I ran Spybot and removed all threats. Still most of my google searches are being redirected by things called "wegosearch" and "boolean search". This started a few days ago. Why doesn't Spybot fix this?

The most serious threat removed by Spybot was virtumundo. I haven't noticed any other spyware type symptoms.

I did notice a BHO that I can't identify, and I removed it to no avail. It is identified only as "14cc694e" and uses file "mgmtapi32.dll".

Search results are redirected from both IE and Firefox, even Firefox SafeMode. It affects google, but does not seem to affect sweetIMsearch which is my default search engine in Firefox. Sometimes I can get a link in Firefox that I can't get in google, and then I can get it in google too!

I have replaced my full name with XXXX where it appears in the following log. Otherwise, I have changed nothing.

Thanks for any help.


.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_23
Run by XXXX at 6:01:58 on 2011-06-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.148 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
svchost.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\system32\MCICDA32.exe
C:\Program Files\CompuServe 2000b\wcs2000.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\webvw32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dellnet.com/
uSearch Page =
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *r5.attbi.com;localhost;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: {01a19996-8905-47fc-9f78-ad902b238bdf} - c:\windows\system32\atmfd32.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: eBay Toolbar Helper: {22d8e815-4a5e-4dfb-845e-aab64207f5bd} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7C721180-A591-4FFD-BF01-5951312DFA78} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: 14cc694e: {e01453b3-0c81-c142-502c-eaeba9d9ff9a} - c:\windows\system32\mgmtapi32.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AdwareFilter: {1028f737-81e7-452b-a860-e50cad90a08c} - c:\program files\adwarefiltertoolbar\AdwareFilter.dll
TB: eBay Toolbar: {92085ad4-f48a-450d-bd93-b28cc7df67ce} - c:\program files\ebay\ebay toolbar2\eBayTB.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {9C10ABEE-0734-4B7B-8358-A6355F02DDF9} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll
uRun: [ccWasher] c:\program files\cookie washer\aolwasher.exe /0
uRun: [LDM] \Program\BackWeb-8876480.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04b\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe
mRun: [eBayToolbar] c:\program files\ebay\ebay toolbar2\eBayTBDaemon.exe
mRun: [UVS12 Preload] c:\program files\corel\corel videostudio 12\uvPL.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunServicesOnce: [washindex] c:\program files\cookie washer\washidx.exe "XXXX"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\camiov~1.lnk - c:\program files\sierra imaging\image expert 2000\IXApplet.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compus~1.lnk - c:\program files\compuserve 2000b\cstray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\what's~1.lnk - c:\program files\what's my computer doing\WhatsMyComputerDoing.exe
uPolicies-explorer: <NO NAME> =
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} - hxxp://www.stlu.com/plugins/Plugin0501.0065/streetnoagent7.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/23dfe60bd6bf6898ac21/netzip/RdxIE2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123878920937
DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} - hxxp://64.124.45.181/chaincast/proxy/CCMP.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37619.1688078704
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5005/mcfscan.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B4ADE286-3D18-448E-9E51-F2E1F8173FB4} : NameServer = 202.27.184.3,202.27.184.5
TCP: Interfaces\{B4ADE286-3D18-448E-9E51-F2E1F8173FB4} : DhcpNameServer = 192.168.2.1
AppInit_DLLs: phbjpu.dll ochnsb.dll axtovl.dll hhrqyl.dll,c:\windows\system32\mgmtapi32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccCTJyw
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\XXXX\application data\mozilla\firefox\profiles\6uq1giac.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: http://forums.spybot.info/misc.php?do=email_dev&email=anFzQHN1bi5jb20= - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XUL Cache: {8132276d-0d1e-4f64-8eda-49132dad6719} - %profile%\extensions\{8132276d-0d1e-4f64-8eda-49132dad6719}
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-9-24 363344]
R2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2002-4-20 64512]
R2 RioPNP;RioPNP;c:\windows\system32\drivers\RioPnP.sys [2002-4-22 6736]
R2 winmgmt32;Windows Management Instrumentation ;c:\windows\system32\webvw32.exe [2011-6-11 775168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-9-24 20952]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-22 135664]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 getPlus(R) Installer;getPlus(R) Installer;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-7-4 59552]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-22 135664]
S3 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]
.
=============== Created Last 30 ================
.
2011-06-13 08:14:15 774144 ----a-w- c:\documents and settings\XXXX\0.5659088320865572.exe
2011-06-12 08:30:48 775168 ----a-w- c:\documents and settings\XXXX\0.013908267826610587.exe
2011-06-12 06:48:58 0 ---ha-w- c:\documents and settings\XXXX\ijexbixkaw.tmp
2011-06-12 05:30:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-12 05:30:58 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-06-11 21:41:41 775168 ----a-w- c:\windows\system32\MCICDA32.exe
2011-06-11 21:41:40 175616 ----a-w- c:\windows\system32\mgmtapi32.dll
2011-06-11 21:41:39 775168 ----a-w- c:\windows\system32\webvw32.exe
2011-06-11 21:41:37 350720 ----a-w- c:\windows\system32\atmfd32.dll
2011-06-11 21:41:35 775168 ----a-w- c:\documents and settings\XXXX\0.03645120440208571.exe
2011-05-23 13:28:29 -------- d-----w- c:\program files\iPod
2011-05-23 13:28:07 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-23 13:28:06 -------- d-----w- c:\program files\iTunes
2011-05-23 13:20:05 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 6:03:42.36 ===============

