When I search with google I get redirected

Kayesv · #1 (**permalink**) 16-08-2009, 06:10 PM

Hello! I apologize in advance if I make any mistakes, I'm very new to this. I've recently been having problems searching the internet. Let me clarify that, when I use google to look something up, any link I click on redirects me to something I wasn't searching for and I have to click on the link at least 4 times to actually get to the site I wanted to.

I read the rules and hope I'm doing this correctly. I'll link my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:43 PM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Documents and Settings\Kristen\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Kristen\Desktop\regprot\regprot.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Dell UK: Laptops, Desktop Computers, Monitors, Printers & PC Accessories
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5969 bytes

Thank you in advance for any help you can offer.

Neal · #2 (**permalink**) 16-08-2009, 11:12 PM

Welcome aboard,

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Also a new hijackthis log please.

Kayesv · #3 (**permalink**) 17-08-2009, 03:22 AM

Here is the log for GooredfixGooredFix

by jpshortstuff (12.07.09)
Log created at 21:20 on 16/08/2009 (Kristen)
Firefox version 3.0.13 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:27 05/04/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [20:09 07/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [08:36 10/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extens ions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [15:25 05/05/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:08 07/04/2009]
"avg@igeared"="C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared" [14:32 29/06/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework \v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:07 15/08/2009]

-=E.O.F=-

Neal · #4 (**permalink**) 17-08-2009, 05:35 PM

* Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and zLaunch Malwarebytes Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Kayesv · #5 (**permalink**) 18-08-2009, 12:15 AM

Thank you again for the help. Here are both the MBAM log and a new Hijackthis log:

Malwarebytes' Anti-Malware 1.39
Database version: 2539
Windows 5.1.2600 Service Pack 3

8/17/2009 6:06:27 PM
mbam-log-2009-08-17 (18-06-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145826
Time elapsed: 20 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruidetswouh. dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruidetswouh. dll (Trojan.TDSS) -> Quarantined and deleted successfully.

--------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:11 PM, on 8/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Dell UK: Laptops, Desktop Computers, Monitors, Printers & PC Accessories
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5591 bytes

Neal · #6 (**permalink**) 18-08-2009, 01:44 AM

What is going on now please?

Kayesv · #7 (**permalink**) 18-08-2009, 09:15 AM

Sorry for the delayed reply. It still seems to be happening, but not nearly as frequently as before. Is there anything else I can do?

Neal · #8 (**permalink**) 18-08-2009, 06:00 PM

Visit this page below to familiarize yourself to the tool below and download from one of the links provided.

A guide and tutorial on using ComboFix

If you have previously downloaded ComboFix,please delete that version now.

It is IMPORTANT that it is saved directly to your desktop

Close any open browsers.

Disconnect from the Internet.

Please do not re-connect your machine back to the Internet until Combofix has completely finished.

Disable your antivirus program and any realtime malware scanners and script blockers now

How To Disable

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note:
Do not mouseclick combofix's window while it's running.

That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Re-enable your anti-virus and re-connect back to the internet and post the combofix log.

*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

ComboFix SHOULD NOT be used unless requested by a forum helper.

Kayesv · #9 (**permalink**) 19-08-2009, 02:53 PM

I ran Combofix as asked. Here is the log:

ComboFix 09-08-18.03 - Kristen 08/19/2009 8:40.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1548 [GMT -5:00]
Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
c:\windows\system32\drivers\hjgruibpxktens.sys
c:\windows\system32\hjgruidetswouh.dll
c:\windows\system32\hjgruircssexsd.dll
c:\windows\system32\hjgruisajiccgi.dat
c:\windows\system32\hjgruiymqnavki.dat

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\i386\MsPMSNSv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruimjctchqt
-------\Legacy_hjgruimjctchqt

