[Resolved] Google - Missngpage redirect :s
ivanreshe
post Jul 8 2009, 02:01 AM
Post #1


New Member

Group: Authentic Member
Posts: 10
Joined: 8-July 09
Member No.: 86,606
Operating System: Windows XP SP3



Hi there,

I am having this re-direct problem. Here's the HijackThis Log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:58:05, on 08/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Belkin Wireless Client Utility.lnk = C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4495 bytes

Thanks in advance!
IvanReshe
CatByte
post Jul 8 2009, 06:26 AM
Post #2


Classroom Administrator

Group: Classroom Admin
Posts: 9,557
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi and Welcome,

NOTE:
  • Malware removal is NOT instantaneous; most infections require more than one round to properly eradicate.
  • Absence of symptoms does not always mean the job is complete; you can be certain that I will advise you when the computer is clean.
  • Kindly follow my instructions in the order posted.
  • Please DO NOT run any scans or fix items without my direction.




Please do the following:

STEP #1

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.



STEP #2



Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.




ivanreshe
post Jul 8 2009, 09:43 AM
Post #3


New Member

Group: Authentic Member
Posts: 10
Joined: 8-July 09
Member No.: 86,606
Operating System: Windows XP SP3



Thanks. Here they are -

DDS.txt


DDS (Ver_09-06-26.01) - NTFSx86
Run by User at 13:31:43.98 on 08/07/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1229 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\dds.pif

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d9050\Belkinwcui.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\7dns1ypu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-27 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-27 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-27 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-28 298776]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2009-6-26 81832]

=============== Created Last 30 ================


==================== Find3M ====================

2009-07-01 09:17 604 a---h--- c:\program files\STLL Notifier
2009-06-28 09:06 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 09:06 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-04 15:07 138,944 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-04 15:07 189,784 a------- c:\windows\system32\PnkBstrB.exe
2009-06-01 07:46 129,784 -------- c:\windows\system32\pxafs.dll
2009-06-01 07:46 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-06-01 07:46 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-06-01 07:46 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-06-01 07:46 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-06-01 07:46 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-26 16:08 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-05-26 16:06 22,328 a------- c:\docume~1\user\applic~1\PnkBstrK.sys
2009-05-26 16:05 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-05-20 15:44 72,929 a------- c:\windows\DIIUnin.dat
2009-05-20 15:43 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-05-20 15:43 17,212 a------t c:\windows\system32\SIntf32.dll
2009-05-20 15:43 12,067 a------t c:\windows\system32\SIntf16.dll
2009-05-20 15:37 94,208 a------- c:\windows\DIIUnin.exe
2009-05-20 15:37 2,829 a------- c:\windows\DIIUnin.pif
2009-05-17 18:46 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-05-03 17:13 499,712 a------- c:\windows\system32\msvcp71.dll
2009-05-03 17:13 348,160 a------- c:\windows\system32\msvcr71.dll
2009-05-01 09:11 249,856 -------- c:\windows\Setup1.exe
2009-05-01 09:11 73,216 a------- c:\windows\ST6UNST.EXE
2009-04-20 13:20 4,608 a------- c:\windows\system32\w95inf32.dll
2009-04-20 13:20 2,272 a------- c:\windows\system32\w95inf16.dll
2009-04-09 22:25 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 13:32:10.59 ===============

Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/11/2009 7:37:09 PM
System Uptime: 7/8/2009 8:21:58 AM (5 hours ago)

Motherboard: FUJITSU SIEMENS | | D2480-A1
Processor: Intel® Pentium® 4 CPU 3.20GHz | U23 | 3200/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 4.128 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP94: 6/29/2009 11:44:42 AM - System Checkpoint
RP95: 6/30/2009 1:37:49 PM - System Checkpoint
RP96: 7/1/2009 9:13:27 AM - Installed Sibelius 6
RP97: 7/1/2009 9:27:07 AM - Removed Sibelius 6
RP98: 7/2/2009 9:44:51 AM - System Checkpoint
RP99: 7/5/2009 10:20:18 AM - System Checkpoint
RP100: 7/6/2009 1:39:05 PM - System Checkpoint
RP101: 7/8/2009 9:34:40 AM - System Checkpoint

==== Installed Programs ======================

µTorrent
Acrobat.com
Adobe AIR
Adobe Anchor Service CS4
Adobe CSI CS4
Adobe Dreamweaver CS4
Adobe ExtendScript Toolkit CS4
Adobe Flash Player 10 Plugin
Adobe Premiere Elements 7.0
Adobe Premiere Elements 7.0 Templates
Adobe Reader 9.1.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Update Manager CS4
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 8.5
AviSynth 2.5
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Belkin Wireless G Plus MIMO USB Network Adapter
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
Choice Guard
Connect
Diablo II
DivX Web Player
ffdshow [rev 2527] [2008-12-19]
Graboid Video 1.5
Hero Editor V0.96
HijackThis 2.0.2
J2SE Runtime Environment 5.0 Update 4
Java™ 6 Update 13
K-Lite Codec Pack 4.7.5 (Full)
kuler
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
MasterWriter 2.0
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (3.0.11)
MSVCRT
Player
PunkBuster Services
Quake Live Mozilla Plugin
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Recuva (remove only)
Segoe UI
Skins
Software Update for Web Folders
Sony Ericsson Device Data
Sony Ericsson Drivers
Sony Ericsson PC Suite
Sorenson Video 3
Spotify
Suite Shared Configuration CS4
Switch Sound File Converter
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6d
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinSCP 4.2.1 beta
WinUHA 2.0 RC1 (2005.02.27)
Zip Motion Block Video codec (Remove Only)

==== Event Viewer Messages From Past Week ========

7/2/2009 3:41:24 PM, error: ati2mtag [43034] - Unknown EDID version

==== End Of File ===========================

GMER.txt

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-08 16:40:52
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


Cheers.
IvanReshe
CatByte
post Jul 8 2009, 10:29 AM
Post #4


Classroom Administrator

Group: Classroom Admin
Posts: 9,557
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

please do the following:

Please download HostsXpert
  • Unzip HostsXpert to its own folder in a convenient place such as C:\HostsXpert
  • Run: HostsXpert.exe
  • Click: Make Writable? in the upper left corner.
  • Click: Restore MS Hosts File
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.



NEXT

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

NEXT

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply



In your next reply please include
  • MBAM Log
  • Kaspersky report
ivanreshe
post Jul 9 2009, 03:11 AM
Post #5


New Member

Group: Authentic Member
Posts: 10
Joined: 8-July 09
Member No.: 86,606
Operating System: Windows XP SP3



Kaspersky Online Scanner didn't work for me. I got these messages in the console.

Program is starting. Please wait...
Update source selected: http://www.kaspersky.com
Downloading file: packages/kos-extras.jar
Program has started.

Program database is being updated. Please wait...
Update source selected: ftp://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads5.kaspersky-labs.com
Update source selected: http://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads3.kaspersky-labs.com
Update source selected: http://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads1.kaspersky-labs.com
Update source selected: ftp://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads4.kaspersky-labs.com
Update source selected: ftp://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads2.kaspersky-labs.com
Update source selected: ftp://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads3.kaspersky-labs.com
Update source selected: http://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads2.kaspersky-labs.com
Update source selected: http://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads5.kaspersky-labs.com
Update source selected: http://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads4.kaspersky-labs.com
Update source selected: ftp://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to resolve source DNS name: downloads1.kaspersky-labs.com


Here is the MBAM report - problem is still here by the way.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

08/07/2009 17:55:45
mbam-log-2009-07-08 (17-55-45).txt

Scan type: Quick Scan
Objects scanned: 85609
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d37327f5-14bd-4d53-9ae0-395b96a8af67}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d37327f5-14bd-4d53-9ae0-395b96a8af67}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{d37327f5-14bd-4d53-9ae0-395b96a8af67}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Thanks.
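Two redirect mechanisms come up in this thread: a tampered hosts file (the HostsXpert step in post #4) and hijacked DNS resolver settings (the DhcpNameServer values MBAM flagged as Trojan.DNSChanger in the report above). The script below is an added example, not part of the thread and not code from MBAM or HostsXpert; it triages both from text. The MBAM lines are constructed in the format of the posted report, the hosts file content is made up, and EXPECTED_RESOLVERS is an assumption standing in for the resolvers the DHCP server on a given network should really hand out.

```python
"""Redirect triage helper: hosts-file tampering and hijacked DNS resolver
settings. Added example, not code from the thread or from MBAM/HostsXpert."""
import ipaddress
import re
from typing import List, NamedTuple, Set


class DnsFinding(NamedTuple):
    key: str            # registry value path as printed by MBAM
    detection: str      # MBAM detection name, e.g. Trojan.DNSChanger
    servers: List[str]  # resolver addresses found in the value data


class HostsEntry(NamedTuple):
    ip: str
    hostname: str
    kind: str           # "sinkhole" (0.0.0.0 / loopback) or "redirect"


# Matches MBAM "Registry Data Items Infected" lines for NameServer values.
DNS_ITEM_RE = re.compile(
    r"^(?P<key>HKEY_\S*NameServer)\s+\((?P<detection>[^)]*)\)"
    r"\s+->\s+Data:\s+(?P<data>.*?)\s+->"
)

# Constructed sample in the format of the MBAM report posted above.
MBAM_LOG = """\
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.191 85.255.112.181 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# Constructed hosts file: one stock entry, one ad sinkhole, one redirect.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.invalid      # ad blocker entry
192.0.2.10      www.search-site.invalid  # tampered entry
"""

# Assumption: the resolver range DHCP should really assign on this network.
EXPECTED_RESOLVERS = ["198.51.100.0/24"]


def parse_mbam_dns_entries(log_text: str) -> List[DnsFinding]:
    """Pull every NameServer registry data item out of an MBAM log."""
    findings: List[DnsFinding] = []
    for line in log_text.splitlines():
        m = DNS_ITEM_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for tok in re.split(r"[\s,]+", m.group("data").strip()):
            try:
                servers.append(str(ipaddress.ip_address(tok)))
            except ValueError:
                continue  # skip anything that is not an address
        findings.append(DnsFinding(m.group("key"), m.group("detection"), servers))
    return findings


def unexpected_resolvers(findings: List[DnsFinding],
                         expected: List[str]) -> Set[str]:
    """Resolver addresses that fall outside the networks DHCP should assign."""
    nets = [ipaddress.ip_network(n) for n in expected]
    bad: Set[str] = set()
    for f in findings:
        for s in f.servers:
            ip = ipaddress.ip_address(s)
            if not any(ip in n for n in nets):
                bad.add(s)
    return bad


def hosts_anomalies(hosts_text: str) -> List[HostsEntry]:
    """Every hosts entry other than the stock localhost mapping, tagged as
    'sinkhole' (harmless blocking) or 'redirect' (points a name elsewhere)."""
    out: List[HostsEntry] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            if ip.is_loopback and name == "localhost":
                continue
            kind = "sinkhole" if ip.is_unspecified or ip.is_loopback else "redirect"
            out.append(HostsEntry(str(ip), name, kind))
    return out


if __name__ == "__main__":
    found = parse_mbam_dns_entries(MBAM_LOG)
    for f in found:
        print(f"{f.detection}: {f.key} -> {' '.join(f.servers)}")
    print("unexpected resolvers:", sorted(unexpected_resolvers(found, EXPECTED_RESOLVERS)))
    for e in hosts_anomalies(HOSTS_SAMPLE):
        print(f"hosts {e.kind}: {e.hostname} -> {e.ip}")
```

The resolver check compares against an allowlist rather than a blocklist on purpose: a DhcpNameServer value that does not belong to the ISP or internal resolvers is worth a look regardless of whether the address is already known as bad. The DNS failures in the Kaspersky console earlier in the same post (every downloads*.kaspersky-labs.com lookup failing to resolve) are the kind of symptom this check helps explain, since a machine pointed at resolvers it should not be using can get no answer, or a wrong one, for the update servers it asks about.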
CatByte
post Jul 9 2009, 06:23 AM
Post #6


Classroom Administrator

Group: Classroom Admin
Posts: 9,557
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

Please do the following:

Download Combofix from any of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".



Link 1
Link 2



During the download, rename Combofix to Combo-Fix as follows:





--------------------------------------------------------------------
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.



-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" for further review.

    **Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**


    -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------


ivanreshe
post Jul 9 2009, 08:11 AM
Post #7


New Member

Group: Authentic Member
Posts: 10
Joined: 8-July 09
Member No.: 86,606
Operating System: Windows XP SP3



ComboFix

ComboFix 09-07-08.07 - User 09/07/2009 14:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1254 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\2cc92b.msi
c:\windows\Installer\48beff.msi
c:\windows\kb913800.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-08 16:43 . 2009-07-08 16:43 -------- d-----w- C:\HostsExpert
2009-07-08 07:57 . 2009-07-08 07:57 -------- d-----w- c:\program files\Trend Micro
2009-07-06 08:10 . 2009-07-06 08:10 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-07-06 08:09 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 08:09 . 2009-07-06 08:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 08:09 . 2009-07-06 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-06 08:09 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 13:02 . 2009-07-02 13:02 -------- d-----w- c:\documents and settings\Diablozzz\Application Data\Teleca
2009-07-02 13:02 . 2009-07-02 13:02 -------- d-----w- c:\documents and settings\Diablozzz\Application Data\Sony Ericsson
2009-07-01 08:26 . 2009-07-01 08:26 -------- d-----w- c:\program files\Common Files\Digidesign
2009-07-01 08:17 . 2009-07-01 08:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Sibelius Software
2009-07-01 08:17 . 2009-07-01 08:17 -------- d-----w- c:\documents and settings\User\Application Data\Sibelius Software
2009-07-01 08:13 . 2009-07-01 08:13 -------- d-----w- c:\program files\Sibelius Software
2009-06-26 15:59 . 2009-06-26 15:59 390664 ----a-w- c:\documents and settings\User\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-26 10:29 . 2007-06-19 08:51 11176 ----a-r- c:\windows\system32\drivers\s816whnt.sys
2009-06-26 10:29 . 2007-06-19 08:51 11176 ----a-r- c:\windows\system32\drivers\s816wh.sys
2009-06-26 10:29 . 2007-06-19 08:51 81832 ----a-r- c:\windows\system32\drivers\s816bus.sys
2009-06-26 10:27 . 2009-06-26 10:27 -------- d-----w- c:\documents and settings\User\Application Data\Teleca
2009-06-26 10:22 . 2009-06-26 10:22 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-26 10:21 . 2009-06-26 10:21 -------- d-----w- c:\documents and settings\User\Application Data\Sony Ericsson
2009-06-26 10:20 . 2009-06-26 10:20 -------- d-----w- c:\program files\Common Files\Sony Ericsson Shared
2009-06-26 10:20 . 2009-06-26 10:20 -------- d-----w- c:\program files\Common Files\Teleca Shared
2009-06-26 10:20 . 2009-06-26 10:20 -------- d-----w- c:\program files\Sony Ericsson
2009-06-26 10:17 . 2009-06-26 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2009-06-26 10:17 . 2009-06-26 10:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-06-26 09:07 . 2008-04-14 09:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-25 16:10 . 2009-06-25 16:10 -------- d-----w- c:\program files\WinSCP
2009-06-25 10:54 . 2009-06-25 10:59 -------- d-----w- c:\documents and settings\User\Application Data\Spotify
2009-06-25 10:54 . 2009-06-25 10:55 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Spotify
2009-06-25 10:54 . 2009-06-25 10:54 -------- d-----w- c:\program files\Spotify
2009-06-24 13:46 . 2009-01-21 13:07 -------- d-----w- c:\program files\Portable Jasc Paint Shop Pro 7.04 and Animation Shop 3.04
2009-06-24 07:32 . 2009-06-25 20:24 -------- d-----w- C:\keen

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 10:32 . 2009-05-17 13:16 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2009-07-06 15:16 . 2009-05-12 18:55 -------- d-----w- c:\program files\DOSBox-0.72
2009-07-02 13:02 . 2009-05-20 14:22 34184 ----a-w- c:\documents and settings\Diablozzz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 08:26 . 2009-05-16 11:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2009-07-01 08:17 . 2009-03-13 08:59 34184 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 08:17 . 2009-07-01 08:17 604 ---ha-w- c:\program files\STLL Notifier
2009-06-28 08:06 . 2009-03-27 14:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-28 08:06 . 2009-03-27 14:40 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 08:06 . 2009-03-27 14:40 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 12:21 . 2009-05-04 08:58 -------- d-----w- c:\documents and settings\User\Application Data\Thinstall
2009-06-26 08:59 . 2009-03-11 19:30 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-24 13:19 . 2009-04-15 21:00 -------- d-----w- c:\program files\Boilsoft ASF Converter
2009-06-24 13:18 . 2009-05-31 11:15 80896 ----a-w- c:\documents and settings\User\Application Data\Seven Zip\Codecs\LZMA.dll
2009-06-24 13:18 . 2009-05-31 11:15 5632 ----a-w- c:\documents and settings\User\Application Data\Seven Zip\Codecs\Swap.dll
2009-06-24 13:18 . 2009-05-31 11:15 5120 ----a-w- c:\documents and settings\User\Application Data\Seven Zip\Codecs\Copy.dll
2009-06-24 13:18 . 2009-05-31 11:15 32256 ----a-w- c:\documents and settings\User\Application Data\Seven Zip\Codecs\Aes.dll
2009-06-24 13:18 . 2009-05-31 11:15 18944 ----a-w- c:\documents and settings\User\Application Data\Seven Zip\Codecs\Branch.dll
2009-06-24 13:18 . 2009-05-31 11:15 13824 ----a-w- c:\documents and settings\User\Application Data\Seven Zip\Codecs\7zAes.dll
2009-06-24 13:18 . 2009-05-31 11:15 129024 ----a-w- c:\documents and settings\User\Application Data\Seven Zip\Formats\7z.dll
2009-06-24 13:15 . 2009-05-30 21:55 -------- d-----w- c:\program files\AVS4YOU
2009-06-24 10:32 . 2009-04-11 14:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-24 08:21 . 2009-04-09 21:22 -------- d-----w- c:\program files\jdownloader
2009-06-04 14:28 . 2009-04-16 21:07 334912 ----a-w- c:\documents and settings\User\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-06-04 14:28 . 2009-04-16 21:07 171072 ----a-w- c:\documents and settings\User\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-06-04 14:07 . 2009-04-16 21:04 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-04 14:07 . 2009-04-16 21:04 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-04 14:07 . 2009-04-16 21:07 874660 ----a-w- c:\documents and settings\User\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-06-04 14:07 . 2009-04-16 21:07 57344 ----a-w- c:\documents and settings\User\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-06-04 14:07 . 2009-04-16 21:07 479232 ----a-w- c:\documents and settings\User\Application Data\id Software\quakelive\home\pb\pbsv.dll
2009-06-04 14:07 . 2009-04-16 21:07 2669632 ----a-w- c:\documents and settings\User\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-06-02 06:29 . 2009-06-02 06:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-01 16:48 . 2009-06-01 08:29 -------- d-----w- c:\documents and settings\User\Application Data\Download Manager
2009-06-01 06:55 . 2009-06-01 06:55 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-06-01 06:50 . 2009-06-01 06:50 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-01 06:46 . 2009-06-01 06:48 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-06-01 06:46 . 2009-06-01 06:48 129784 ------w- c:\windows\system32\pxafs.dll
2009-06-01 06:46 . 2009-06-01 06:48 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-06-01 06:46 . 2009-06-01 06:48 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-06-01 06:46 . 2009-06-01 06:48 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-06-01 06:46 . 2009-06-01 06:48 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-31 12:06 . 2009-03-27 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-31 11:33 . 2009-05-30 21:58 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-31 11:15 . 2009-05-31 11:15 -------- d-----w- c:\documents and settings\User\Application Data\Seven Zip
2009-05-31 10:06 . 2009-05-30 22:00 -------- d-----w- c:\documents and settings\User\Application Data\AVS4YOU
2009-05-30 22:00 . 2009-05-30 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-05-30 21:29 . 2009-05-20 08:57 -------- d-----w- c:\program files\Any Video Converter
2009-05-30 21:29 . 2009-05-20 08:57 -------- d-----w- c:\documents and settings\User\Application Data\Any Video Converter
2009-05-30 21:29 . 2009-05-30 21:21 -------- d-----w- c:\program files\Any Video Converter Professional
2009-05-30 21:29 . 2009-05-30 21:21 -------- d-----w- c:\documents and settings\User\Application Data\Any Video Converter Professional
2009-05-27 11:27 . 2009-03-27 14:52 -------- d-----w- c:\program files\Diablo 2
2009-05-26 15:08 . 2009-04-16 21:03 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-05-26 15:06 . 2009-04-16 21:04 22328 ----a-w- c:\documents and settings\User\Application Data\PnkBstrK.sys
2009-05-26 15:06 . 2009-04-16 21:04 22328 ----a-w- c:\documents and settings\User\Application Data\PnkBstrK.sys
2009-05-26 15:05 . 2009-04-16 21:03 2246144 ----a-w- c:\windows\system32\pbsvc.exe
2009-05-26 15:05 . 2009-05-26 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-05-24 07:54 . 2009-05-20 14:32 -------- d-----w- c:\program files\Diablo II
2009-05-20 14:44 . 2009-03-27 14:59 72929 ----a-w- c:\windows\DIIUnin.dat
2009-05-20 14:43 . 2009-03-27 15:08 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-05-20 14:43 . 2009-03-27 15:08 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-05-20 14:43 . 2009-03-27 15:08 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-05-20 14:37 . 2009-03-27 14:59 94208 ----a-w- c:\windows\DIIUnin.exe
2009-05-20 14:37 . 2009-03-27 14:59 2829 ----a-w- c:\windows\DIIUnin.pif
2009-05-20 14:22 . 2009-05-20 14:22 -------- d-----w- c:\documents and settings\Diablozzz\Application Data\ATI
2009-05-17 17:46 . 2009-05-01 08:10 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-05-17 17:01 . 2009-05-17 17:01 -------- d-----w- c:\documents and settings\User\Application Data\Graboid Inc
2009-05-17 13:16 . 2009-05-17 13:16 -------- d-----w- c:\program files\uTorrent
2009-05-17 12:13 . 2009-04-08 17:16 -------- d-----w- c:\program files\Graboid
2009-05-17 12:13 . 2009-05-17 12:13 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-05-17 09:26 . 2009-05-03 19:00 -------- d-----w- c:\program files\QuickMediaConverter
2009-05-17 09:10 . 2009-03-13 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-17 09:04 . 2009-05-16 10:17 -------- d-----w- c:\program files\CyberLink
2009-05-16 12:55 . 2009-05-16 12:55 -------- d-----w- c:\program files\VirtualDub
2009-05-16 11:56 . 2009-05-16 11:55 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-05-16 11:56 . 2009-05-16 11:56 -------- d-----w- c:\documents and settings\User\Application Data\Media Player Classic
2009-05-16 11:39 . 2009-05-16 11:17 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}\PostBuild.exe
2009-05-16 11:25 . 2009-05-16 10:25 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-16 10:24 . 2009-05-16 10:24 -------- d-----w- c:\documents and settings\User\Application Data\CyberLink
2009-05-16 09:52 . 2009-05-16 09:52 -------- d-----w- c:\program files\Recuva
2009-05-12 13:06 . 2009-05-05 13:09 -------- d-----w- c:\program files\Quake III Arena
2009-05-05 09:51 . 2009-05-05 09:51 625728 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
2009-05-04 10:39 . 2009-05-04 10:39 19968 ----a-w- c:\documents and settings\User\Application Data\Thinstall\Microsoft Expression Web 2\4000001900002i\iexplore.exe
2009-05-04 10:39 . 2009-05-04 10:39 19968 ----a-w- c:\documents and settings\User\Application Data\Thinstall\Microsoft Expression Web 2\4000004d00002i\firefox.exe
2009-05-04 09:00 . 2009-05-04 09:00 19968 ----a-w- c:\documents and settings\User\Application Data\Thinstall\Microsoft Expression Web 2\1000000b00002i\verclsid.exe
2009-05-04 08:59 . 2009-05-04 08:59 19968 ----a-w- c:\documents and settings\User\Application Data\Thinstall\Microsoft Expression Web 2\4000001100002i\mscorsvw.exe
2009-05-03 16:47 . 2009-05-03 16:47 0 ----a-w- c:\windows\ativpsrm.bin
2009-05-03 16:13 . 2009-05-03 16:13 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-05-03 16:13 . 2009-05-03 16:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-02 09:10 . 2009-03-27 14:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-01 08:11 . 2009-05-01 08:11 249856 ------w- c:\windows\Setup1.exe
2009-05-01 08:11 . 2009-05-01 08:11 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-04-20 14:55 . 2009-04-20 12:20 285 ----a-w- c:\windows\EReg072.dat
2009-04-20 12:20 . 2009-04-20 12:20 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-04-20 12:20 . 2009-04-20 12:20 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-04-16 21:09 . 2009-04-16 21:07 441408 ----a-w- c:\documents and settings\User\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-04-16 21:07 . 2009-04-16 21:07 57344 ----a-w- c:\documents and settings\User\Application Data\id Software\quakelive\home\pb\pbags.dll
2009-04-16 21:07 . 2009-04-16 21:07 874660 ----a-w- c:\documents and settings\User\Application Data\id Software\quakelive\home\pb\pbcls.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-09 148888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2009-03-13 16248320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Client Utility.lnk - c:\program files\Belkin\F5D9050\Belkinwcui.exe [2006-12-1 1585152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 08:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CCC.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLI.exe"=
"c:\\Program Files\\Graboid\\GraboidVideo\\1.5.0.0\\GraboidClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Chat Republic Games\\Superstar Racing\\ChatRepublicPlayer.exe"=
"c:\\Program Files\\MasterWriter 2.0\\jre\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Diablo II
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/27/2009 3:40 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/27/2009 3:40 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/27/2009 3:40 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/28/2009 2:35 PM 298776]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [6/26/2009 11:29 AM 81832]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\7dns1ypu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 14:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-09 14:59
ComboFix-quarantined-files.txt 2009-07-09 13:59

Pre-Run: 4,745,068,544 bytes free
Post-Run: 4,731,559,936 bytes free

231
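An added example, not part of the thread or of ComboFix itself: a small Python parser for the file-listing lines in the log above, with a triage pass that marks the entries a helper reads first. The column layout (creation time, a "." separator, last-write time, size or "--------" for directories, an eight-character attribute string, path) is read off the posted entries and is an assumption about the format. The sample lines are copied from the log, the scan time comes from the catchme line (2009-07-09 14:58), and the heuristics only say what to look at; every file they flag here belongs to a known product, which the reviewer settles by checking the publisher and the install history.

```python
"""Triage helper for the file-listing lines in a ComboFix log.

Added example for this thread; not part of ComboFix or of the poster's log.
Column layout is inferred from the posted entries (an assumption):
    <created> . <modified> <size|--------> <attrs> <path>
"""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# One entry per line; section headers such as '((((( Find3M Report )))))'
# do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>.+)$"
)

# Extensions treated as executable content when deciding what to flag.
CODE_EXTENSIONS = {".sys", ".dll", ".exe", ".pif", ".scr", ".com"}

# Taken from the 'Rootkit scan 2009-07-09 14:58' line of the posted log.
SCAN_TIME = datetime(2009, 7, 9, 14, 58)

# Sample lines copied from the posted log, plus one section header.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-07-01 08:17 . 2009-07-01 08:17 604 ---ha-w- c:\program files\STLL Notifier
2009-06-28 08:06 . 2009-03-27 14:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 10:29 . 2007-06-19 08:51 11176 ----a-r- c:\windows\system32\drivers\s816whnt.sys
2009-06-26 15:59 . 2009-06-26 15:59 390664 ----a-w- c:\documents and settings\User\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-25 16:10 . 2009-06-25 16:10 -------- d-----w- c:\program files\WinSCP
2009-05-26 15:06 . 2009-04-16 21:04 22328 ----a-w- c:\documents and settings\User\Application Data\PnkBstrK.sys
2009-05-03 16:13 . 2009-05-03 16:13 499712 ----a-w- c:\windows\system32\msvcp71.dll
"""


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def is_code(self) -> bool:
        return ntpath.splitext(self.path)[1].lower() in CODE_EXTENSIONS


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=size,
        attrs=m["attrs"],
        path=m["path"],
    )


def parse_report(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def review_reasons(entry: Entry, scan_time: datetime, recent_days: int = 14) -> List[str]:
    """Reviewer heuristics: recent code under c:\\windows, code inside a user
    profile, hidden objects. They select what to inspect, not what is malicious."""
    reasons = []
    if entry.is_dir:
        return reasons
    lower = entry.path.lower()
    if entry.is_code and lower.startswith("c:\\windows\\") \
            and scan_time - entry.created <= timedelta(days=recent_days):
        reasons.append(f"code file created under c:\\windows within the last {recent_days} days")
    if entry.is_code and "\\application data\\" in lower:
        reasons.append("code file stored under a user profile's Application Data")
    if entry.hidden:
        reasons.append("hidden attribute set")
    return reasons


def triage(text: str, scan_time: datetime, recent_days: int = 14) -> Dict[str, List[str]]:
    findings = {}
    for entry in parse_report(text):
        reasons = review_reasons(entry, scan_time, recent_days)
        if reasons:
            findings[entry.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG, SCAN_TIME).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against a full log, the same code narrows a few hundred lines down to the handful worth cross-checking against the "Reg Loading Points" and driver sections, which is the order a helper works through a ComboFix report.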
CatByte
post Jul 9 2009, 08:21 AM
Post #8


Classroom Administrator

Group: Classroom Admin
Posts: 9,557
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

Please do the following:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


NEXT

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


ivanreshe
post Jul 9 2009, 10:26 AM
Post #9


New Member

Group: Authentic Member
Posts: 10
Joined: 8-July 09
Member No.: 86,606
Operating System: Windows XP SP3



GooredFix by jpshortstuff (03.07.09)
Log created at 16:38 on 09/07/2009 (User)
Firefox version 3.0.11 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [15:09 27/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [21:25 09/04/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:25 09/04/2009]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [16:13 03/05/2009]

-=E.O.F=-


ESET.com doesn't connect..... I can't even get onto their home site. Is this bad news!?
CatByte
post Jul 9 2009, 10:48 AM
Post #10


Classroom Administrator

Group: Classroom Admin
Posts: 9,557
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

Maybe the problem is with your DNS

Let's reset your DNS server and flush your DNS cache.
I suggest you print out these instructions for easy reference:
  • Go to Start > Control Panel, and choose Network Connections.
  • Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Click the Networking tab
  • Double-click on the Internet Protocol (TCP/IP) item.
  • Write down the settings in case you should need to change them back.
  • Select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice to get out of the properties screen and restart your computer.
  • If not prompted to reboot go ahead and reboot manually.

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.
  • Now go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between “..g /f…”; it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.

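The reply above does the check by hand in the Network Connections dialog. As an added example (not part of the original reply or of any tool it mentions), here is a Python script that audits the same two settings from text: it parses XP-style `ipconfig /all` output for each adapter's DNS servers, compares them with a resolver list the administrator expects, and reads the hosts file for names sent anywhere other than loopback, since both are places a local redirect can live. The sample output, the sample hosts file and the EXPECTED_RESOLVERS set are constructed assumptions; 203.0.113.0/24 is a documentation address range.

```python
"""Audit the per-adapter DNS server list and the hosts file for overrides.

Added example for this thread; not the forum's procedure or any tool's code.
Both inputs are plain text, so the samples below are constructed and the
script runs offline. EXPECTED_RESOLVERS is an assumption to be filled in from
the router or ISP documentation the reply's CAUTION refers to.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `ipconfig /all` output in the Windows XP layout.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : EXAMPLE-PC
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Wireless Adapter
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : 09 July 2009 08:00:00
"""

# Constructed hosts file: one normal loopback line and two overrides that
# point well-known names at a documentation-range address.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.99    www.google.co.uk
203.0.113.99    google.com   # added override
"""

# Assumption: the router at 192.168.1.1 is the only resolver this machine should use.
EXPECTED_RESOLVERS = {"192.168.1.1"}

ADAPTER_RE = re.compile(r"^(\S.* adapter .+):\s*$")
# A field line is indented, has a dotted leader and then a colon, e.g.
# '        DNS Servers . . . . : 192.168.1.1'. Continuation lines carry
# only a value and fail this pattern, which is how they are recognised.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)\s?(?:\.\s?)+:\s*(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, object]]:
    """Map adapter name -> {'dhcp': bool, 'dns': [server, ...]}."""
    adapters: Dict[str, Dict[str, object]] = {}
    current = None
    last_field = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {"dhcp": False, "dns": []}
            last_field = None
            continue
        if current is None:
            continue  # global header block before the first adapter
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            last_field = key
            if key == "dhcp enabled":
                adapters[current]["dhcp"] = value.lower() == "yes"
            elif key == "dns servers" and value:
                adapters[current]["dns"].append(value)
            continue
        if last_field == "dns servers":
            adapters[current]["dns"].append(line.strip())  # extra resolver
    return adapters


def parse_hosts(text: str) -> List[Tuple[ipaddress._BaseAddress, List[str]]]:
    """Return (address, [names]) per active hosts line; comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((addr, parts[1:]))
    return entries


def audit(ipconfig_text: str, hosts_text: str, expected_resolvers) -> List[str]:
    findings = []
    expected = {ipaddress.ip_address(a) for a in expected_resolvers}
    for adapter, info in parse_ipconfig(ipconfig_text).items():
        dhcp = "on" if info["dhcp"] else "off"
        for server in info["dns"]:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append(f"{adapter} (DHCP {dhcp}): unparsable DNS server entry {server!r}")
                continue
            if addr not in expected:
                findings.append(f"{adapter} (DHCP {dhcp}): DNS server {addr} is not an expected resolver")
    for addr, names in parse_hosts(hosts_text):
        if addr.is_loopback:
            continue
        for name in names:
            findings.append(f"hosts file sends {name} to {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit(IPCONFIG_SAMPLE, HOSTS_SAMPLE, EXPECTED_RESOLVERS):
        print(finding)
```

On the affected machine you would feed it the real output (`ipconfig /all > out.txt` and `C:\WINDOWS\system32\drivers\etc\hosts`) rather than the samples, correct anything it reports through the dialog steps in the reply, and then run `ipconfig /flushdns` as described so that answers cached from the old resolver are discarded.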
ivanreshe
post Jul 10 2009, 04:00 AM
Post #11


New Member

Group: Authentic Member
Posts: 10
Joined: 8-July 09
Member No.: 86,606
Operating System: Windows XP SP3



Still redirecting I'm afraid....
CatByte
post Jul 10 2009, 04:25 AM
Post #12


Classroom Administrator

Group: Classroom Admin
Posts: 9,557
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Can you please describe in more detail what is taking place. Is this happening in both Firefox and IE?

Where are you getting re-directed to?
ivanreshe
post Jul 10 2009, 06:08 AM
Post #13


New Member

Group: Authentic Member
Posts: 10
Joined: 8-July 09
Member No.: 86,606
Operating System: Windows XP SP3



In Firefox, when I google a search and click on a link it opens a new tab. In this tab, about 30% of the time it redirects me to a website called missngpage.com, which then forwards me onto a random site.

I don't usually use IE, but I just tried it and it is acting unusually as well - it opens a new window for every google search I click on, and the website of that search is very long. For example, this was a wikipedia entry -

http://www.google.co.uk/click?sa=T&ct=...EwMQ==&xr=0

Thanks for your time!
CatByte
post Jul 10 2009, 08:29 AM
Post #14


Classroom Administrator

Group: Classroom Admin
Posts: 9,557
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hi,

Please do the following:


Download and scan with SUPERAntiSpyware
Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
      Close browsers before scanning
      Scan for tracking cookies.
      Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Now reboot into Safe Mode: How to enter safe mode
  • Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with an Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.
  • Perform the scan...Launch the program
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".


    To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.



Please post a fresh HJT log along with the SuperAntiSpyware log
ivanreshe
post Jul 10 2009, 11:19 AM
Post #15


New Member

Group: Authentic Member
Posts: 10
Joined: 8-July 09
Member No.: 86,606
Operating System: Windows XP SP3



Well - that seems to have done it!!

It is STILL opening google searches in a new tab in Firefox, and in a new window in IE. Is that normal??

But the redirections have stopped

THANK YOU!!!!!