We've seen popups that say something like "you've won the lottery, click for your prize", or your system has 1,426,250 viruses, click to remove", with a big OK button. Now you think, "I'm no dumbass", and just close the window by clicking the X. But the X isn't really a close button, and you get herpes.

My questions are:

1. What is the best way to respond when this happens? I'm thinking kill the process with process explorer.

2. What security settings (aside from not being in admin mode) would make it absolutely impossible for something like this to run an executable without prompting you first?

To clarify, it is the links returned by google that are affected, not the search itself. I've also seen it happen with bing.

Also, I disabled the BHO I mentioned. I did not remove it.

And it was the "virtumonde" virus that was removed by Spybot. I mistyped the name.

Hi,

Download GMER (http://www.gmer.net) here by clicking download exe -button and then saving it your desktop:
Double-click .exe that you downloaded
Click rootkit-tab, uncheck files option and then click scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply. Post fresh dds logs (including attach.txt) contents too.

Thanks for the help. GMER data below. DDS.txt and Attach.txt attached.

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-22 05:39:38
Windows 5.1.2600 Service Pack 3
Running: pm24extc.exe; Driver: C:\DOCUME~1\BRUCEZ~1\LOCALS~1\Temp\pxtdapow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3612] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3527F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E352777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3527BB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E352703 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E35273D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352831 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20178A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3529F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 10012420 C:\WINDOWS\system32\mgmtapi32.dll (Outlook Redemption COM library/Dmitry Streblechenko)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 100123AA C:\WINDOWS\system32\mgmtapi32.dll (Outlook Redemption COM library/Dmitry Streblechenko)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] ws2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 100122D1 C:\WINDOWS\system32\mgmtapi32.dll (Outlook Redemption COM library/Dmitry Streblechenko)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] ws2_32.dll!bind 71AB4480 5 Bytes JMP 1001225B C:\WINDOWS\system32\mgmtapi32.dll (Outlook Redemption COM library/Dmitry Streblechenko)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10012334 C:\WINDOWS\system32\mgmtapi32.dll (Outlook Redemption COM library/Dmitry Streblechenko)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] ws2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 100123D4 C:\WINDOWS\system32\mgmtapi32.dll (Outlook Redemption COM library/Dmitry Streblechenko)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] ws2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 1001246E C:\WINDOWS\system32\mgmtapi32.dll (Outlook Redemption COM library/Dmitry Streblechenko)
.text C:\Program Files\Internet Explorer\iexplore.exe[3612] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 10012369 C:\WINDOWS\system32\mgmtapi32.dll (Outlook Redemption COM library/Dmitry Streblechenko)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat EFF39D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

I ran ComboFix. Search results are still being redirected, this time by something called "abussinesssearch".

I now see a program running called MCD3232.exe which is taking up a lot of processing time (up to 68%) and when I try to kill it with process explorer, it just comes back. There is also a MCIDA32.exe.

I disabled my antivirus and firewall before running ComboFix. I didn't touch the computer at all during the scan. However, when it rebooted my machine, Windows prompted me for which user I wanted to log in as, and I clicked my name. Then while it was preparing the logs, it said not to start any programs, but some that usually start when I log in did start on their own. One of them was a dialog box from SpyBot complaining about a setting that had change. I still didn't touch it, but my antivirus may have started at this point. Right now not everything that usually starts is running, for example, my battery backup program PowerChute never started as it normally does.

I attached new dds files. Here's the ComboFix data:


