Resolved PC infected with search redirect virus, please help!

tmort23

Hi there, I'm new to TechSpot, and I have a serious virus problem. For the past month, my computer has been infected with the search redirect virus, and I can't get rid of it. My own antivirus can't even find it when it scans (I have ZoneAlarm). My virus protection is about to run out in less than a week, so I need this thing gone. I'm kind of a newbie at this stuff, so I'm sorry if I ask a lot of questions.

I followed the 8-step virus preliminary removal thread, but could not (and still can't) download the Malwarebytes Anti-Malware program. It claims the page cannot be displayed. Apart from that, everything else worked well.

OK, not sure why, but it won't let me attach anything. I click Manage Attachments, but it won't do anything. So I am just going to copy and paste them all.

Please help me, TechSpot! I'll do my best to respond quickly.

Thanks in advance,

Tanner

Here's the ATTACH.txt:

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/28/2004 3:43:00 PM
System Uptime: 5/9/2010 1:52:18 PM (2 hours ago)

Motherboard: Dell Computer Corp. | | 0F5949
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2790/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 23.649 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1283: 2/9/2010 7:27:56 PM - System Checkpoint
RP1284: 2/9/2010 11:18:29 PM - Software Distribution Service 3.0
RP1285: 2/11/2010 7:30:07 PM - System Checkpoint
RP1286: 2/17/2010 3:11:57 AM - System Checkpoint
RP1287: 2/18/2010 2:17:25 PM - System Checkpoint
RP1288: 2/19/2010 3:32:04 PM - System Checkpoint
RP1289: 2/20/2010 10:58:59 PM - System Checkpoint
RP1290: 2/21/2010 11:12:41 PM - System Checkpoint
RP1291: 2/26/2010 9:52:34 PM - System Checkpoint
RP1292: 2/28/2010 12:09:28 AM - System Checkpoint
RP1293: 3/1/2010 1:21:40 AM - System Checkpoint
RP1294: 3/2/2010 2:23:46 AM - System Checkpoint
RP1295: 3/3/2010 2:44:55 AM - System Checkpoint
RP1296: 3/4/2010 3:28:46 AM - System Checkpoint
RP1297: 3/5/2010 5:36:03 AM - System Checkpoint
RP1298: 3/15/2010 4:21:41 PM - System Checkpoint
RP1299: 3/16/2010 4:59:42 PM - System Checkpoint
RP1300: 3/17/2010 5:25:10 PM - System Checkpoint
RP1301: 3/18/2010 8:45:03 PM - System Checkpoint
RP1302: 3/19/2010 8:50:08 PM - System Checkpoint
RP1303: 3/20/2010 9:19:54 PM - System Checkpoint
RP1304: 3/21/2010 10:17:48 PM - System Checkpoint
RP1305: 3/22/2010 10:25:12 PM - System Checkpoint
RP1306: 3/24/2010 2:03:35 PM - System Checkpoint
RP1307: 3/24/2010 9:54:38 PM - Installed Connect Service
RP1308: 3/25/2010 10:35:36 PM - System Checkpoint
RP1309: 3/27/2010 7:28:32 PM - System Checkpoint
RP1310: 3/28/2010 8:02:14 PM - System Checkpoint
RP1311: 3/30/2010 2:56:48 PM - System Checkpoint
RP1312: 3/31/2010 3:26:48 PM - System Checkpoint
RP1313: 4/1/2010 4:13:08 PM - System Checkpoint
RP1314: 4/3/2010 11:47:32 AM - System Checkpoint
RP1315: 4/4/2010 11:42:13 AM - Removed Google SketchUp 6
RP1316: 4/4/2010 11:42:31 AM - Removed Google SketchUp 6
RP1317: 4/4/2010 11:44:05 AM - Removed MobileMe Control Panel
RP1318: 4/4/2010 11:45:17 AM - Removed Jasc Paint Shop Pro 8 Dell Edition
RP1319: 4/5/2010 1:09:18 PM - System Checkpoint
RP1320: 4/6/2010 5:49:55 PM - System Checkpoint
RP1321: 4/7/2010 6:25:27 PM - System Checkpoint
RP1322: 4/8/2010 7:53:39 PM - System Checkpoint
RP1323: 4/9/2010 8:18:04 PM - System Checkpoint
RP1324: 4/10/2010 9:05:46 PM - System Checkpoint
RP1325: 4/11/2010 9:42:20 PM - System Checkpoint
RP1326: 4/14/2010 2:00:46 PM - System Checkpoint
RP1327: 4/15/2010 2:56:25 PM - System Checkpoint
RP1328: 4/16/2010 3:11:39 PM - System Checkpoint
RP1329: 4/20/2010 3:10:10 PM - System Checkpoint
RP1330: 4/21/2010 3:37:28 PM - System Checkpoint
RP1331: 4/22/2010 4:07:42 PM - System Checkpoint
RP1332: 4/23/2010 5:07:43 PM - System Checkpoint
RP1333: 4/24/2010 5:25:01 PM - System Checkpoint
RP1334: 4/25/2010 7:32:06 PM - System Checkpoint
RP1335: 4/26/2010 8:01:21 PM - System Checkpoint
RP1336: 4/27/2010 8:34:20 PM - System Checkpoint
RP1337: 4/28/2010 9:22:29 PM - System Checkpoint
RP1338: 4/29/2010 9:40:19 PM - System Checkpoint
RP1339: 4/30/2010 9:46:45 PM - System Checkpoint
RP1340: 5/1/2010 10:27:11 PM - System Checkpoint
RP1341: 5/3/2010 2:17:53 PM - System Checkpoint
RP1342: 5/5/2010 2:16:53 PM - System Checkpoint
RP1343: 5/6/2010 8:13:56 PM - System Checkpoint
RP1344: 5/8/2010 1:09:29 PM - System Checkpoint
RP1345: 5/9/2010 2:10:46 PM - System Checkpoint

==== Installed Programs ======================

3ivx MPEG-4 5.0 Decoder (remove only)
Adobe Digital Editions
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Adobe Shockwave Player
Amazon MP3 Downloader 1.0.10
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft WebCam Companion 2
Banctec Service Agreement
Bonjour
Broadcom Management Programs
Choice Guard
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
DA920EN
Dell Digital Jukebox Driver
Dell Networking Guide
Dell Solution Center
DellSupport
Digital Line Detect
DVD Flick 1.3.0.7
Facebook Plug-In
Full Tilt Poker
Google SketchUp 6 Exporters
Google SketchUp LayOut 6
Google SketchUp Pro 6
Google SketchUp Viewer
Google Updater
Grokster ads support
Help and Support Customization
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Photo Imaging Software
HP Photo Printing Software
hp photosmart 1115 series
hp photosmart printer series (Remove only)
HP Share-to-Web
Indeo® software
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
Internet Explorer Q903235
iPod for Windows 2005-09-06
iPod for Windows 2006-06-28
iTunes
J2SE Runtime Environment 5.0 Update 11
Java Auto Updater
Java(TM) 6 Update 18
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LimeWire 5.4.6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft AntiSpyware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
NetWaiting
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Shockwave
Skype™ 4.1
Sonic DLA
Sonic RecordNow!
TablEdit 2.65
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
ZoneAlarm Security Suite
ZoneAlarm Toolbar

==== End Of File ===========================
 
Here's the DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Tanner at 15:10:35.04 on Sun 05/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.709 [GMT -7:00]

AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tanner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uCustomizeSearch =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [TOY5KNQ8OC] c:\docume~1\tanner\locals~1\temp\Elh.exe
uRun: [ROUA3O12PW] c:\windows\msa.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [gcasServ] "c:\program files\microsoft antispyware\gcasServ.exe"
mRun: [bpk] c:\windows\system32\bpk.exe
mRun: [realteks] "c:\documents and settings\tanner\application data\google\jaeio234556.exe" 2
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [cftmon] c:\windows\system32\ztqa.exe
mRun: [Nkurejulatiw] rundll32.exe "c:\windows\ucaxatesuxid.dll",Startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mExplorerRun: [RTHDBPL] c:\documents and settings\tanner\application data\systemproc\lsass.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127668836875
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8C410098-8BA7-4550-A0A4-6959C02FC935} - hxxp://karaoke.cokemusic.com//karClientIE.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://www.arcadetown.com/feedingfrenzy/SproutLauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} - hxxp://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
TCP: NameServer = 93.188.162.6,93.188.161.34
TCP: {3BEBBE86-E276-4A8F-B745-659506D39AF4} = 93.188.162.6,93.188.161.34
TCP: {C1B9238B-191E-4433-8B4D-00EEB3516AD4} = 93.188.162.6,93.188.161.34
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\0034.DLL
SSODL: LiveReg - {1FB7B9B9-05CC-A1D6-56BD-402D8F4C488F} - c:\program files\common files\symantec shared\livereg\IraVcLc3d.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
LSA: Notification Packages = scecli scecli scecli leurpr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tanner\applic~1\mozilla\firefox\profiles\4wwo6ktv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\tanner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\tanner\application data\mozilla\firefox\profiles\4wwo6ktv.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XULRunner: {9A9F732D-6415-4F61-8FDB-8BF29F0DC597} - c:\documents and settings\tanner\local settings\application data\{9A9F732D-6415-4F61-8FDB-8BF29F0DC597}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-11-7 128016]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-18 486280]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-5 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2001-10-25 18864]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]

=============== Created Last 30 ================

2010-05-08 18:46:51 0 d-sh--w- c:\documents and settings\tanner\IECompatCache
2010-05-01 21:31:42 0 d-----w- c:\program files\Amazon

==================== Find3M ====================

2010-05-09 22:01:49 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-25 00:06:55 9 -c--a-w- C:\confin.sys
2010-02-23 03:42:46 6863 ----a-w- c:\windows\system32\WORK.DAT
2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2002-08-29 10:00:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2004-11-30 00:08:20 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-11-16 02:37:52 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111520081116\index.dat

============= FINISH: 15:13:39.60 ===============
 
Welcome to TechSpot, Tanner. I'll help with the malware. I see multiple malware entries in the logs. Regarding Malwarebytes, run the following first, then try MBAM again:
  1. Please download randmbam.exe
  2. It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already.
  3. Once done, try running a scan again.
==========================================
As for GMER, I will only open a .txt or .log document- not one that's html transferred from Rapidshare. Please try the attachment again.
=====================================
When the above has been done, Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
===================================
Follow with Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please leave all logs in your next reply.

You also need to update your Java to v6u20 and uninstall the following versions:
Java(TM) 6 Update 18
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1

Each of these outdated versions presents a vulnerability to the system.
As for LimeWire, I will give you information on file sharing and suggest that you uninstall it. If you choose not to, please do not use it while I am helping clean the system.

Please do not run any other cleaning programs or scans unless I instruct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Ya, I could not include the malwarebytes log because when I click the link to download the program from the 8-step virus prelim removal, it states that the page cannot be displayed, thus not allowing me to download the file. Is there any other way I can download it? Off the top of my head, would it be possible for you to upload the installation file to rapidshare or some other sort of file hosting website for me to download it? Maybe that will work.

As for the GMER.log file, I will try to re-attach it later tonight.

Thanks again.
 
Hey there, sorry for the long wait, I was running all those scans.
OK. So I ran the malwarebytes anti malware program, it found a bunch of malware, and said it removed it. Next I ran the combofix, and then I just finished the Online Scan. All 3 logs are attached, along with the original Gmer.log that I couldn't attach last time.

In order, they are:
  • gmer.log
  • mbam.log
  • combofix log
  • online scan log

Let me know what you think.

Thanks!
 

Attachments

  • gmer.log.log
    133.5 KB · Views: 2
  • Mbam log.txt
    16.7 KB · Views: 4
  • ComboFix.txt
    16.7 KB · Views: 3
  • log.txt
    1.4 KB · Views: 1
Also, I updated my Java to Version 20 as told, and uninstalled the versions listed. I am also going to stop using Limewire, although I was using it legally, I fear it is a gateway for viruses and malware.

Thanks again.
 
You attached the same Combofix report twice instead of the Malwarebytes log. Could you go find the Mbam log please while I'm finishing the script- it should be in either of these places:

If you accidentally close it, the log file is saved here and will be named like this:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or
C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
 
=================================
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\viewpoint\common\ViewpointService.exe
c:\windows\system32\Drivers\PsSdk30.drv
c:\windows\Internet Logs\xDBB.tmp
c:\windows\Internet Logs\xDB9.tmp
c:\windows\Internet Logs\xDBA.tmp
c:\windows\system32\zllictbl.dat
c:\windows\Lqagiwitatuxofum.dat
c:\windows\Internet Logs\xDB8.tmp
C:\WINDOWS\leurpr.dll.vzr	
C:\WINDOWS\ucaxatesuxid.dll.vzr	

Folder::
c:\windows\Hpabijigokimakig.bin
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]

Driver::
Viewpoint Manager Service
PsSdk30

DDS::
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
uRun: [TOY5KNQ8OC] c:\docume~1\tanner\locals~1\temp\Elh.exe
uRun: [ROUA3O12PW] c:\windows\msa.exe
mRun: [bpk] c:\windows\system32\bpk.exe
mRun: [Nkurejulatiw] rundll32.exe "c:\windows\ucaxatesuxid.dll",Startup
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.162.6,93.188.161.34
TCP: {3BEBBE86-E276-4A8F-B745-659506D39AF4} = 93.188.162.6,93.188.161.34
TCP: {C1B9238B-191E-4433-8B4D-00EEB3516AD4} = 93.188.162.6,93.188.161.34
LSA: Notification Packages = scecli scecli scecli leurpr.dll

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

I can give you more information on file sharing and remove the LimeWire program and files if you'd like.
 
Oh, my mistake. Not sure how that happened, but I attached the mbam log.

So this code, I just copy and paste into a new notepad, save it as the CFScript.txt and then drag and drop onto the Combofix Icon?
Sounds easy enough. I will attach the log when finished.

Thanks.
 

Attachments

  • mbam-log-2010-05-10 (18-15-10).txt
    7.8 KB · Views: 5
Alright, I ran combofix again like you said. Here is the log:
 

Attachments

  • log cmbofix 5-10.txt
    16.5 KB · Views: 2
What was your decision about LimeWire? I can include it in the script with a few other removals if you want. Read over this information and make the decision:

P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning (link) to help you better understand these dangers.

How is the system running now?
There are just a few more files to remove after you tell me about LimeWire and after you run that script, if the problems have been resolved, I'll have you remove the cleaning tools and old restore points, then reset the Host files.
 
I think that I'm going to keep it on my system for now, but later I will probably take it off.

So any more steps? I am still getting the redirection with google, etc..
but system seems to be running quicker now.

Thanks again
 
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\Internet Logs\xDBC.tmp
c:\windows\system32\zllictbl.dat

Extra::
File::
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
Firefox::
Firefox:- Profile - c:\documents and settings\Tanner\Application Data\Mozilla\Firefox\Profiles\4wwo6ktv.default\

DirLook::
c:\windows\Hpabijigokimakig.bin
 
Folder::
Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Stay away from weather programs with Minibug
Stay away from PopCap games which load using the popcaploader
Stay away from the FunWebProducts site.
========================================
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
================================
I hope to find some NameServers in HJT to have you remove. If not, I'll have you do a DNS flush.
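As an added example, not part of this thread or of any of the tools it uses: a small Python triage script that flags the kinds of DDS entries the helper scripted for removal above (autostarts launched from temp or the bare Windows root, hard-coded DNS resolvers, extra LSA notification packages, EnableLUA=0). The sample lines are constructed from the DDS:: section of the posted CFScript; the trusted resolver list is an assumption the caller supplies.

```python
import re
from typing import FrozenSet, List, Tuple

# Constructed sample input: the DDS:: lines from the CFScript posted above, plus one
# legitimate mRun entry (ZoneAlarm) so the rules have something they must leave alone.
SAMPLE_DDS = r"""
uRun: [TOY5KNQ8OC] c:\docume~1\tanner\locals~1\temp\Elh.exe
uRun: [ROUA3O12PW] c:\windows\msa.exe
mRun: [bpk] c:\windows\system32\bpk.exe
mRun: [Nkurejulatiw] rundll32.exe "c:\windows\ucaxatesuxid.dll",Startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.162.6,93.188.161.34
TCP: {3BEBBE86-E276-4A8F-B745-659506D39AF4} = 93.188.162.6,93.188.161.34
LSA: Notification Packages = scecli scecli scecli leurpr.dll
"""

Finding = Tuple[str, str]  # (rule name, offending log line)

RUN_RE = re.compile(r"^[um]Run: \[[^\]]*\]\s*(.*)$", re.I)
TCP_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-F-]+\}) = (.*)$", re.I)
LSA_RE = re.compile(r"^LSA: Notification Packages = (.*)$", re.I)
LUA_RE = re.compile(r"^mPolicies-system: EnableLUA = 0\b", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Autostart locations a legitimate product almost never uses: the user's temp
# directory, or a bare .exe/.dll dropped straight into the Windows root.
TEMP_RE = re.compile(r"\\(?:temp|locals~1)\\", re.I)
WINROOT_RE = re.compile(r'(?:^|")c:\\windows\\[^\\"]+\.(?:exe|dll)\b', re.I)


def suspicious_autostart(command: str) -> bool:
    """True if a Run-key command launches from temp or the bare Windows root."""
    return bool(TEMP_RE.search(command) or WINROOT_RE.search(command))


def triage(text: str, trusted_dns: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Scan DDS-style lines and return (rule, line) pairs worth a second look.

    trusted_dns is an assumption supplied by the caller (e.g. the router or ISP
    resolvers); any hard-coded resolver outside it is reported.
    """
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            if suspicious_autostart(m.group(1)):
                findings.append(("suspicious-autostart", line))
            continue
        m = TCP_RE.match(line)
        if m:
            # Static resolvers in the registry override DHCP; rogue ones answer
            # every lookup, so every search click can land wherever they choose.
            if any(ip not in trusted_dns for ip in IP_RE.findall(m.group(1))):
                findings.append(("untrusted-nameserver", line))
            continue
        m = LSA_RE.match(line)
        if m:
            # Only scecli is expected here on XP; any other DLL in this list is
            # loaded by LSASS and receives password-change notifications.
            if any(pkg.lower() != "scecli" for pkg in m.group(1).split()):
                findings.append(("lsa-notification-package", line))
            continue
        if LUA_RE.match(line):
            # No legitimate effect on XP, but it was scripted for removal above.
            findings.append(("enablelua-zero-policy", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS, trusted_dns=frozenset({"192.168.1.1"})):
        print(f"{rule:26} {line}")
```

Running it over the sample reports seven lines; the ZoneAlarm entry and the system32 path are left alone because neither rule matches them.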
 
Ok I ran both combofix and hijackthis, the combofix log is attached and the hijackthis is posted below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:04:25 PM, on 5/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127668836875
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8C410098-8BA7-4550-A0A4-6959C02FC935} (karCntrlIE Class) - http://karaoke.cokemusic.com//karClientIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/feedingfrenzy/SproutLauncher.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10236 bytes
 

Attachments

  • cmbofix log 5-13.txt
    15.4 KB · Views: 2
There is a zipped file that I can't identify or open. The dates in Combofix are 2010-02-23 03:46 and 2010-03-24 19:38
c:\windows\Hpabijigokimakig.bin

There are no other files for 2/23, but there are 2 for 3/24:
Application Data for ESTsoft : http://www.altools.com/
ESTsoft Corp. is a software development company located in South Korea- Does this sound familiar?
==========================================
Try this to see if there is any more information:
To access: Use Windows Explorer: Windows Key + E:
1. Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.


2. Search for Files:
  • Double click on Local Drive (C)
  • Click on Windows
  • Click on c:\windows\Hpabijigokimakig.bin
  • Extract file> Do NOT open
  • Right click on extracted file> Properties
  • Do you see anything in Properties that you recognize? Do you see a file extension?
  • Is this a zipped folder or file that you created?
  • Close explorer

3. Reset Hidden/System Files & Folders

Let me know.
 
It says it's a .bin file, I don't recognize it, and the name sounds really weird. It says it has a size of 0 bytes? And it's not a zipped file or extractable. Definitely did not create it.

And step 3, do you mean click the box that says "reset all folders?"
 
Okay, let's move that file:
For the Custom CFScript:
Set up and run the CFFix just like in my Reply #10 and #15. But the only thing you will have in the Code box is below:
Code:
KillAll::
File::
Folder::
c:\windows\Hpabijigokimakig.bin
Finish with the drag and drop, same as #10 and 15

Leave the log it will create. If it has been moved and the original malware problems have resolved, I'll have you remove the cleaning tools and old restore points.

And step 3, do you mean click the box that says "reset all folders?"

I mean do this:


  • Go to Tools > Folder Options.
  • Select the View tab.
  • Recheck "Don't show hidden files and folders."
  • Recheck Hide extensions of known file types.
  • Recheck Hide protected operating system files (Recommended).
  • Click > Apply > OK.
 
Ok, I ran the cmbofix with the log you provided. It's attached.
 

Attachments

  • cmbofix log 5-16.txt
    15.1 KB · Views: 2
Well, even beating the file over the head didn't remove it! Try renaming it> just add old to the end of the folder name. Then try the right click> Delete.

c:\windows\Hpabijigokimakig.binold
 
Please describe the redirecting:

1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
2. Does a different site load?
3. Does any site load?
4. Are the sites the same/different?
5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?
6. Does it happen on all searches?
7. Does it happen with multiple browsers?
 
1. It doesn't happen always, but almost always. About 3/4 times it happens. I type in any search in google or bing or anything, even other sites that have a link, and my browser goes white like it's loading, only it's being redirected to a different site.
2. So yes, a new site loads
3. No, not just any sites load, I think there are 2 or 3 different ones
4. They are different sites, but look similar in their layout.
5. I am sure it's not any google affiliated site or page saying DNS server, it is an actual site, like you know if you type in a website's name in the url bar but misspell it by a letter, you get a website you didn't want that has just crap on it? It's like that.
6. It happens on almost every search
7. And it happens on every browser. Like I've been using firefox since it came out, and that's where it originated, and now I'm on internet explorer and it's doing the same thing.

I will search a lot and take some screen shots and attach them as jpegs so you can see for yourself.

Also, I've found that bookmarks NEVER do the redirection. It's only search links, if that means anything.
 
OK, here's what I found. I searched until I came across every redirect site. I took a screen shot and pasted in paint, then saved. (Hope you are allowed to open jpegs..)

This will give you a look at the websites.

redirect 1.jpeg is the first site
redirect 2.jpeg is what happens when I click a link, before it becomes redirected.
redirect 3.jpeg is a redirected site
redirect 4.jpeg is a redirected site.

And I also attached a notepad file, I hope it will help you, I copied the url bar while it was loading, becoming redirected. You may find something in the url that will help you. There are 2 urls.

Let me know what you think/find.

Thanks.
 

Attachments

  • redirect site 1.JPG
    119.7 KB · Views: 5
  • redirect 2.JPG
    65.4 KB · Views: 2
  • redirect 3.JPG
    138.6 KB · Views: 2
  • redirect 4.JPG
    128.5 KB · Views: 2
  • redirect results.txt
    518 bytes · Views: 2