Another coolWWWSEARCH thread - help!

chrisfromhell
2010-10-12, 13:41
Hi All

First time here. I think I got the posting procedure right so here goes.

I found myself being redirected to obvious malware sites, so I ran a Spybot check. Sure enough, it discovered "coolwwwsearch.olehelp". After fixing it I found the same problems, so I did a little online research and tried using CWShredder. Not only did that detect the entry above, but it also found "coolwwwsearch.alfasearch". I "fixed" that using CWShredder and rebooted, only to continue to find the problem.

I've had a search through the forums for an answer but have had no luck. I keep getting redirected and it's affecting my PC's performance.

If anyone can help me get rid of this pain in the butt it would be greatly appreciated.

Below are logs.


DDS (Ver_10-10-10.03) - NTFSx86
Run by Chrisfromhell at 19:40:32.82 on Tue 26/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2604 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\Windows\shell.exe
"C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\svchost.exe"
C:\DOCUME~1\CHRISF~1\LOCALS~1\Temp\dwm.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\SOUNDMAN.EXE
svchost.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Chrisfromhell\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = "hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Shell=explorer.exe c:\windows\system32\ntdevice.exe
uWinlogon: Shell=explorer.exe,c:\documents and settings\chrisfromhell\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\chrisf~1\locals~1\temp\dwm.exe
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [SoundMan] SOUNDMAN.EXE
StartupFolder: c:\docume~1\chrisf~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrisf~1\applic~1\mozilla\firefox\profiles\vxwogjq7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\chrisfromhell\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\pace anti-piracy\ilok\NPPaceILok.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido anti-malware\guard.sys [2004-11-22 3072]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2008-11-21 464264]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-10 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-10 242808]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2010-2-11 16400]
R2 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
R2 ewido security suite guard;ewido security suite guard;c:\program files\ewido anti-malware\ewidoguard.exe [2005-12-19 151616]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-11-21 80392]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-7-7 1267024]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-2-10 33792]
R3 iLokDrvr;Usb Driver;c:\windows\system32\drivers\iLokDrvr.sys [2009-12-23 54328]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101007.002\naveng.sys [2010-10-22 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101007.002\navex15.sys [2010-10-22 1371184]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-10 87160]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2010-2-11 85008]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys --> c:\windows\system32\drivers\MBX2DFU.sys [?]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys --> c:\windows\system32\drivers\mbx2midk.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-4-24 137344]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-7-7 173392]
S3 ZOOM_R16MTR;ZOOM R16 Audio Interface;c:\windows\system32\drivers\zmr16usbaudio.sys --> c:\windows\system32\drivers\zmr16usbaudio.sys [?]

=============== Created Last 30 ================

2010-10-26 09:46:18 -------- d-----w- c:\program files\ewido anti-malware
2010-10-26 09:03:28 160256 ----a-w- c:\docume~1\chrisf~1\applic~1\microsoft\svchost.exe
2010-10-26 02:25:34 388096 ----a-r- c:\docume~1\chrisf~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-26 02:25:33 -------- d-----w- c:\program files\Trend Micro
2010-10-25 05:35:10 -------- d-----w- c:\program files\PS3 Media Server
2010-10-23 09:26:04 205312 ----a-w- c:\docume~1\chrisf~1\applic~1\microsoft\windows\shell.exe

==================== Find3M ====================

2010-10-26 10:58:31 16608 ----a-w- c:\windows\gdrv.sys
2010-10-25 12:22:12 234280 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-10-25 12:22:12 234280 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-10-22 11:27:33 112 ----a-w- c:\windows\system32\msvcsv60.dll
2010-08-04 01:59:10 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-08-04 01:59:00 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-08-04 01:57:40 4358144 ----a-w- c:\windows\system32\aticaldd.dll
2010-08-04 01:53:22 15900672 ----a-w- c:\windows\system32\atioglxx.dll
2010-08-04 01:47:50 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-08-04 01:47:00 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-08-04 01:46:04 300544 ----a-w- c:\windows\system32\ati2dvag.dll
2010-08-04 01:41:40 3901280 ----a-w- c:\windows\system32\ati3duag.dll
2010-08-04 01:31:16 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-08-04 01:31:04 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-08-04 01:30:56 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-08-04 01:30:50 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-08-04 01:30:38 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-08-04 01:29:26 606208 ----a-w- c:\windows\system32\ati2evxx.exe
2010-08-04 01:28:12 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-08-04 01:28:06 2537728 ----a-w- c:\windows\system32\ativvaxx.dll
2010-08-04 01:27:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-08-04 01:24:04 610304 ----a-w- c:\windows\system32\atikvmag.dll
2010-08-04 01:23:52 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-08-04 01:22:28 188416 ----a-w- c:\windows\system32\atiadlxx.dll
2010-08-04 01:22:08 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-08-04 01:16:50 700416 ----a-w- c:\windows\system32\ati2cqag.dll
2010-08-04 01:15:20 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-08-04 01:15:20 65024 ----a-w- c:\windows\system32\amdpcom32.dll

============= FINISH: 19:40:50.45 ===============
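The DDS output above carries the classic signs of this infection: two executables launched from the user's Application Data and Temp folders (one of them named svchost.exe), Winlogon Shell values that append a second binary after explorer.exe, a Windows Load value, and both IE and Firefox pointed at a proxy on 127.0.0.1:50370, which is what produces the redirects. As an added example, not part of the original post or of the DDS tool, here is a small triage script that flags exactly those patterns in DDS-style lines (the same checks apply to the Supplementary Scan section of a ComboFix log); the sample lines are constructed from the log above and the category names are my own.

```python
"""Triage checks for the 'Running Processes' and 'Pseudo HJT Report'
sections of a DDS log. Added example; not DDS, forum or helper code."""
import re
from collections import Counter

# Constructed sample in the shape of the DDS log in this thread.
SAMPLE_DDS = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\Windows\shell.exe
"C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\svchost.exe"
C:\DOCUME~1\CHRISF~1\LOCALS~1\Temp\dwm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
uInternet Settings,ProxyServer = http=127.0.0.1:50370
mWinlogon: Shell=explorer.exe c:\windows\system32\ntdevice.exe
uWinlogon: Shell=explorer.exe,c:\documents and settings\chrisfromhell\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\chrisf~1\locals~1\temp\dwm.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
"""

# Path fragments (lower-case) that mark user-writable profile/temp locations,
# including the 8.3 short forms DDS prints.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\",
                 "\\docume~1\\", "\\locals~1\\")
# Binary names that belong in system32; a copy elsewhere is name spoofing.
SYSTEM_NAMES = {"svchost.exe", "dwm.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
LOCAL_HOSTS = ("127.0.0.1", "localhost")

# A process line: optional quotes, drive letter path, optional "-k group" args.
PROC_RE = re.compile(r'^"?([a-z]:\\[^"]*?)"?(?:\s+-\S.*)?$', re.I)
WINLOGON_RE = re.compile(r"^[um]Winlogon: Shell=(.+)$", re.I)
LOAD_RE = re.compile(r"^[um]Windows: Load=(.+)$", re.I)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$", re.I)
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.http - (.+)$", re.I)


def check_process(path):
    """Return the category names that apply to one running-process path."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    hits = []
    if any(frag in low for frag in USER_WRITABLE):
        hits.append("user-writable-exe")
    if name in SYSTEM_NAMES and "\\system32\\" not in low:
        hits.append("system-name-spoof")
    return hits


def triage(text):
    """Scan DDS-style lines; return a list of (category, line) findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            # Shell must be exactly explorer.exe; anything appended is a hijack.
            if m.group(1).strip().lower() != "explorer.exe":
                findings.append(("winlogon-shell-hijack", line))
            continue
        if LOAD_RE.match(line):
            # The legacy Load value is normally empty; any program here autostarts.
            findings.append(("windows-load-autostart", line))
            continue
        m = PROXY_RE.match(line) or FF_PROXY_RE.match(line)
        if m:
            # A proxy on the local host means something on the box is
            # intercepting browser traffic (the source of the redirects).
            if any(h in m.group(1).lower() for h in LOCAL_HOSTS):
                findings.append(("localhost-proxy", line))
            continue
        m = PROC_RE.match(line)
        if m:
            for category in check_process(m.group(1)):
                findings.append((category, line))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(category for category, _ in findings))


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS):
        print(f"[{category}] {line}")
    print(summarize(triage(SAMPLE_DDS)))
```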

peku006
2010-10-14, 19:04
Hi chrisfromhell

Download and Run Malwarebytes' Anti-Malware

Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop. If needed, there is a tutorial with screenshots (http://thespykiller.co.uk/index.php/topic,5946.0.html).
Alternate download sites available here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or here (http://www.besttechie.net/tools/mbam-setup.exe).
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
Problems downloading the updates? Manually download them from here (http://malwarebytes.gt500.org/mbam-rules.exe) and double-click on "mbam-rules.exe" to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please reply with

Malwarebytes' Anti-Malware Log

Thanks peku006

chrisfromhell
2010-10-16, 01:24
Hi Peku,

Thank you for your reply, your time and for offering your assistance. It is greatly appreciated. OK, so I have completed the steps above and it looks like Malwarebytes found a lot of stuff none of the programs even detected!

As requested the log is below.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4830

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

30/10/2010 7:15:11 AM
mbam-log-2010-10-30 (07-15-11).txt

Scan type: Full scan (C:\|H:\|)
Objects scanned: 519658
Time elapsed: 2 hour(s), 27 minute(s), 35 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.
C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\svchost.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\adver_id (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Chrisfromhell\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe C:\WINDOWS\system32\ntdevice.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

peku006
2010-10-16, 09:11
Hi chrisfromhell

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help disabling your protection programs, see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks peku006

chrisfromhell
2010-10-16, 12:59
Done and done. Below is the new log.

ComboFix 10-10-15.03 - Chrisfromhell 30/10/2010 18:06:36.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2923 [GMT 8:00]
Running from: c:\documents and settings\Chrisfromhell\My Documents\Downloads\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chrisfromhell\Application Data\download2
c:\documents and settings\Chrisfromhell\Application Data\Microsoft\stor.cfg
c:\documents and settings\Chrisfromhell\Local Settings\Temporary Internet Files\firmware.inf
c:\documents and settings\Chrisfromhell\Local Settings\Temporary Internet Files\h-fr.wmv
c:\documents and settings\Chrisfromhell\Local Settings\Temporary Internet Files\ip3picfile.temp
c:\documents and settings\Chrisfromhell\Local Settings\Temporary Internet Files\ip3Wmapic.temp
c:\windows\system32\msvcsv60.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-30 )))))))))))))))))))))))))))))))
.

2010-10-29 10:09 . 2010-10-29 10:09 -------- d-----w- c:\documents and settings\Chrisfromhell\Application Data\Malwarebytes
2010-10-29 10:09 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-29 10:08 . 2010-10-29 10:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-29 10:08 . 2010-10-29 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-29 10:08 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-27 06:13 . 2010-10-27 06:13 -------- d-----w- c:\documents and settings\Chrisfromhell\Application Data\Safer Networking
2010-10-27 06:12 . 2010-10-30 09:51 -------- d-----w- c:\program files\Safer Networking
2010-10-26 12:34 . 2010-10-26 12:34 2256 ----a-w- c:\documents and settings\Chrisfromhell\Application Data\hyghghjhjghjhj.bat
2010-10-26 02:25 . 2010-10-26 02:25 388096 ----a-r- c:\documents and settings\Chrisfromhell\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-26 02:25 . 2010-10-26 02:25 -------- d-----w- c:\program files\Trend Micro
2010-10-25 05:35 . 2010-10-25 05:35 -------- d-----w- c:\program files\PS3 Media Server
2010-10-25 03:12 . 2010-10-25 03:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-12 18:07 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-12 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-12 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=Digi32.dll
"MIDI"=diomidi.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-11 22:08 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-13 23:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
2009-12-14 10:40 77824 ----a-w- c:\program files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-06-24 23:47 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 06:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2008-10-31 04:17 54576 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 02:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 07:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-06-27 03:23 16875008 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2007-06-24 23:47 1629480 ----a-w- c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"NokiaOviSuite2"=c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"fqkmdjwe"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\gtisugrmp\avomssqtssd.exe
"uifdxkhd"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GEST"=m‘|\ü
"H2O"=c:\program files\SyncroSoft\Pos\H2O\cledx.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"AlcWzrd"=ALCWZRD.EXE
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"DigidesignMMERefresh"=c:\program files\Digidesign\Drivers\MMERefresh.exe
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe"
"fqkmdjwe"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\gtisugrmp\avomssqtssd.exe
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"
"uifdxkhd"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe
"svchost"=c:\documents and settings\Chrisfromhell\Application Data\Microsoft\svchost.exe
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"download"="c:\documents and settings\Chrisfromhell\Application Data\download2\svcnost.exe"
"SoundMan"=SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\chris_cfh\\counter-strike source\\hl2.exe"=
"c:\\DoW2\\DOW2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steamapps\\chris_cfh\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [21/11/2008 7:15 PM 464264]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [11/02/2010 12:12 AM 16400]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [21/11/2008 6:37 PM 80392]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [10/02/2009 5:42 PM 33792]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [11/02/2010 12:12 AM 85008]
S3 iLokDrvr;Usb Driver;c:\windows\system32\drivers\iLokDrvr.sys [23/12/2009 11:36 AM 54328]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys --> c:\windows\system32\DRIVERS\MBX2DFU.sys [?]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys --> c:\windows\system32\drivers\mbx2midk.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [24/04/2010 5:53 PM 137344]
S3 ZOOM_R16MTR;ZOOM R16 Audio Interface;c:\windows\system32\Drivers\zmr16usbaudio.sys --> c:\windows\system32\Drivers\zmr16usbaudio.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [23/11/2008 4:41 PM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 08:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\Vuze.job
- c:\progra~1\Vuze\Azureus.exe [2008-11-21 13:53]
.
.
------- Supplementary Scan -------
.
uStart Page = "hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chrisfromhell\Application Data\Mozilla\Firefox\Profiles\vxwogjq7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Chrisfromhell\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\PACE Anti-Piracy\iLok\NPPaceILok.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Load - c:\docume~1\CHRISF~1\LOCALS~1\Temp\dwm.exe
MSConfigStartUp-NokiaMusic FastStart - c:\program files\Nokia\Nokia Music\NokiaMusic.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-svchost - c:\documents and settings\Chrisfromhell\Application Data\Microsoft\svchost.exe
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\\vptray.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1844237615-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:45,4d,3c,4a,40,2b,bb,a6,da,b3,c6,49,68,27,c3,36,67,1e,e6,fa,9e,
c5,02,ec,f1,29,66,d7,b8,ac,91,53,f4,ba,70,c8,aa,aa,52,fa,9b,2c,95,71,ce,24,\
"rkeysecu"=hex:ec,aa,4d,bc,97,00,87,a0,75,06,d2,e4,81,9d,23,f2
.
Completion time: 2010-10-30 18:12:10
ComboFix-quarantined-files.txt 2010-10-30 10:12

Pre-Run: 36,992,741,376 bytes free
Post-Run: 37,390,045,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - DD244F1791F85CF404504E02DB99285E

peku006
2010-10-16, 14:05
Hi chrisfromhell

Run CFScript

Open Notepad and copy/paste the text in the box into the window:


File::
c:\documents and settings\Chrisfromhell\Application Data\hyghghjhjghjhj.bat
c:\documents and settings\Chrisfromhell\Local Settings\Application Data\gtisugrmp\avomssqtssd.exe
c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"fqkmdjwe"=-
"uifdxkhd"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"fqkmdjwe"=-
"uifdxkhd"=-"




Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Thanks peku006

chrisfromhell
2010-10-17, 05:50
Hi Peku

Here is the latest log

ComboFix 10-10-16.03 - Chrisfromhell 17/10/2010 10:48:00.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2935 [GMT 8:00]
Running from: c:\documents and settings\Chrisfromhell\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Chrisfromhell\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\documents and settings\Chrisfromhell\Application Data\hyghghjhjghjhj.bat"
"c:\documents and settings\Chrisfromhell\Local Settings\Application Data\gtisugrmp\avomssqtssd.exe"
"c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chrisfromhell\Application Data\hyghghjhjghjhj.bat
c:\windows\system32\msvcsv60.dll

.
((((((((((((((((((((((((( Files Created from 2010-09-17 to 2010-10-17 )))))))))))))))))))))))))))))))
.

2010-10-30 11:24 . 2004-03-04 15:46 83168 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-30 11:24 . 2004-03-04 15:46 82832 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-29 10:09 . 2010-10-29 10:09 -------- d-----w- c:\documents and settings\Chrisfromhell\Application Data\Malwarebytes
2010-10-29 10:09 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-29 10:08 . 2010-10-29 10:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-29 10:08 . 2010-10-29 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-29 10:08 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-27 06:13 . 2010-10-27 06:13 -------- d-----w- c:\documents and settings\Chrisfromhell\Application Data\Safer Networking
2010-10-27 06:12 . 2010-10-30 09:51 -------- d-----w- c:\program files\Safer Networking
2010-10-26 02:25 . 2010-10-26 02:25 388096 ----a-r- c:\documents and settings\Chrisfromhell\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-26 02:25 . 2010-10-26 02:25 -------- d-----w- c:\program files\Trend Micro
2010-10-25 05:35 . 2010-10-25 05:35 -------- d-----w- c:\program files\PS3 Media Server
2010-10-25 03:12 . 2010-10-25 03:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-10-30_10.11.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-31 02:30 . 2010-10-31 02:30 16384 c:\windows\Temp\Perflib_Perfdata_274.dat
+ 2010-10-31 02:30 . 2010-10-31 02:30 16384 c:\windows\Temp\Perflib_Perfdata_248.dat
+ 2003-12-17 01:11 . 2003-12-17 01:11 65590 c:\windows\system32\pds.dll
+ 2003-12-17 01:11 . 2003-12-17 01:11 77875 c:\windows\system32\nts.dll
+ 2004-07-07 11:29 . 2004-07-07 11:29 83272 c:\windows\system32\NavLogon.dll
+ 2002-01-04 19:38 . 2002-01-04 19:38 54784 c:\windows\system32\msvci70.dll
+ 2003-12-17 01:11 . 2003-12-17 01:11 41017 c:\windows\system32\msgsys.dll
+ 1998-03-04 03:47 . 1998-03-04 03:47 77824 c:\windows\system32\loc32vc0.dll
+ 2004-06-11 10:28 . 2004-06-11 10:28 16280 c:\windows\system32\drivers\symredrv.sys
+ 2004-06-11 10:28 . 2004-06-11 10:28 51544 c:\windows\system32\drivers\symndis.sys
+ 2004-06-11 10:28 . 2004-06-11 10:28 46520 c:\windows\system32\drivers\symids.sys
+ 2004-06-11 10:28 . 2004-06-11 10:28 11000 c:\windows\system32\drivers\symdns.sys
+ 2003-12-17 01:11 . 2003-12-17 01:11 28723 c:\windows\system32\cba.dll
+ 2002-01-04 18:18 . 2002-01-04 18:18 84992 c:\windows\system32\atl70.dll
+ 2010-10-30 11:24 . 2010-10-30 11:24 40960 c:\windows\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-11-21 10:36 . 2010-10-31 02:30 16608 c:\windows\gdrv.sys
- 2008-11-21 10:36 . 2010-10-30 09:56 16608 c:\windows\gdrv.sys
+ 2004-06-11 10:28 . 2004-06-11 10:28 115928 c:\windows\system32\SymRedir.dll
+ 2004-06-11 10:28 . 2004-06-11 10:28 509144 c:\windows\system32\SymNeti.dll
+ 2002-01-04 19:37 . 2002-01-04 19:37 344064 c:\windows\system32\msvcr70.dll
+ 2002-01-04 19:40 . 2002-01-04 19:40 487424 c:\windows\system32\msvcp70.dll
+ 2004-06-11 10:28 . 2004-06-11 10:28 263736 c:\windows\system32\drivers\symtdi.sys
+ 2004-06-11 10:28 . 2004-06-11 10:28 170200 c:\windows\system32\drivers\SymIDSCo.sys
+ 2004-06-11 10:28 . 2004-06-11 10:28 166136 c:\windows\system32\drivers\symfw.sys
+ 2010-10-30 11:24 . 2010-10-30 11:24 4835840 c:\windows\Installer\510c8e.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-12 18:07 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-12 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-12 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-07-07 124232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=Digi32.dll
"MIDI"=diomidi.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-11 22:08 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-13 23:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
2009-12-14 10:40 77824 ----a-w- c:\program files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-06-24 23:47 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 06:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2008-10-31 04:17 54576 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 02:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 07:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-06-27 03:23 16875008 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
2007-06-24 23:47 1629480 ----a-w- c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"NokiaOviSuite2"=c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GEST"=m‘|\ü
"H2O"=c:\program files\SyncroSoft\Pos\H2O\cledx.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"AlcWzrd"=ALCWZRD.EXE
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"DigidesignMMERefresh"=c:\program files\Digidesign\Drivers\MMERefresh.exe
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe"
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"
"uifdxkhd"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe
"svchost"=c:\documents and settings\Chrisfromhell\Application Data\Microsoft\svchost.exe
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"download"="c:\documents and settings\Chrisfromhell\Application Data\download2\svcnost.exe"
"SoundMan"=SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\chris_cfh\\counter-strike source\\hl2.exe"=
"c:\\DoW2\\DOW2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steamapps\\chris_cfh\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [21/11/2008 7:15 PM 464264]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [11/02/2010 12:12 AM 16400]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [21/11/2008 6:37 PM 80392]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [10/02/2009 5:42 PM 33792]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [11/02/2010 12:12 AM 85008]
R3 iLokDrvr;Usb Driver;c:\windows\system32\drivers\iLokDrvr.sys [23/12/2009 11:36 AM 54328]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys --> c:\windows\system32\DRIVERS\MBX2DFU.sys [?]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys --> c:\windows\system32\drivers\mbx2midk.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [24/04/2010 5:53 PM 137344]
S3 ZOOM_R16MTR;ZOOM R16 Audio Interface;c:\windows\system32\Drivers\zmr16usbaudio.sys --> c:\windows\system32\Drivers\zmr16usbaudio.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [23/11/2008 4:41 PM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 08:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\Vuze.job
- c:\progra~1\Vuze\Azureus.exe [2008-11-21 13:53]
.
.
------- Supplementary Scan -------
.
uStart Page = "hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chrisfromhell\Application Data\Mozilla\Firefox\Profiles\vxwogjq7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Chrisfromhell\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\PACE Anti-Piracy\iLok\NPPaceILok.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1844237615-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:45,4d,3c,4a,40,2b,bb,a6,da,b3,c6,49,68,27,c3,36,67,1e,e6,fa,9e,
c5,02,ec,f1,29,66,d7,b8,ac,91,53,f4,ba,70,c8,aa,aa,52,fa,9b,2c,95,71,ce,24,\
"rkeysecu"=hex:ec,aa,4d,bc,97,00,87,a0,75,06,d2,e4,81,9d,23,f2
.
Completion time: 2010-10-17 10:55:12
ComboFix-quarantined-files.txt 2010-10-17 02:55
ComboFix2.txt 2010-10-30 10:12

Pre-Run: 36,565,831,680 bytes free
Post-Run: 36,547,354,624 bytes free

- - End Of File - - 6D131CC55366C4176B37B9E1B29E9065

peku006
2010-10-17, 08:36
Hi chrisfromhell


Please download Rootkit Unhooker (http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE) and save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here. Post also fresh dds logs.

Note** You may get this warning; it is OK, just ignore it:

Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?

Thanks peku006

chrisfromhell
2010-10-17, 15:53
Hi Peku

Below and attached are the logs as requested. I am no longer getting re-directed and performance has improved.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0xB8DB5000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 5582848 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xAC634000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4915200 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0xBF216000 C:\WINDOWS\System32\ati3duag.dll 3903488 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF9C4000 C:\WINDOWS\System32\ativvaxx.dll 2539520 bytes (Advanced Micro Devices, Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2142208 bytes
0x804D7000 RAW 2142208 bytes
0x804D7000 WMIxWDM 2142208 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB8C51000 C:\WINDOWS\system32\drivers\dalwdm.sys 823296 bytes (Avid, Inc. All rights reserved., 32-bit Abstraction Layer Driver)
0xBF060000 C:\WINDOWS\System32\ati2cqag.dll 700416 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF10B000 C:\WINDOWS\System32\atikvmag.dll 679936 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xAC4F1000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040213.016\navex15.sys 593920 bytes (Symantec Corporation, AV Engine)
0xB9E04000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAC1BE000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0xAC262000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBF1B1000 C:\WINDOWS\System32\atiok3x2.dll 413696 bytes (Advanced Micro Devices, Inc., Ring 0 x2 component)
0xAC449000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB8B8B000 C:\WINDOWS\system32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)
0xA904D000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xAC595000 C:\Program Files\Symantec AntiVirus\savrt.sys 323584 bytes (Symantec Corporation, AutoProtect)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 319488 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA8A01000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xAC409000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 262144 bytes (Symantec Corporation, Network Dispatch Driver)
0xB8BE4000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA91C8000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9DD7000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA596E000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAC2D2000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAC31F000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB8D7C000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA5BCC000 C:\WINDOWS\system32\drivers\PnkBstrK.sys 147456 bytes
0xB8D58000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB8D35000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAC2FD000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xAC3E7000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 139264 bytes (Microsoft Corporation, IP Network Address Translator)
0xACAE4000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x806E2000 ACPI_HAL 134400 bytes
0x806E2000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EEB000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9EBB000 TPkd.sys 122880 bytes (PACE Anti-Piracy, Inc., InterLok system file)
0xAC4B5000 C:\WINDOWS\system32\drivers\InCDFs.sys 114688 bytes (Nero AG, InCD File System Driver)
0xACB06000 C:\WINDOWS\system32\drivers\AtiHdmi.sys 110592 bytes (ATI Research Inc., Ati High Definition Audio Function Driver)
0xB8D1A000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 110592 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xB9DBD000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAC1A6000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EA4000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8C26000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA8CF0000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB8C3D000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB8DA1000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAC4A2000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xAC582000 C:\Program Files\Symantec\SYMEVENT.SYS 77824 bytes (Symantec Corporation, Symantec Event Librar

DDS (Ver_10-10-10.03) - NTFSx86
Run by Chrisfromhell at 21:51:36.84 on Sun 17/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2885 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chrisfromhell\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = "hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
StartupFolder: c:\docume~1\chrisf~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrisf~1\applic~1\mozilla\firefox\profiles\vxwogjq7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\chrisfromhell\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\pace anti-piracy\ilok\NPPaceILok.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2008-11-21 464264]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2010-2-11 16400]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-11-21 80392]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-7-7 1267024]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-2-10 33792]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2010-2-11 85008]

peku006
2010-10-17, 16:19
Hi chrisfromhell

I am no longer getting re-directed and performance has improved.
I like good news :D:

TFC (Temp File Cleaner)


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs, so let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

Thanks peku006

chrisfromhell
2010-10-19, 01:02
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, October 19, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, October 18, 2010 10:50:23
Records in database: 4182975
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 229048
Threats found: 6
Infected objects found: 12
Suspicious objects found: 0
Scan duration: 04:41:29


File name / Threat / Threats count
C:\Documents and Settings\Chrisfromhell\My Documents\VST Plugins\QuikQuak.Fusion.Field.v1.00.VST.incl.KeyGen.WIN-NEMESiS\n-ff100w.zip Infected: not-a-virus:AdWare.Win32.AdMedia.dh 1
C:\Documents and Settings\Chrisfromhell\My Documents\VST Plugins\Rob.Papen.LinPlug.Albino.VSTi.v3.0.2.incl.KeyGen-BEAT.zip Infected: Trojan.Win32.Swizzor.xfb 1
C:\System Volume Information\_restore{6F6D0D31-9CC3-4A09-9244-0B13462F9B1E}\RP451\A0065948.exe Infected: Trojan.Win32.FakeAv.iqd 1
C:\System Volume Information\_restore{6F6D0D31-9CC3-4A09-9244-0B13462F9B1E}\RP451\A0065949.exe Infected: Trojan.Win32.FakeAv.iqd 1
C:\System Volume Information\_restore{6F6D0D31-9CC3-4A09-9244-0B13462F9B1E}\RP451\A0065950.exe Infected: Trojan.Win32.FakeAv.iqd 1
C:\System Volume Information\_restore{6F6D0D31-9CC3-4A09-9244-0B13462F9B1E}\RP452\A0066219.exe Infected: Trojan.Win32.Swisyn.aolj 1
C:\System Volume Information\_restore{6F6D0D31-9CC3-4A09-9244-0B13462F9B1E}\RP452\A0068261.exe Infected: Trojan.Win32.Swisyn.aolj 1
C:\System Volume Information\_restore{6F6D0D31-9CC3-4A09-9244-0B13462F9B1E}\RP452\A0068282.exe Infected: Trojan.Win32.Swisyn.aomi 1
C:\System Volume Information\_restore{6F6D0D31-9CC3-4A09-9244-0B13462F9B1E}\RP453\A0068344.exe Infected: Packed.Win32.Krap.hc 1
C:\System Volume Information\_restore{6F6D0D31-9CC3-4A09-9244-0B13462F9B1E}\RP453\A0068345.exe Infected: Packed.Win32.Krap.hc 1
C:\System Volume Information\_restore{6F6D0D31-9CC3-4A09-9244-0B13462F9B1E}\RP453\A0068366.exe Infected: Packed.Win32.Krap.hc 1
C:\System Volume Information\_restore{6F6D0D31-9CC3-4A09-9244-0B13462F9B1E}\RP453\A0068368.exe Infected: Packed.Win32.Krap.hc 1

Selected area has been scanned.

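The report above has a fixed line layout, and the helper's next step depends on which finding sits where: hits under System Volume Information\_restore{...} are restore-point copies that go away when System Restore is reset, while everything else is a live file the user must remove. The following script, an added example written for this page and not part of the thread or of any Kaspersky tool, parses a Kaspersky Online Scanner 7 report into that split and cross-checks the detail lines against the summary counts. The report text it runs on is constructed for the example, with made-up threat names and paths.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One detection per line in the "File name / Threat / Threats count" section:
#   <path> Infected: <threat name> <count>
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)
# XP keeps copies of changed executables inside restore points; these are not
# live files and are flushed by turning System Restore off and on again.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\", re.IGNORECASE
)
STAT_RE = re.compile(
    r"^(?P<key>Objects scanned|Threats found|Infected objects found|Suspicious objects found):\s+(?P<value>\d+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_POINT_RE.search(self.path) is not None

    @property
    def kind(self) -> str:
        # Kaspersky labels adware/riskware with a "not-a-virus:" prefix; the rest is malware.
        return "riskware" if self.threat.startswith("not-a-virus:") else "malware"


def parse_report(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (scan statistics, detections) parsed from the report text."""
    stats: Dict[str, int] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(
                Detection(m.group("path"), m.group("threat"), int(m.group("count")))
            )
    return stats, detections


def triage(stats: Dict[str, int], detections: List[Detection]) -> Dict[str, object]:
    """Split findings into files to delete by hand and restore-point copies."""
    live = [d for d in detections if not d.in_restore_point]
    shadow = [d for d in detections if d.in_restore_point]
    reported = stats.get("Infected objects found")
    return {
        "delete_now": [d.path for d in live],
        "live_malware": [d.path for d in live if d.kind == "malware"],
        "in_restore_points": len(shadow),
        "distinct_threats": sorted({d.threat for d in detections}),
        # The summary block should agree with the detail lines; a mismatch means the
        # paste was truncated or a line format was not recognised.
        "consistent": reported is None or reported == sum(d.count for d in detections),
    }


def triage_report(text: str) -> Dict[str, object]:
    stats, detections = parse_report(text)
    return triage(stats, detections)


# Constructed sample in the report's layout (not the log posted in the thread).
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0: scan report
Scan statistics:
Objects scanned: 1000
Threats found: 3
Infected objects found: 4
Suspicious objects found: 0

File name / Threat / Threats count
C:\Documents and Settings\user\My Documents\Downloads\keygen.zip Infected: not-a-virus:AdWare.Win32.Example.a 1
C:\Documents and Settings\user\Local Settings\Temp\dropper.exe Infected: Trojan.Win32.Example.b 1
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe Infected: Trojan.Win32.Example.b 1
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP2\A0000002.exe Infected: Packed.Win32.Example.c 1
"""

if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run it against a saved report (.txt) by passing the file contents to triage_report(). The "consistent" flag is worth keeping: a scan log pasted into a forum post is often cut short, and a count mismatch tells the helper that findings are missing before any deletions are advised.
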
peku006
2010-10-19, 09:20
Hi chrisfromhell

Please delete these files
C:\Documents and Settings\Chrisfromhell\My Documents\VST Plugins\QuikQuak.Fusion.Field.v1.00.VST.incl.KeyGen.WIN-NEMESiS\n-ff100w.zip
C:\Documents and Settings\Chrisfromhell\My Documents\VST Plugins\Rob.Papen.LinPlug.Albino.VSTi.v3.0.2.incl.KeyGen-BEAT.zip

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

Thanks peku006

chrisfromhell
2010-10-19, 11:25
Deleted and done. Below is the new log. I know this has been a long-winded process, so thank you once again.

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 2
Out of date service pack!! (http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Symantec AntiVirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 12
Out of date Java installed!
Adobe Flash Player 10.0.22.87
Adobe Reader 9
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
````````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````

peku006
2010-10-19, 13:02
Hi chrisfromhell

we're almost at the finish :2thumb:

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.
Download the latest version of Java Runtime Environment (JRE) 6 Here (http://java.sun.com/javase/downloads/index.jsp)
Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
Click the orange Download JRE button to the right
Select the Windows platform from the dropdown menu
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation & save the file to your desktop
Close any programs you may have running - especially your web browser
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button.
There are two options in the window to clear the cache - leave BOTH checked:
Applications and Applets
Trace and Log Files
Click OK on the Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files window.
Click OK to leave the Java Control Panel.

Update Adobe Reader
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.3
You can download it from http://www.adobe.com/products/acrobat/readstep2.html (http://www.adobe.com/products/acrobat/readstep2.html)
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 3 instead from Foxit Software (http://mirrors.foxitsoftware.com/pub/foxit/reader/desktop/win/3.x/3.1/enu/FoxitReader31_enu_Setup.exe)
Note: Do not install anything dealing with AskBar... presented as an installation option.

chrisfromhell
2010-10-19, 14:47
Hi Peku

I have now done those two updates. Looking forward to the end :)

Chris

peku006
2010-10-19, 15:14
Hi Chris

Your log now appears to be clean. Congratulations! :yahoo:

To remove all of the tools we used and the files and folders they created do the following:

Delete Rootkit Unhooker and Security Check from your desktop.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

MBAM can be uninstalled via Control Panel > Add/Remove Programs, but it may be a useful tool to keep: Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know about them:

Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy safe surfing! :bigthumb:

peku006

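The HOSTS file mechanism the post above recommends cuts both ways: a block list maps unwanted names to 127.0.0.1, and a hijacker can use the same file to send search engines or antivirus update hosts somewhere else, which is one way a machine ends up "redirected". The script below is an added example for this page, not code from the thread, from the MVPS project or from Spybot; it parses a HOSTS file, separates sinkhole entries from entries that point a name at a routable address, and flags any override of a watch-list of names that a legitimate block list has no reason to touch. The watch-list (PROTECTED_SUFFIXES) and the sample file contents are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hostnames a legitimate block list has no reason to override (assumed watch-list;
# add whatever your AV updater, Windows Update and search engine resolve).
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com", "symantec.com",
    "kaspersky.com", "safer-networking.org", "google.com",
)


@dataclass(frozen=True)
class HostEntry:
    lineno: int
    ip: Optional[IPAddress]   # None when the line could not be parsed
    name: str


def is_protected(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text: str) -> List[HostEntry]:
    entries: List[HostEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # strip comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append(HostEntry(lineno, None, line))   # keep for manual review
            continue
        for name in fields[1:]:                      # one line may list several aliases
            entries.append(HostEntry(lineno, ip, name.lower()))
    return entries


def classify(e: HostEntry) -> str:
    if e.ip is None:
        return "malformed"
    if is_protected(e.name):
        # Any override of an update/AV/search host is hostile, even to 127.0.0.1:
        # sinkholing vendor sites is how malware keeps definitions from updating.
        return "suspicious"
    if e.ip.is_loopback or e.ip.is_unspecified:
        return "block"                               # MVPS-style sinkhole entry
    return "redirect"                                # routable target: LAN alias or hijack


def audit(text: str) -> Dict[str, object]:
    """Count entries per category and list the ones a person should look at."""
    counts: Dict[str, int] = {}
    review: List[Tuple[int, str, str]] = []
    for e in parse_hosts(text):
        cat = classify(e)
        counts[cat] = counts.get(cat, 0) + 1
        if cat in ("suspicious", "redirect", "malformed"):
            review.append((e.lineno, e.name, str(e.ip)))
    return {"counts": counts, "review": review}


# Constructed sample in HOSTS syntax (not anyone's real file).
SAMPLE_HOSTS = """
# comment line
127.0.0.1 localhost
127.0.0.1 ads.example-adnetwork.test      # typical MVPS-style block entry
0.0.0.0   tracker.example.test
192.168.1.10 fileserver.lan               # legitimate LAN shortcut
203.0.113.7 www.google.com                # search engine sent to a routable address
127.0.0.1 liveupdate.symantec.com         # AV update host sinkholed
"""

if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    print(report["counts"])
    for lineno, name, ip in report["review"]:
        print(f"line {lineno}: {name} -> {ip}")
```

On XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; read it and pass the text to audit(). With the MVPS file installed the "block" count runs into the thousands and "review" should be empty apart from entries you added yourself; anything in "suspicious" is worth investigating before trusting the machine's updates again.
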
chrisfromhell
2010-10-20, 03:17
Hi Peku

I have done the above and have noted your useful resources! Thank you once again for your time and your easy to follow step by step process. It is Greatly appreciated! :thanks:

You truly are a master of your craft and I humbly thank you, sir :)

Regards,

Chris

peku006
2010-10-21, 10:21
As this issue appears to be resolved, this topic is now closed

We are pleased to have been of some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)