Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 07-08-2009, 01:49 AM - atb0826, Registered User (Join Date: Jul 2009; Posts: 7; OS: win xp)

Browser Hijacked with redirects

For the past couple of days both of my browsers, Firefox 3.5 and Internet Explorer 8, have been constantly redirected whenever I click on search links from Google or just links from websites which I know are safe. The only way I can get around this is if I right-click, choose "Copy Link Location", and then paste into the address bar. The DDS log follows.



DDS (Ver_09-06-26.01) - NTFSx86
Run by Anthony at 2:29:14.76 on Wed 07/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2957 [GMT -5:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\GIGABYTE\GEST\GSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ESET\nod32kui.exe
C:\Documents and Settings\Anthony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GEST] c:\program files\gigabyte\gest\RUN.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245485468453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\temp\9989059365mxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-6-20 15424]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-30 353672]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-6-20 549256]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 GEST Service;GEST Service for program management.;c:\program files\gigabyte\gest\GSvr.exe [2009-6-20 47624]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-6-20 33792]
S3 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]

=============== Created Last 30 ================

2009-07-07 05:11 <DIR> --d----- c:\docume~1\anthony\applic~1\Malwarebytes
2009-07-07 05:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-07 05:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-07 04:55 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-07-07 04:43 <DIR> --d----- c:\program files\CleanUp!
2009-07-07 04:20 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-07 04:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-05 19:53 <DIR> --d----- c:\program files\common files\Diskeeper Corporation
2009-07-05 19:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2009-07-05 19:53 <DIR> --d----- c:\program files\Diskeeper Corporation
2009-07-02 00:47 <DIR> --d----- c:\program files\avi.NET
2009-07-01 20:47 <DIR> --d----- c:\program files\MSXML 4.0
2009-07-01 04:46 <DIR> --d----- c:\docume~1\anthony\applic~1\Zoner
2009-07-01 04:45 <DIR> --d----- c:\program files\Zoner
2009-07-01 03:35 <DIR> --d----- c:\docume~1\anthony\applic~1\NewSoft
2009-06-30 13:04 <DIR> --d----- c:\program files\common files\NewSoft
2009-06-30 13:03 <DIR> --d----- c:\program files\common files\PDFView
2009-06-30 13:03 <DIR> --d----- c:\program files\NewSoft
2009-06-30 13:02 <DIR> --d----- c:\program files\common files\ScanSoft Shared
2009-06-30 13:02 <DIR> --d----- c:\program files\ScanSoft
2009-06-30 13:01 <DIR> --d----- c:\program files\common files\CANON
2009-06-30 12:56 <DIR> --d----- c:\program files\Canon
2009-06-30 11:45 <DIR> --d----- c:\program files\Zone Labs
2009-06-29 14:28 <DIR> --d----- c:\docume~1\anthony\applic~1\MakeitOne
2009-06-29 14:27 <DIR> --d----- c:\program files\MakeitOne
2009-06-27 22:53 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-06-27 04:54 <DIR> --d----- c:\docume~1\anthony\applic~1\dBpoweramp
2009-06-27 02:25 <DIR> --d----- c:\docume~1\anthony\applic~1\AccurateRip
2009-06-27 02:25 <DIR> --d----- c:\program files\Illustrate
2009-06-26 19:44 <DIR> --d----- c:\program files\Veetle
2009-06-23 00:44 <DIR> --d----- c:\program files\PS3 Media Server
2009-06-22 15:57 <DIR> --d----- c:\program files\LibUSB-Win32-0.1.10.1
2009-06-21 05:16 <DIR> --d----- c:\docume~1\anthony\applic~1\Xbins
2009-06-21 04:21 <DIR> --d----- c:\program files\SI Calendar 2009
2009-06-21 04:18 <DIR> --d----- c:\program files\Red Kawa
2009-06-21 04:17 <DIR> --d----- c:\program files\QuickPar
2009-06-21 04:03 <DIR> --d----- c:\program files\Audio Phonics, Inc
2009-06-21 04:02 <DIR> --d----- c:\documents and settings\anthony\WINDOWS
2009-06-21 02:30 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-06-21 01:24 <DIR> --d----- c:\program files\iPod
2009-06-21 01:24 <DIR> --d----- c:\program files\iTunes
2009-06-21 01:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-21 01:24 <DIR> --d----- c:\program files\Bonjour
2009-06-21 00:56 <DIR> --d----- c:\program files\VideoLAN
2009-06-21 00:25 <DIR> --d----- c:\program files\Xvid
2009-06-21 00:22 <DIR> --d----- c:\docume~1\anthony\applic~1\Pegasys Inc
2009-06-21 00:22 <DIR> --d----- c:\program files\Pegasys Inc
2009-06-20 23:50 <DIR> --d----- c:\docume~1\anthony\applic~1\iriverter
2009-06-20 23:39 <DIR> --d----- c:\program files\iriverter
2009-06-20 23:39 <DIR> --d----- c:\docume~1\anthony\applic~1\Outertech
2009-06-20 23:39 <DIR> --d----- c:\program files\GetDiz
2009-06-20 23:38 <DIR> --d----- c:\program files\FLAC
2009-06-20 23:22 <DIR> --d----- c:\program files\ffdshow
2009-06-20 23:20 <DIR> --d----- c:\program files\TVersity Codec Pack
2009-06-20 23:18 <DIR> --d----- c:\program files\TVersity
2009-06-20 22:35 <DIR> --d----- c:\program files\SlySoft
2009-06-20 22:31 <DIR> --d----- c:\program files\abgx360
2009-06-20 22:04 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{DC840DBC-2CB0-4FEA-98ED-F4E3BD2970C7}
2009-06-20 22:04 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{F19A02B4-1684-448C-B152-43B554F2E722}
2009-06-20 22:04 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{E18C8A94-0667-4A02-B59B-9CB3A8F22628}
2009-06-20 22:04 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83FC5D7A-8875-4931-80D6-1E3AC725D336}
2009-06-20 22:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DriverScanner
2009-06-20 21:41 <DIR> --d----- c:\docume~1\anthony\applic~1\uniblue
2009-06-20 21:40 <DIR> --d----- c:\program files\Uniblue
2009-06-20 21:22 <DIR> --d----- c:\docume~1\anthony\applic~1\NewsBin
2009-06-20 21:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NewsBin
2009-06-20 21:22 <DIR> --d----- c:\program files\NewsBin
2009-06-20 21:20 <DIR> --d----- c:\docume~1\anthony\applic~1\COWON
2009-06-20 20:04 <DIR> --d----- c:\docume~1\anthony\applic~1\foobar2000
2009-06-20 20:03 <DIR> --d----- c:\program files\foobar2000
2009-06-20 20:00 <DIR> --d----- c:\program files\DVD-RB PRO
2009-06-20 20:00 <DIR> --d----- c:\program files\AviSynth 2.5
2009-06-20 19:59 <DIR> --d----- c:\program files\Custom Technology
2009-06-20 19:31 <DIR> --d----- c:\program files\uTorrent
2009-06-20 19:31 <DIR> --d----- c:\docume~1\anthony\applic~1\uTorrent
2009-06-20 19:06 <DIR> --d----- c:\program files\Dream Aquarium
2009-06-20 18:57 <DIR> --d----- c:\program files\common files\COWON
2009-06-20 18:57 <DIR> --d----- c:\program files\JetAudio
2009-06-20 18:55 <DIR> --d----- c:\docume~1\anthony\applic~1\Roni Music
2009-06-20 18:54 <DIR> --d----- c:\program files\Roni Music
2009-06-20 18:50 <DIR> --d----- c:\program files\Siber Systems
2009-06-20 18:39 <DIR> --d----- c:\program files\ESET
2009-06-20 04:45 <DIR> --d----- c:\program files\Elaborate Bytes
2009-06-20 04:44 <DIR> --d----- c:\program files\DVD Decrypter
2009-06-20 04:43 <DIR> --d----- c:\program files\Eraser
2009-06-20 04:20 <DIR> --dsh--- c:\documents and settings\anthony\PrivacIE
2009-06-20 04:19 <DIR> --dsh--- c:\documents and settings\anthony\IETldCache
2009-06-20 03:10 <DIR> --dsh--- c:\documents and settings\anthony\UserData
2009-06-20 03:00 <DIR> --d----- c:\program files\GIGABYTE
2009-06-20 02:51 <DIR> --d----- c:\program files\Realtek
2009-06-19 23:34 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-06-19 23:34 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-06-19 23:33 <DIR> --d----- c:\program files\common files\MSSoap
2009-06-19 23:32 <DIR> --d----- c:\program files\Online Services
2009-06-19 23:32 <DIR> --d----- c:\program files\Messenger
2009-06-19 23:32 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-06-19 23:31 <DIR> --d----- c:\program files\Windows NT
2009-06-19 18:27 <DIR> --d----- c:\program files\common files\ODBC
2009-06-19 18:27 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-06-19 18:27 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================


============= FINISH: 2:31:06.90 ===============
Attached file: Attach.zip (2.4 KB)
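The DDS "Pseudo HJT Report" above and the ComboFix deletion list in post #7 are the two things a helper actually reads in this thread. As an added example that is not part of the original posts or of the DDS/ComboFix tools, the Python below applies the triage a helper does by eye: it parses the `Type: details` load-point entries, flags any populated AppInit_DLLs value, any module loaded from a temp or user-profile directory, and any random-looking file name, and, for a ComboFix deletion list, groups the deleted files and service names that share one leading string. The entry types, sample lines and the `hjgrui` prefix are copied from the logs posted here; the heuristics, thresholds and the six-character cluster width are the example's own assumptions, not anything DDS or ComboFix does.

```python
"""Triage helpers for the two log formats posted in this thread (added example).

Assumes the line layouts visible in the posted logs: "Type: details" entries in
the DDS "Pseudo HJT Report", and one deleted path or "-------\\Service_<name>"
per line in the ComboFix "Other Deletions" / "Drivers/Services" sections.
"""
import re
from collections import defaultdict

# Sample input: lines copied from the DDS and ComboFix logs posted in this thread.
SAMPLE_DDS_LINES = [
    r"uStart Page = about:blank",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r'mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE',
    r"IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000",
    r"LSP: c:\windows\system32\imon.dll",
    r"DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab",
    r"Notify: AtiExtEvent - Ati2evxx.dll",
    r"AppInit_DLLs: c:\windows\temp\9989059365mxx.dll",
    r"SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll",
]
SAMPLE_COMBOFIX_LINES = [
    r"c:\windows\Install.txt",
    r"c:\windows\system32\drivers\hjgruixvorsnao.sys",
    r"c:\windows\system32\hjgruikbgompwm.dll",
    r"c:\windows\system32\hjgruincocbpye.dat",
    r"c:\windows\system32\hjgruivaiwcclv.dat",
    r"c:\windows\system32\hjgruiyklyixst.dll",
    r"-------\Service_hjgruijylnhyuj",
    r"-------\Legacy_MSNCACHE",
    r"-------\Legacy_SOPIDKC",
]

ENTRY_RE = re.compile(r"^([A-Za-z_]+):\s*(.*)$")
# Drive-letter path ending in a loadable extension; directory names may contain
# spaces, so the match stops only at quotes, slashes or line ends.
PATH_RE = re.compile(
    r'[a-zA-Z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+?\.(?:dll|exe|sys|scr|dat)\b',
    re.IGNORECASE,
)
SERVICE_RE = re.compile(r"^-+\\(?:Service|Legacy)_(.+)$", re.IGNORECASE)
# Locations an unprivileged process or a dropper can write to; a load point
# registered from here deserves a look regardless of the file name. (Assumed list.)
WRITABLE_PREFIXES = ("c:\\windows\\temp", "c:\\temp", "c:\\docume~1", "c:\\documents and settings")


def looks_random(stem):
    """Digit-heavy or vowel-free stems of the kind droppers generate (assumed thresholds)."""
    digits = sum(ch.isdigit() for ch in stem)
    letters = [ch for ch in stem if ch.isalpha()]
    if len(stem) >= 8 and digits / len(stem) >= 0.5:
        return True
    return len(letters) >= 10 and not any(ch in "aeiou" for ch in stem.lower())


def triage_pseudo_hjt(lines):
    """Return load-point entries worth a closer look, each with its reasons."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:  # settings such as "uStart Page = ..." are not load points
            continue
        entry, details = m.groups()
        for path in PATH_RE.findall(details) or [details]:
            reasons = []
            if entry.lower() == "appinit_dlls":
                # Injected into every process that loads user32.dll; rarely legitimate.
                reasons.append("AppInit_DLLs populated")
            directory, _, filename = path.lower().rpartition("\\")
            if any(directory == p or directory.startswith(p + "\\") for p in WRITABLE_PREFIXES):
                reasons.append("loaded from temp/user-writable location")
            if looks_random(filename.rsplit(".", 1)[0]):
                reasons.append("random-looking file name")
            if reasons:
                findings.append({"entry": entry, "path": path, "reasons": reasons})
    return findings


def cluster_by_prefix(lines, prefix_len=6):
    """Group deleted files and service names that share a leading string.

    A driver, DLLs, data files and a service carrying one random prefix are
    almost always one component set and should be triaged together.
    """
    groups = defaultdict(list)
    for raw in (ln.strip() for ln in lines if ln.strip()):
        m = SERVICE_RE.match(raw)
        name = m.group(1) if m else raw.rpartition("\\")[2].rsplit(".", 1)[0]
        groups[name[:prefix_len].lower()].append(raw)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for f in triage_pseudo_hjt(SAMPLE_DDS_LINES):
        print(f["entry"], f["path"], "->", "; ".join(f["reasons"]))
    for prefix, members in cluster_by_prefix(SAMPLE_COMBOFIX_LINES).items():
        print(prefix, len(members), "related artifacts")
```

Run against the sample lines, the only DDS entry reported is the AppInit_DLLs line, on all three counts; the ESET LSP, the Office, Adobe and ATI entries pass. The ComboFix list collapses to a single `hjgrui` cluster of five files plus the service that loaded them, which is the unit a helper should verify was removed together.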

#2 - 07-08-2009, 07:30 AM - CatByte, Analyst, Security Team (Join Date: Jan 2009; Location: Canada; Posts: 2,184; OS: XP sp3)

Re: Browser Hijacked with redirects

Hi,

Please do the following:

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
ASAP & UNITE Member
#3 - 07-08-2009, 12:49 PM - atb0826, Registered User (Join Date: Jul 2009; Posts: 7; OS: win xp)

Re: Browser Hijacked with redirects

Hi CatByte, and let me say thanks in advance for your help. Well, I can't seem to download combofix.exe from any of the three links you have posted previously. My internet is working fine otherwise, besides the redirecting issue, but when I click any of the links it just tells me "Firefox can't find the server at forums.whatthetech.com." I even tried on a separate laptop to no avail. I also tried searching on Google, but with the same results. Please advise what my next step should be. Thanks.
#4 - 07-08-2009, 06:20 PM - CatByte, Analyst, Security Team (Join Date: Jan 2009; Location: Canada; Posts: 2,184; OS: XP sp3)

Re: Browser Hijacked with redirects

Hi, I think there was a temporary issue with the links earlier...please try this link

>> HERE<<

It should work fine now.
ASAP & UNITE Member
#5 - 07-09-2009, 04:03 PM - atb0826, Registered User (Join Date: Jul 2009; Posts: 7; OS: win xp)

Re: Browser Hijacked with redirects

Hi. I was able to download ComboFix, but I have a new problem. I have NOD32 anti-virus. I was able to find one process in Windows Task Manager and disable it, but when I run ComboFix it tells me that NOD32 is still running. I don't know if there is a process that I'm missing and not disabling, or if it's some sort of system service that is running in the background. Should I uninstall NOD32 while I run ComboFix, or do you have another workaround?
#6 - 07-09-2009, 05:39 PM - CatByte, Analyst, Security Team (Join Date: Jan 2009; Location: Canada; Posts: 2,184; OS: XP sp3)

Re: Browser Hijacked with redirects

Hi, this is the information I have for disabling NOD. If you cannot disable it, it is best to uninstall it, then reinstall it when the computer is clean; just stay off the internet until the computer is clean and NOD is reinstalled. Thanks.
  • Open the main program window by clicking the ESET icon next to the system clock or by clicking Start → All Programs → ESET → ESET Smart Security or ESET NOD32 Antivirus.
  • Click Setup → Temporarily disable Antivirus and antispyware protection.
  • Click Yes when you are prompted to confirm this action.

NOTE: Please immediately re-enable Antivirus and antispyware protection by clicking Setup → Enable Antivirus and antispyware protection after troubleshooting or installing other software applications.
(Antivirus and antispyware protection will be turned on automatically if your computer is restarted).
ASAP & UNITE Member
#7 - 07-09-2009, 06:52 PM - atb0826, Registered User (Join Date: Jul 2009; Posts: 7; OS: win xp)

Re: Browser Hijacked with redirects

Here is the ComboFix log:


ComboFix 09-07-08.04 - Anthony 07/09/2009 19:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3171 [GMT -5:00]
Running from: c:\documents and settings\Anthony\Desktop\ComboFix.exe
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\drivers\hjgruixvorsnao.sys
c:\windows\system32\hjgruikbgompwm.dll
c:\windows\system32\hjgruincocbpye.dat
c:\windows\system32\hjgruivaiwcclv.dat
c:\windows\system32\hjgruiyklyixst.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruijylnhyuj
-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 20:51 . 2009-07-09 20:51 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-09 05:31 . 2009-07-09 05:31 152576 ----a-w- c:\documents and settings\Anthony\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-08 21:58 . 2009-07-08 21:58 -------- d-----w- c:\program files\CDisplay
2009-07-07 10:11 . 2009-07-07 10:11 -------- d-----w- c:\documents and settings\Anthony\Application Data\Malwarebytes
2009-07-07 10:11 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 10:11 . 2009-07-08 08:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-07 10:11 . 2009-07-07 10:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-07 10:11 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 09:55 . 2009-07-07 09:55 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-07 09:43 . 2009-07-07 09:43 -------- d-----w- c:\program files\CleanUp!
2009-07-07 09:29 . 2009-07-07 09:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-07 09:20 . 2009-07-08 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 09:20 . 2009-07-07 09:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-07 04:39 . 2009-07-07 04:39 -------- d--h--w- c:\windows\PIF
2009-07-06 01:06 . 2009-07-06 02:09 -------- d-sh--w- C:\Diskeeper
2009-07-06 00:53 . 2009-07-06 00:53 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2009-07-06 00:53 . 2009-07-06 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-07-06 00:53 . 2009-07-06 00:53 -------- d-----w- c:\program files\Diskeeper Corporation
2009-07-02 16:06 . 2009-07-02 16:06 194048 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-02 05:47 . 2009-07-02 05:47 -------- d-----w- c:\program files\avi.NET
2009-07-02 04:13 . 2009-07-02 04:13 -------- d-----w- c:\documents and settings\Anthony\Application Data\Media Player Classic
2009-07-02 01:47 . 2009-07-02 01:47 -------- d-----w- c:\program files\MSXML 4.0
2009-07-01 09:46 . 2009-07-01 09:47 -------- d-----w- c:\documents and settings\Anthony\Application Data\Zoner
2009-07-01 09:45 . 2009-07-01 09:45 -------- d-----w- c:\program files\Zoner
2009-07-01 09:33 . 2007-02-20 21:04 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-07-01 09:33 . 2007-02-20 21:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll
2009-07-01 08:35 . 2009-07-01 08:35 -------- d-----w- c:\documents and settings\Anthony\Application Data\NewSoft
2009-07-01 08:34 . 2009-07-01 08:34 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\NewSoft
2009-07-01 08:00 . 2009-07-01 18:47 -------- d-----w- c:\documents and settings\Anthony\Application Data\Canon
2009-06-30 18:08 . 2007-05-22 05:00 80896 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MX700 series Printer\LanguageModules\0411\CNMlr95.dll
2009-06-30 18:08 . 2007-05-22 05:00 76288 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MX700 series Printer\LanguageModules\0409\CNMsr95.dll
2009-06-30 18:08 . 2007-05-22 05:00 43520 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MX700 series Printer\LanguageModules\0411\CNMsr95.dll
2009-06-30 18:08 . 2007-05-22 05:00 361472 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MX700 series Printer\LanguageModules\0409\CNMur95.dll
2009-06-30 18:08 . 2007-05-22 05:00 265728 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MX700 series Printer\LanguageModules\0411\CNMur95.dll
2009-06-30 18:08 . 2007-05-22 05:00 145408 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MX700 series Printer\LanguageModules\0409\CNMlr95.dll
2009-06-30 18:04 . 1997-10-14 10:19 11776 ----a-w- c:\windows\system32\pmsbfn32.dll
2009-06-30 18:04 . 2009-06-30 18:04 -------- d-----w- c:\program files\Common Files\NewSoft
2009-06-30 18:03 . 2009-06-30 18:03 -------- d-----w- c:\program files\Common Files\PDFView
2009-06-30 18:03 . 2009-06-30 18:03 -------- d-----w- c:\program files\NewSoft
2009-06-30 18:03 . 2009-06-30 18:03 -------- d-----w- c:\windows\system32\Color
2009-06-30 18:02 . 2009-06-30 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-06-30 18:02 . 2009-06-30 18:02 -------- d-----w- c:\documents and settings\Anthony\Application Data\ScanSoft
2009-06-30 18:02 . 2009-06-30 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-06-30 18:02 . 2009-06-30 18:02 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-06-30 18:02 . 2009-06-30 18:02 -------- d-----w- c:\program files\ScanSoft
2009-06-30 18:01 . 2009-06-30 18:01 -------- d-----w- c:\program files\Common Files\CANON
2009-06-30 17:57 . 2009-06-30 17:57 -------- d--h--w- c:\program files\CanonBJ
2009-06-30 17:57 . 2007-05-14 15:49 142336 ----a-w- c:\windows\system32\CNMNPUI.DLL
2009-06-30 17:57 . 2007-05-14 15:49 362496 ----a-w- c:\windows\system32\CNMNPPM.DLL
2009-06-30 17:56 . 2009-06-30 18:09 -------- d-----w- c:\program files\Canon
2009-06-30 16:59 . 2009-02-16 04:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-29 19:28 . 2009-06-29 19:28 -------- d-----w- c:\documents and settings\Anthony\Application Data\MakeitOne
2009-06-29 19:27 . 2009-06-29 19:27 664 ----a-w- c:\windows\system32\SpoonUninstall-MakeitOne MP3 Album Maker.dat
2009-06-29 19:27 . 2009-06-29 19:27 -------- d-----w- c:\program files\MakeitOne
2009-06-28 03:58 . 2006-10-27 00:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-06-28 03:57 . 2009-06-28 03:57 -------- d-----w- c:\program files\Microsoft Works
2009-06-28 03:55 . 2009-06-28 03:55 -------- d-----w- c:\program files\Microsoft.NET
2009-06-28 03:53 . 2009-06-28 03:54 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-06-28 03:53 . 2009-06-28 03:56 -------- d-----w- c:\windows\SHELLNEW
2009-06-28 03:53 . 2009-06-28 03:53 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\Microsoft Help
2009-06-28 03:53 . 2009-06-28 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-28 03:52 . 2009-06-28 03:52 -------- d--h--r- C:\MSOCache
2009-06-27 09:54 . 2009-06-27 09:54 -------- d-----w- c:\documents and settings\Anthony\Application Data\dBpoweramp
2009-06-27 09:51 . 2009-06-27 09:51 3625 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-06-27 09:50 . 2009-06-27 09:50 3283 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Musepack Codec.dat
2009-06-27 09:49 . 2009-06-27 09:49 3411 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Shorten Codec.dat
2009-06-27 09:49 . 2009-06-27 09:49 2649 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Midi Decoder.dat
2009-06-27 09:48 . 2009-07-07 09:55 -------- d-----w- c:\windows\system32\drivers\umdf
2009-06-27 09:46 . 2009-06-27 09:46 3400 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2009-06-27 09:46 . 2009-06-27 09:46 1259 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4b Audio book Encoder.dat
2009-06-27 09:42 . 2009-06-27 09:42 2863 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [Tag From Filename] Codec.dat
2009-06-27 09:42 . 2009-06-27 09:42 2894 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [ReplayGain] Codec.dat
2009-06-27 09:42 . 2009-06-27 09:42 2996 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [Multi Encoder] Codec.dat
2009-06-27 09:42 . 2009-06-27 09:42 2993 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [Channel Split] Codec.dat
2009-06-27 09:42 . 2009-06-27 09:42 2856 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [Length Split] Codec.dat
2009-06-27 09:42 . 2009-06-27 09:42 2830 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [ID Tag Update] Codec.dat
2009-06-27 09:41 . 2009-06-27 09:41 2865 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [Audio Info] Codec.dat
2009-06-27 09:41 . 2009-06-27 09:41 2873 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [Arrange Audio] Codec.dat
2009-06-27 09:40 . 2009-06-27 09:41 10999 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
2009-06-27 09:40 . 2009-06-27 09:40 14639 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-06-27 08:01 . 2008-04-13 18:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-06-27 08:01 . 2008-04-13 18:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-06-27 08:00 . 2008-04-13 18:46 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2009-06-27 08:00 . 2008-04-13 18:46 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-06-27 08:00 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2009-06-27 08:00 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-06-27 08:00 . 2008-04-13 18:46 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2009-06-27 08:00 . 2008-04-13 18:46 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2009-06-27 08:00 . 2009-01-21 20:54 1206816 ----a-w- c:\windows\RtkUpd.exe
2009-06-27 08:00 . 2009-02-20 23:12 3729280 ----a-w- c:\windows\system32\drivers\RtKHDMI.sys
2009-06-27 08:00 . 2008-04-13 18:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2009-06-27 08:00 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2009-06-27 07:59 . 2008-04-13 18:46 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2009-06-27 07:59 . 2008-04-13 18:46 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2009-06-27 07:59 . 2008-04-13 18:46 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2009-06-27 07:59 . 2008-04-13 18:46 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2009-06-27 07:59 . 2008-04-14 00:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-06-27 07:59 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-06-27 07:57 . 2009-06-27 07:57 2837016 ----a-w- c:\documents and settings\Anthony\Application Data\uniblue\DriverScanner\Download\pci_ven_8086_dev_29469_1_1_1013.exe
2009-06-27 07:57 . 2009-06-27 07:57 16668058 ----a-w- c:\documents and settings\Anthony\Application Data\uniblue\DriverScanner\Download\hdaudio_func_01_ven_1002_dev_aa015_10_0_5796.exe
2009-06-27 07:56 . 2009-06-27 07:56 31579304 ----a-w- c:\documents and settings\Anthony\Application Data\uniblue\DriverScanner\Download\usb_vid_054c_pid_02681_0_0_378.EXE
2009-06-27 07:27 . 2009-06-27 07:27 1844 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Mp2 and BwfMp2 codec.dat
2009-06-27 07:27 . 2009-06-27 07:27 1224 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Wave64 Codec.dat
2009-06-27 07:26 . 2009-06-27 07:26 2228 ----a-w- c:\windows\system32\SpoonUninstall-dBPoweramp tooLame MP2 codec.dat
2009-06-27 07:26 . 2009-06-27 07:26 11473 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.dat
2009-06-27 07:26 . 2009-06-27 07:26 1206 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Dalet Codec.dat
2009-06-27 07:26 . 2009-06-27 07:26 3008 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp WavPack Codec.dat
2009-06-27 07:26 . 2009-06-27 07:26 3061 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
2009-06-27 07:26 . 2009-06-27 07:26 3153 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
2009-06-27 07:26 . 2009-06-27 07:26 3107 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2009-06-27 07:26 . 2009-06-27 07:26 2987 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-06-27 07:26 . 2009-06-27 07:26 2843 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.dat
2009-06-27 07:25 . 2009-06-27 07:25 -------- d-----w- c:\documents and settings\Anthony\Application Data\AccurateRip
2009-06-27 07:25 . 2009-06-29 19:27 131584 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-06-27 07:25 . 2009-06-27 07:25 -------- d-----w- c:\program files\Illustrate
2009-06-27 02:06 . 2009-06-27 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-06-27 00:44 . 2009-06-27 00:44 -------- d-----w- c:\program files\Veetle
2009-06-24 23:53 . 2009-06-24 23:53 48640 ----a-w- C:\dse.exe
2009-06-24 07:29 . 2009-06-24 07:42 -------- d-----w- c:\documents and settings\Anthony\Application Data\ImgBurn
2009-06-24 07:17 . 2009-06-26 06:41 -------- d-----w- c:\documents and settings\Anthony\Application Data\dvdcss
2009-06-23 20:40 . 2009-06-23 20:40 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\Help
2009-06-23 05:44 . 2009-07-09 05:28 -------- d-----w- c:\program files\PS3 Media Server
2009-06-22 20:57 . 2009-06-22 20:57 -------- d-----w- c:\program files\LibUSB-Win32-0.1.10.1
2009-06-22 10:03 . 2009-07-09 05:20 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\QuickPar
2009-06-22 05:28 . 2009-06-22 05:30 -------- d-----w- c:\documents and settings\Brandy\Application Data\uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 09:09 . 2009-07-08 09:09 179364 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_07_08_04_04_04_small.dmp.zip
2009-07-08 09:09 . 2009-07-08 09:09 200267 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_07_08_04_03_14_small.dmp.zip
2009-07-08 08:57 . 2009-07-08 08:57 179814 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_07_08_03_47_32_small.dmp.zip
2009-07-08 08:57 . 2009-07-08 08:57 159915 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_07_08_03_45_43_small.dmp.zip
2009-07-08 08:57 . 2009-07-08 08:57 161494 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_07_08_03_45_01_small.dmp.zip
2009-07-08 08:57 . 2009-07-08 08:57 211183 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_07_08_03_44_09_small.dmp.zip
2009-07-07 10:40 . 2009-07-07 10:40 161135 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_07_07_05_35_33_small.dmp.zip
2009-07-07 10:40 . 2009-07-07 10:40 196419 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_07_07_05_34_54_small.dmp.zip
2009-07-07 09:46 . 2009-06-20 09:45 0 --sh--w- c:\windows\S027F261E.tmp
2009-07-07 09:24 . 2009-07-07 09:22 55506533 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_07_07_04_16_58_full.dmp.zip
2009-07-07 09:17 . 2009-07-07 09:17 2098176 ----a-w- c:\windows\Internet Logs\xDBDE0A.tmp
2009-07-06 00:37 . 2009-07-06 00:37 197680 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_07_04_21_18_35_small.dmp.zip
2009-07-05 02:18 . 2009-07-06 00:32 83456 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-07-05 02:18 . 2009-07-06 00:32 2056192 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-07-04 19:26 . 2009-07-04 19:26 758272 ----a-w- c:\windows\Internet Logs\xDB148.tmp
2009-07-04 19:19 . 2009-07-04 19:23 20992 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-07-04 19:19 . 2009-07-04 19:23 2054656 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-07-04 19:17 . 2009-07-04 19:18 2054144 ----a-w- c:\windows\Internet Logs\xDB603D.tmp
2009-07-04 19:16 . 2009-07-04 19:16 2936832 ----a-w- c:\windows\Internet Logs\xDB5FB8.tmp
2009-07-02 05:47 . 2009-06-20 04:39 70480 ----a-w- c:\documents and settings\Anthony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-30 17:58 . 2009-06-30 17:58 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-06-30 16:45 . 2009-06-30 16:45 -------- d-----w- c:\program files\Zone Labs
2009-06-21 04:50 . 2009-06-21 04:50 -------- d-----w- c:\documents and settings\Anthony\Application Data\iriverter
2009-06-21 01:02 . 2009-06-21 01:02 18176 ----a-w- c:\windows\system32\Pvt.tmp
2009-06-20 08:34 . 2009-06-20 04:34 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-20 04:46 . 2009-06-20 04:46 97248 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-06-20 04:46 . 2009-06-20 04:46 -------- d-----w- c:\program files\Common Files\Acronis
2009-06-20 04:46 . 2009-06-20 04:46 -------- d-----w- c:\program files\Acronis
2009-06-20 04:34 . 2009-06-20 04:34 -------- d-----w- c:\program files\microsoft frontpage
2009-06-20 04:32 . 2009-06-20 04:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-05 18:57 . 2009-06-05 18:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-13 05:15 . 2004-08-04 04:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-04 04:56 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 03:17 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 04:56 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="c:\program files\GIGABYTE\GEST\RUN.exe" [2007-12-14 236040]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eBay Countdown.url]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eBay Countdown.url
backup=c:\windows\pss\eBay Countdown.urlCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Anthony\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R3 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [6/20/2009 3:00 AM 47624]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [6/20/2009 4:38 PM 33792]
S3 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/7/2009 5:11 AM 38160]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\8zu8dgql.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 19:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-10 19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 00:49

Pre-Run: 66,224,054,272 bytes free
Post-Run: 66,145,882,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

343 --- E O F --- 2009-07-02 01:47
atb0826 is offline  
Old 07-09-2009, 06:53 PM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 7
OS: win xp


Re: Browser Hijacked with redirects

Accidentally double posted Combofix log...Sorry

Last edited by atb0826; 07-09-2009 at 06:55 PM. Reason: Accidentally double posted Combofix log...Sorry
atb0826 is offline  
Old 07-09-2009, 07:13 PM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,184
OS: XP sp3


Re: Browser Hijacked with redirects

Hi,

Please do the following:

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished, it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

NEXT
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report
__________________


ASAP & UNITE Member
CatByte is offline  
Old 07-11-2009, 08:41 AM   #10 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 7
OS: win xp


Re: Browser Hijacked with redirects

Malwarebytes' Anti-Malware 1.38
Database version: 2402
Windows 5.1.2600 Service Pack 3

7/10/2009 3:27:19 AM
mbam-log-2009-07-10 (03-27-19).txt

Scan type: Quick Scan
Objects scanned: 101493
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 10, 2009 07:11:35
Records in database: 2454193
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics:
Files scanned: 148769
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:55:38


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruikbgompwm.dll.vir Infected: Trojan.Win32.Monder.cqbi 1

The selected area was scanned.
atb0826 is offline  
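The Kaspersky report above lists exactly one hit, and its path sits under C:\Qoobox\Quarantine, the folder where ComboFix keeps the copies of what it removed. The following Python script is an added example for this thread, not code from any post here and not a Kaspersky or ComboFix tool: it parses the "File name / Threat name / Threats count" lines of a report in that format, cross-checks them against the "Infected objects" count in the header, and separates hits that are already in a quarantine folder from hits on the live file system. The report text inside it is a constructed sample modelled on the posted one; the second detection line and the quarantine-prefix list are assumptions made for the example.

```python
"""Triage the detection lines of a Kaspersky Online Scanner 7 text report.

Added example for this thread (not any poster's code, not a Kaspersky or
ComboFix tool). Hits under a removal tool's quarantine folder are
neutralised copies, so they are reported separately from live hits.
"""
import re
from dataclasses import dataclass

# A detection line looks like (taken from the report posted in this thread):
#   C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruikbgompwm.dll.vir Infected: Trojan.Win32.Monder.cqbi 1
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)
# Numeric "Scan statistics" lines such as "Infected objects: 1".
STAT_RE = re.compile(r"^(?P<name>[A-Za-z ]+):\s+(?P<value>\d+)\s*$")

# Folders whose contents are neutralised copies, not running malware.
# Only ComboFix's folder is taken from the posted report; extend the tuple for
# the tools you use (assumption: compared case-insensitively as path prefixes).
DEFAULT_QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

# Constructed sample modelled on the posted report; the second detection line
# and its threat name are made up for the example.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0 REPORT
Scan statistics:
Files scanned: 148769
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:55:38

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruikbgompwm.dll.vir Infected: Trojan.Win32.Monder.cqbi 1
C:\Documents and Settings\Anthony\Local Settings\Temp\constructed_sample.exe Infected: Trojan.Win32.Constructed.sample 1

The selected area was scanned.
"""


@dataclass(frozen=True)
class Finding:
    path: str
    verdict: str
    threat: str
    count: int


def parse_findings(report: str) -> list:
    """Return one Finding per detection line in the report."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return findings


def parse_stats(report: str) -> dict:
    """Return the numeric statistics fields (Files scanned, Infected objects, ...)."""
    stats = {}
    for line in report.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m["name"].strip()] = int(m["value"])
    return stats


def triage(findings, quarantine_prefixes=DEFAULT_QUARANTINE_PREFIXES) -> dict:
    """Split findings into 'quarantined' (already neutralised) and 'live'."""
    prefixes = tuple(p.lower() for p in quarantine_prefixes)
    result = {"quarantined": [], "live": []}
    for f in findings:
        bucket = "quarantined" if f.path.lower().startswith(prefixes) else "live"
        result[bucket].append(f)
    return result


def counts_consistent(report: str) -> bool:
    """True when the header's 'Infected objects' agrees with the detection lines.

    A mismatch means the pasted report was truncated or a line was not parsed,
    so the triage result should not be trusted without looking at the raw text.
    """
    stats = parse_stats(report)
    infected = sum(f.count for f in parse_findings(report) if f.verdict == "Infected")
    return stats.get("Infected objects") == infected


if __name__ == "__main__":
    result = triage(parse_findings(SAMPLE_REPORT))
    print("header and detail counts agree:", counts_consistent(SAMPLE_REPORT))
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f.threat}  {f.path}")
```

Run it as-is to see the posted hit land in the "quarantined" bucket and the constructed one in "live"; on a real report, anything in "live" is what still needs attention, and a False from counts_consistent means the report paste should be checked before drawing conclusions.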
Old 07-11-2009, 02:30 PM   #11 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,184
OS: XP sp3


Re: Browser Hijacked with redirects

Hi,

You are clean, the item found by Kaspersky is in quarantine, which we will clean up now.

Please do the following:

You can delete the DDS and GMER folders from your desktop.

NEXT


Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.



Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


**Be very wary of any security software that is advertised in popups or in other ways. Not only is it usually of no use, but it often has malware in it.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.
__________________


ASAP & UNITE Member
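The Internet Explorer hardening steps in the post above set three ActiveX policies for the Internet zone. Those policies are stored per user in the registry, so a defender can verify the result instead of trusting the dialog. The following is an added example, not code from the post or from Microsoft; it relies on Microsoft's documented zone layout (`HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3` is the Internet zone, values `1001`, `1004` and `1201` are the three ActiveX policies, and `0`/`1`/`3` mean Enable/Prompt/Disable). The function and variable names are my own, and the sample zone values are constructed.

```python
"""Audit Internet Explorer's Internet-zone ActiveX settings against the
post's recommendation. Added example (not from the forum post or from
Microsoft); it uses Microsoft's documented registry layout for IE zones.
"""
import sys

# Documented DWORD states for IE zone policies; a lower number is more permissive.
ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Policy value names (documented by Microsoft) paired with the setting
# the post recommends for each one.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}

# Per-user Internet zone (zone number 3) under HKEY_CURRENT_USER.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"


def audit_internet_zone(values):
    """Compare zone DWORDs ({value_name: int}) with RECOMMENDED.

    Returns a list of (value_name, description, current, recommended) for
    every setting that is missing or more permissive than recommended.
    A missing value is reported with current=None: IE then falls back to
    the zone template, which this registry read alone cannot confirm.
    """
    findings = []
    for name, (description, wanted) in RECOMMENDED.items():
        current = values.get(name)
        if current is None or current < wanted:
            findings.append((name, description, current, wanted))
    return findings


def read_internet_zone():
    """Read the three policy values from the current user's hive (Windows only)."""
    if not sys.platform.startswith("win"):
        raise OSError("Internet Explorer zone settings exist only on Windows")
    import winreg  # standard library, available only on Windows builds of Python
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue  # value absent: reported as None by audit_internet_zone
            if kind == winreg.REG_DWORD:
                values[name] = data
    return values


def format_findings(findings):
    """Render audit findings as one human-readable line each."""
    lines = []
    for name, description, current, wanted in findings:
        cur = STATE_NAMES.get(current, "not set" if current is None else str(current))
        lines.append(f"{name} {description}: {cur} (recommended {STATE_NAMES[wanted]})")
    return lines


if __name__ == "__main__":
    try:
        zone = read_internet_zone()
    except OSError:
        # Constructed sample for non-Windows hosts: signed downloads left
        # on Enable, the other two already at Disable.
        zone = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE}
    report = format_findings(audit_internet_zone(zone))
    for line in report or ["Internet zone ActiveX settings match the recommendation"]:
        print(line)
```

Note that "Disable" passes the check for the two download policies even though the post recommends "Prompt": the audit only flags settings that are weaker than recommended, never stricter ones. Group Policy can also pin these values under `HKLM`; this example reads only the per-user hive.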
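The MVPS hosts file described in the post above works because the resolver consults the HOSTS file before DNS, so a name mapped to 127.0.0.1 never leaves the machine. The following added example (my own code, not the post's or the MVPS project's) parses hosts-file syntax and reports what the file does to a given lookup. The sample file is constructed and the `.invalid` names are made up; the function names are mine.

```python
"""Classify hostname lookups against a hosts file. Added example, not code
from the forum post or from the MVPS project.
"""
import ipaddress

# Addresses used to blackhole a name: the loopback address the post
# describes, its IPv6 form, and 0.0.0.0, which some lists prefer because
# it does not even open a connection to a local web server.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in hosts-file syntax (not the real MVPS list).
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS list
127.0.0.1  localhost
127.0.0.1  ads.example.invalid   # trailing comment
127.0.0.1  tracker.example.invalid www.tracker.example.invalid
0.0.0.0    malware-dl.example.invalid
192.0.2.10 intranet.example.invalid
this line is garbage and must be skipped
"""


def parse_hosts(text):
    """Return {hostname_lowercase: ip} from hosts-file text.

    '#' starts a comment, whitespace separates fields, the first field is
    an address and every following field is a hostname for it. Lines whose
    first field is not an IP address are skipped. The first entry seen for
    a name is kept; later duplicates are ignored.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def classify(hostname, table):
    """Return what the hosts file does to a lookup of hostname.

    'blocked'    -> mapped to a blackhole address, the browser never connects
    'overridden' -> pinned to some other address instead of the DNS answer
    'dns'        -> not in the file, a normal DNS lookup happens
    """
    ip = table.get(hostname.lower().rstrip("."))
    if ip is None:
        return "dns"
    return "blocked" if ip in BLACKHOLE else "overridden"


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.invalid", "WWW.Tracker.example.invalid",
                 "intranet.example.invalid", "www.example.invalid"):
        print(f"{host}: {classify(host, table)}")
```

When reviewing a hosts file, the `overridden` category is the one worth reading line by line: a blackholed entry can only stop a connection, while an entry pinned to any other address decides where the browser goes for that name.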
Old 07-11-2009, 04:11 PM   #12 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 7
OS: win xp


Re: Browser Hijacked with redirects

All is well & clean many thanks to you. I appreciate all your help & advice. I have read over your recommendations among others on this site & have instituted a multitude of them. Thank you for your help. :-)
Old 07-11-2009, 07:23 PM   #13 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,184
OS: XP sp3


Re: Browser Hijacked with redirects

you are more than welcome

stay safe

~CB
__________________


ASAP & UNITE Member
Copyright 2001 - 2009, Tech Support Forum