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-16 16:39 . 2009-08-16 16:39 -------- d-----w- c:\program files\Windows Defender
2009-08-16 16:19 . 2009-08-16 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-16 11:11 . 2009-08-16 11:11 -------- d-----w- c:\documents and settings\Kristen\Local Settings\Application Data\Unity
2009-08-16 11:11 . 2009-08-16 11:11 -------- d-----w- c:\program files\Unity
2009-08-15 08:06 . 2009-08-15 08:06 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-15 08:06 . 2009-08-15 08:06 -------- d-----w- c:\program files\MSBuild
2009-08-15 08:05 . 2009-08-15 08:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 08:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintpr oc.dll
2009-08-15 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-15 08:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-15 08:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 08:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-15 08:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesv c.exe
2009-08-15 08:04 . 2009-08-15 08:05 -------- d-----w- C:\09e796b3b99651542aa3
2009-08-12 20:41 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-01 09:53 . 2009-08-01 09:53 -------- d-----w- c:\program files\CCleaner
2009-08-01 09:12 . 2009-08-01 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-01 09:12 . 2009-08-19 13:26 -------- d-----w- c:\documents and settings\Kristen\Application Data\SUPERAntiSpyware.com
2009-08-01 09:12 . 2009-08-19 13:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-01 08:52 . 2009-08-01 08:52 -------- d-----w- c:\documents and settings\Kristen\Application Data\Malwarebytes
2009-08-01 08:52 . 2009-08-01 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-26 19:17 . 2009-07-20 21:09 282624 ----a-w- c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\kezetwe5.default\ext ensions\NPDyyno@dyyno.com\Plugins\npDyyno.dll
2009-07-26 04:19 . 2009-03-19 21:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-26 04:19 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-26 04:19 . 2009-07-26 04:19 -------- d-----w- c:\program files\iPod
2009-07-26 04:19 . 2009-07-26 04:19 -------- d-----w- c:\program files\iTunes
2009-07-21 15:15 . 2009-07-26 04:14 -------- d-----w- c:\documents and settings\Kristen\Local Settings\Application Data\PMB Files
2009-07-21 15:15 . 2009-07-21 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-07-21 15:15 . 2009-07-21 15:15 -------- d-----w- c:\program files\Pando Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-08-19 13:26 . 2009-04-06 01:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-19 02:11 . 2009-04-06 01:13 -------- d-----w- c:\program files\World of Warcraft
2009-08-16 16:39 . 2009-04-14 15:53 20856 ----a-w- c:\documents and settings\Kristen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 16:14 . 2006-01-31 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-11 10:49 . 2009-07-10 08:45 -------- d-----w- c:\documents and settings\Kristen\Application Data\FrostWire
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 04:19 . 2009-07-10 08:55 -------- d-----w- c:\program files\Common Files\Apple
2009-07-26 04:16 . 2009-04-05 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 13:27 . 2009-05-05 15:25 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-14 04:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 19:22 . 2009-07-13 19:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-13 16:16 . 2009-05-10 20:11 -------- d-----w- c:\documents and settings\Kristen\Application Data\vlc
2009-07-13 13:08 . 2009-04-06 02:05 -------- d-----w- c:\documents and settings\Kristen\Application Data\Ventrilo
2009-07-10 08:57 . 2009-07-10 08:57 0 ----a-w- c:\documents and settings\Kristen\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-07-10 08:56 . 2009-07-10 08:56 -------- d-----w- c:\documents and settings\Kristen\Application Data\Apple Computer
2009-07-10 08:56 . 2009-07-10 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-10 08:56 . 2009-07-10 08:56 -------- d-----w- c:\program files\Bonjour
2009-07-10 08:56 . 2009-07-10 08:55 -------- d-----w- c:\program files\QuickTime
2009-07-10 08:55 . 2009-07-10 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-10 08:55 . 2009-07-10 08:55 -------- d-----w- c:\program files\Apple Software Update
2009-07-10 08:55 . 2009-07-10 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-29 14:32 . 2009-06-29 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-29 14:32 . 2009-06-29 14:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-29 14:32 . 2009-05-05 15:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-29 14:32 . 2009-05-05 15:25 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-27 08:40 . 2009-06-27 08:39 -------- d-----w- c:\documents and settings\Kristen\Application Data\FreeCap
2009-06-26 16:50 . 2005-08-16 10:18 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:35 . 2009-06-10 08:35 152576 ----a-w- c:\documents and settings\Kristen\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-06 23:41 . 2009-06-06 23:41 120088 ----a-w- c:\documents and settings\Kristen\Application Data\Mozilla\Plugins\npoctoshape.dll
2009-06-04 10:03 . 2009-06-06 23:41 396288 ----a-w- c:\documents and settings\Kristen\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-libOctoshapeClient.dll
2009-06-04 10:03 . 2009-06-06 23:41 124184 ----a-w- c:\documents and settings\Kristen\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-apoctoshape.dll
2009-06-04 10:03 . 2009-06-06 23:41 120088 ----a-w- c:\documents and settings\Kristen\Application Data\Octoshape\Octoshape Streaming Services\sua-0906040-0-npoctoshape.dll
2009-06-03 19:09 . 2005-08-16 10:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 16:33 . 2009-04-07 20:09 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 21:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-31 1935360]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-31 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 14:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Kristen\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Documents and Settings\\Kristen\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Documents and Settings\\Kristen\\Desktop\\Frostwire\\FrostWire.e xe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Kristen\\Desktop\\smoothping\\smoothping \\putty.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"56212:TCP"= 56212:TCP:Pando Media Booster
"56212:UDP"= 56212:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/5/2009 10:25 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/5/2009 10:25 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/5/2009 10:25 AM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/5/2009 10:25 AM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\kezetwe5.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\kezetwe5.default\ext ensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-08-19 08:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1120)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
************************************************** ************************
.
Completion time: 2009-08-19 8:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 13:48

Pre-Run: 110,675,615,744 bytes free
Post-Run: 111,375,888,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windo ws XP Media Center Edition" /noexecute=optin /fastdetect

231 --- E O F --- 2009-08-18 01:59

Neal · #10 (**permalink**) 19-08-2009, 05:42 PM

Open notepad(Must be NotePad) and copy/paste the text in the quotebox below into it:NOT THE WORD QUOTE

Quote:

DirLook::
C:\09e796b3b99651542aa3