ComboFix 11-06-21.08 - Bruce Zastera 06/22/2011 10:52:35.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.289 [GMT -5:00]
Running from: c:\documents and settings\Bruce Zastera\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Bruce Zastera\0.013908267826610587.exe
c:\documents and settings\Bruce Zastera\0.03645120440208571.exe
c:\documents and settings\Bruce Zastera\0.5659088320865572.exe
c:\documents and settings\Bruce Zastera\Application Data\Mozilla\Firefox\Profiles\6uq1giac.default\extensions\{8132276d-0d1e-4f64-8eda-49132dad6719}
c:\documents and settings\Bruce Zastera\Application Data\Mozilla\Firefox\Profiles\6uq1giac.default\extensions\{8132276d-0d1e-4f64-8eda-49132dad6719}\chrome.manifest
c:\documents and settings\Bruce Zastera\Application Data\Mozilla\Firefox\Profiles\6uq1giac.default\extensions\{8132276d-0d1e-4f64-8eda-49132dad6719}\chrome\xulcache.jar
c:\documents and settings\Bruce Zastera\Application Data\Mozilla\Firefox\Profiles\6uq1giac.default\extensions\{8132276d-0d1e-4f64-8eda-49132dad6719}\defaults\preferences\xulcache.js
c:\documents and settings\Bruce Zastera\Application Data\Mozilla\Firefox\Profiles\6uq1giac.default\extensions\{8132276d-0d1e-4f64-8eda-49132dad6719}\install.rdf
c:\documents and settings\Bruce Zastera\WINDOWS
c:\documents and settings\BruceZ\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\LocalService\Application Data\02000000d4490ffe1270C.manifest
c:\documents and settings\LocalService\Application Data\02000000d4490ffe1270O.manifest
c:\documents and settings\LocalService\Application Data\02000000d4490ffe1270P.manifest
c:\documents and settings\LocalService\Application Data\02000000d4490ffe1270S.manifest
c:\documents and settings\Owner\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\nbjivdfj.ini
c:\windows\system32\nWwwxGgh.ini
c:\windows\UA000106.DLL
.
.
((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
.
.
2011-06-19 19:42 . 2011-06-19 19:42 -------- d-----w- c:\documents and settings\BruceZ
2011-06-19 19:24 . 2011-06-19 19:25 -------- d-----w- c:\documents and settings\Bruce Zastera\Application Data\SumatraPDF
2011-06-19 19:24 . 2011-06-19 19:24 -------- d-----w- c:\program files\SumatraPDF
2011-06-18 01:40 . 2011-06-11 21:41 775168 ----a-w- c:\windows\system32\atmfd32.exe
2011-06-17 10:57 . 2011-06-17 10:57 -------- d-----w- c:\program files\ERUNT
2011-06-12 06:48 . 2011-06-12 06:48 0 ---ha-w- c:\documents and settings\Bruce Zastera\ijexbixkaw.tmp
2011-06-12 05:30 . 2011-06-12 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-06-12 05:30 . 2011-06-12 05:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-11 21:41 . 2011-06-11 21:41 775168 ----a-w- c:\windows\system32\MCICDA32.exe
2011-06-11 21:41 . 2011-06-11 21:41 175616 ----a-w- c:\windows\system32\mgmtapi32.dll
2011-06-11 21:41 . 2011-06-11 21:41 775168 ----a-w- c:\windows\system32\webvw32.exe
2011-06-11 21:41 . 2011-06-11 21:41 350720 ----a-w- c:\windows\system32\atmfd32.dll
2011-05-27 21:14 . 2011-05-27 21:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01A19996-8905-47FC-9F78-AD902B238BDf}]
2011-06-11 21:41 350720 ----a-w- c:\windows\SYSTEM32\atmfd32.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E01453B3-0C81-C142-502C-EAEBA9D9FF9A}]
2011-06-11 21:41 175616 ----a-w- c:\windows\SYSTEM32\mgmtapi32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccWasher"="c:\program files\Cookie Washer\aolwasher.exe" [2001-08-16 2982400]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-08-10 160568]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"LTWinModem1"="ltmsg.exe 9" [X]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-11 155648]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-01-18 632048]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-11 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="c:\program files\Cookie Washer\washidx.exe" [2001-07-24 72704]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2002-4-21 221247]
Camio Viewer 2000.lnk - c:\program files\Sierra Imaging\Image Expert 2000\IXApplet.exe [2002-4-15 49152]
CompuServe 2000 Tray Icon.lnk - c:\program files\CompuServe 2000b\cstray.exe [2003-2-12 36935]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-12-26 169472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2006-9-24 819200]
What's my computer doing.lnk - c:\program files\What's my computer doing\WhatsMyComputerDoing.exe [2011-3-12 271200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\mgmtapi32.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R2 CryptSvc32;Cryptographic Services ;c:\windows\SYSTEM32\atmfd32.exe [6/17/2011 8:40 PM 775168]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/24/2008 9:31 AM 363344]
R2 PackethSvc;Virtual NIC Service;c:\windows\SYSTEM32\PackethSvc.exe [4/20/2002 9:05 AM 64512]
R2 RioPNP;RioPNP;c:\windows\SYSTEM32\DRIVERS\RioPnP.sys [4/22/2002 12:19 AM 6736]
R2 winmgmt32;Windows Management Instrumentation ;c:\windows\SYSTEM32\webvw32.exe [6/11/2011 4:41 PM 775168]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [9/24/2008 9:31 AM 20952]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [10/3/2000 3:18 PM 6942]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2010 12:58 AM 135664]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S3 getPlus(R) Installer;getPlus(R) Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/4/2009 3:51 AM 59552]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2010 12:58 AM 135664]
S3 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [8/6/2001 1:41 PM 28672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 05:58]
.
2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 05:58]
.
2011-06-22 c:\windows\Tasks\User_Feed_Synchronization-{E7938B0D-4F18-4B29-9C11-1E45A058CDFF}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dellnet.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *r5.attbi.com;localhost;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B4ADE286-3D18-448E-9E51-F2E1F8173FB4}: NameServer = 202.27.184.3,202.27.184.5
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} - hxxp://www.stlu.com/plugins/Plugin0501.0065/streetnoagent7.cab
FF - ProfilePath - c:\documents and settings\Bruce Zastera\Application Data\Mozilla\Firefox\Profiles\6uq1giac.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{7C721180-A591-4FFD-BF01-5951312DFA78} - (no file)
Toolbar-{9C10ABEE-0734-4B7B-8358-A6355F02DDF9} - (no file)
WebBrowser-{9C10ABEE-0734-4B7B-8358-A6355F02DDF9} - (no file)
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKCU-Run-LDM - \Program\BackWeb-8876480.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-22 11:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3156)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\windows\system32\ltmsg.exe
c:\windows\system32\devldr32.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Netropa\OSD.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\Brmfrmps.exe
c:\windows\System32\CTsvcCDA.EXE
c:\windows\system32\MCICDA32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\System32\MsPMSPSv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\MCD3232.exe
.
**************************************************************************
.
Completion time: 2011-06-22 11:27:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-22 16:27
.
Pre-Run: 12,427,980,800 bytes free
Post-Run: 12,621,033,472 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - B2AD29AA14F4CF9FB2BAA1A7E40425D7

