:26 40960 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2009-05-13 16:26 . 2009-05-13 16:26 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2009-05-13 16:26 . 2009-05-13 16:26 -------- d-----w- c:\program files\Western Digital Technologies
2009-05-13 16:25 . 2009-05-13 16:25 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}\ARPPRODUCTICON.exe
2009-05-13 16:25 . 2009-05-13 16:25 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
2009-05-13 01:41 . 2009-05-13 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-05-13 01:41 . 2009-05-13 01:41 -------- d-----w- c:\documents and settings\Owner\Application Data\AVS4YOU
2009-05-13 01:41 . 2009-05-13 01:40 -------- d-----w- c:\program files\AVS4YOU
2009-05-13 01:40 . 2009-05-13 01:40 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-07 19:14 . 2009-05-07 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-07 19:14 . 2007-03-28 02:55 -------- d-----w- c:\program files\iTunes
2009-05-07 19:14 . 2007-03-28 02:51 -------- d-----w- c:\program files\iPod
2009-05-07 19:12 . 2009-05-07 19:12 -------- d-----w- c:\program files\Bonjour
2009-05-07 19:11 . 2007-03-28 02:56 -------- d-----w- c:\program files\QuickTime
2009-05-07 19:09 . 2009-01-21 07:40 -------- d-----w- c:\program files\Common Files\Apple
2009-05-07 18:19 . 2009-05-13 16:40 21192 ----a-w- c:\windows\system32\dopdfmn6.dll
2009-05-07 18:19 . 2009-05-13 16:40 18632 ----a-w- c:\windows\system32\dopdfmi6.dll
2009-05-07 15:44 . 2004-08-26 16:11 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2004-08-26 16:12 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-26 16:12 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-26 16:12 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-02-24 04:05 . 2006-02-24 03:50 2000324 ----a-w- c:\program files\cdex_151.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2004-06-25 147456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-13 700416]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-03 1957888]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-23 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-21 180269]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-23 53408]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-08 589824]
"SoftDisc"="c:\program files\SoftDisc\softdisc.exe" [2004-09-02 388608]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-05-13 364544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Tiny Watcher Logon Time.lnk - c:\program files\Watcher\Watcher.exe [2006-11-19 319488]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8085:TCP"= 8085:TCP:sys

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 12:37 PM 13088]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2/4/2006 7:00 AM 200576]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\mky5k4q2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/#inbox
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.11.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 10:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3762452672-1173523542-119495997-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(628)
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Completion time: 2009-07-03 10:33
ComboFix-quarantined-files.txt 2009-07-03 17:32
ComboFix2.txt 2009-07-02 19:15

Pre-Run: 15,359,877,120 bytes free
Post-Run: 15,344,025,600 bytes free

163 --- E O F --- 2009-06-10 03:05
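A triage pass over the Reg Loading Points, firewall-policy and Trusted Zone lines of the log above, added here as an example that is not part of ComboFix; the sample lines are copied from the post, and the rules are this example's choice of what a reviewer checks first:

```python
"""Triage pass over the ComboFix log sections in the post above (Reg Loading
Points, Windows Firewall policy, Supplementary Scan). Added example, not part
of ComboFix; SAMPLE_LOG holds lines copied from the post, trimmed to the ones
the rules look at."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category subject note")

# Security Center values whose non-zero setting silences or overrides the
# antivirus / firewall / update warnings a user would otherwise see.
SECURITY_CENTER_FLAGS = {"AntiVirusDisableNotify", "AntiVirusOverride",
                         "FirewallDisableNotify", "FirewallOverride",
                         "UpdatesDisableNotify"}

KEY_LINE = re.compile(r"^\[(.+)\]$")
# "name"="value" [date size]   or   "name"="file" - resolved path [date size]
RUN_LINE = re.compile(r'^"([^"]+)"="([^"]*)"(?: - (.*?))?\s*\[([^\]]*)\]$')
DWORD_LINE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
PORT_LINE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*(.*)$')
ZONE_LINE = re.compile(r"^Trusted Zone: (.+)$")

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-08 589824]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-05-13 364544]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8085:TCP"= 8085:TCP:sys

Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
"""


def triage(log_text):
    """Walk the log and return the entries a reviewer should look at first."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ZONE_LINE.match(line):
            # Sites in IE's Trusted Zone run with relaxed security settings.
            findings.append(Finding("trusted_zone", m.group(1), ""))
        elif m := KEY_LINE.match(line):
            key = m.group(1).lower()           # registry key for the lines below
        elif key.endswith(("\\run", "\\runonce")):
            m = RUN_LINE.match(line)
            if m and m.group(4) == "X":
                # ComboFix prints [X] where it could not find the autostart
                # target on disk: a dangling entry worth a closer look.
                findings.append(Finding("missing_file", m.group(1), m.group(2)))
        elif key.endswith("\\security center"):
            m = DWORD_LINE.match(line)
            if m and m.group(1) in SECURITY_CENTER_FLAGS and int(m.group(2), 16):
                findings.append(Finding("security_center", m.group(1),
                                        "Security Center warning suppressed"))
        elif key.endswith("\\globallyopenports\\list"):
            if m := PORT_LINE.match(line):
                findings.append(Finding("open_port", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:16} {f.subject:30} {f.note}")
```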
Old 07-03-2009, 11:44 AM   #9 (permalink)
Analyst, Security Team
 
ndmmxiaomayi's Avatar
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: Need help with virus redirecting google

Hi highergroove,

Update Java Runtime Environment (JRE)

Your JRE is out of date. The current version is Java Runtime Environment (JRE) 6 Update 14.
  1. Click on Start > Control Panel and double click on Add/Remove Programs. Locate J2SE Runtime Environment 5.0 Update 2 and click on Change/Remove to uninstall it.
  2. Click here to visit Java's website.
  3. Scroll down to JRE 6 Update 14 and click on Download.
  4. Select Windows from the drop-down list for Platform.
  5. Select Multi-language from the drop-down list for Language.
  6. Check (tick) I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement box and click on Continue.
  7. Click on jre-6u14-windows-i586.exe link to download it and save this to a convenient location.
  8. Run this installation to update your Java.

Run an online scan

Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases


  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Old 07-04-2009, 07:56 PM   #10 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: Win xp


Re: Need help with virus redirecting google

here is the log attached
Attached Files
File Type: txt kaspersky.TXT (2.5 KB, 1 views)
Old 07-05-2009, 03:55 AM   #11 (permalink)
Analyst, Security Team
 
ndmmxiaomayi's Avatar
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: Need help with virus redirecting google

Hi highergroove,

Please follow this site to clear Java cache - http://java.com/en/download/help/5000020300.xml

Any other issues?
Old 07-06-2009, 04:00 PM   #12 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: Win xp


Re: Need help with virus redirecting google

No, thank you so much for all of your help! I am unemployed and buying a new computer would have really hit me hard! Thanks again!
Old 07-07-2009, 09:04 AM   #13 (permalink)
Analyst, Security Team
 
ndmmxiaomayi's Avatar
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: Need help with virus redirecting google

Glad to hear that!

We no longer require Combofix. Please uninstall it.

Remove Combofix

Click on Start > Run. Copy and paste in ComboFix /u and click OK. An image is below for reference.



Quote:
I did have Norton and McAfee but did not renew (I know, probably what got me into this mess in the first place!) but I do have spybot and Tiny Watcher thanks to a computer friend of mine.
Both Spybot and Tiny Watcher are good protection programs, but they protect your computer against different threats.

You will still require an antivirus program. But before installing an antivirus program, you will need to remove both Norton and McAfee.

Here are two free and good antivirus programs. Please only install ONE on your computer.

AntiVir Free Edition
RISING FREE Antivirus

Here are some prevention tips.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

Besides Windows, which needs regular updating, antivirus, anti-spyware and firewall programs need regular updates too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.
  1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  2. Never open emails from unknown senders.
  3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Surf safely

Many of the exploits are directed at users of Internet Explorer and Firefox.

Using Firefox with the NoScript add-on helps to prevent most exploits from running, as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, please refer to this website to learn how to secure Internet Explorer 6.

Stop malicious scripts

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection
  1. Spyware Blaster
    SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by blocking known offending ActiveX programs from running at all.

    You can download SpywareBlaster from Javacool.

    If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.

  2. SpywareGuard
    Just as an antivirus program scans a file for viruses before opening it, SpywareGuard does the same thing, except that it scans it for spyware.

    You can download SpywareGuard from Javacool.

    If you need help in using SpywareGuard, you can read SpywareGuard's tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check Malwarebytes MalwareNET and Bleeping Computer. This will save you from a lot of trouble. If in doubt, don't ever download it.

Here are some more things to read about:

Greater email safety
Phishing - what is it?
 


Copyright 2001 - 2009, Tech Support Forum