As you probably already figured out, MCD3232.exe appears to be malware as per this McAfee webpage (http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=431798) under added files. It is in the windows32 directory. I see the registry entry that it talks about added

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\

MCD3232.exe is mentioned in the above ComboFix data.

ProcessExplorer gives me a description "AIDEX RUNTIME" and company name "AIDEX TEAM". There are other programs with the same AIDEX descriptions, they are

MFCUIW3232.exe
atmfd32.exe
KBDFR32.exe
webvw32.exe

There is also a BHO called atmfd32.exe which I disabled earlier.

After rebooting, MCD3232.exe is not taking up as much time, but it still runs, and it accesses the hard drive continuously.

I won't do anything until you tell me.

Hi,

Update MBAM and run a full scan with it. Post back the report.

That last suggestion killed me. After I updated mbam, it tried to restart. Then I got

"LSASS.EXE error. Application failed to initialize at 0xc0000005"

and XP wouldn't start. I could still move the mouse, but just a blank screen, and I couldn't even power it down from the power switch. I also couldn't bring it up in safe mode nor in the recovery console which failed on another file.

I forgot to menion that I had gotten a very similar error earlier when I tried to bring up a DOS command window. This was right after running ComboFix. Would it have made a difference?

I'm only here now because I'm on a borrowed machine. I took my machine in, and the guy seemed confident that he can deal with this in a few days. I never got an XP CD with my machine because it is all on the hard drive (lot of good that does now). I've been meaning to make a recovery disk, but I never got around to it. I think that should be added to the preliminary instructions on this site. Not sure if it would have save me though since I tried an old windows 98 CD, and I couldn't get it to boot from that.

Edit: See the steps below if you have the problem machine handy (I wasn't sure if you had already taken it to someone to repair).

Hi,

Let's try to restore back to earlier state with recovery console

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. If all goes well post fresh dds logs.

I can't start recovery console either. It complains about A1C7802.SY_.

Anyway, I can't do anything now because my computer is in the shop.

Ok. Let's see if they're able to sort out the issue.

I got my PC back from the shop today. XP starts again, and the google redirect problem seems to be resolved. I no longer see MCD3232.EXE running in process explorer, and it is no longer in the System32 directory. I don't see anything by the AIDEX TEAM in the process explorer anymore. I can bring up a DOS prompt with no problem.

The repair guy used a 3rd party recovery tool to fix Windows without having to do a clean boot, though this was fairly challenging. The virus was removed with Avast! The McAfee webpage that I mentioned also refers to Avast! as being able to detect this. I now have Avast! as a real time shield.

I don't know if there is a way to post the log from Avast! I was going to post new DDS logs, but Avast! said that the DDS program was dangerous. ;) I'll still post them if you think it would be a good idea. I don't seem to have any problems at the moment though.


Questions:

1. The recovery console still doesn't start. I never told the repair guy that this was broken. There is just a blinking cursor. I can do ctl-alt-del to restart. I'd like to get this working in case I have problems in the future. Do I just need to reinstall it?

2. What recovery software/startup discs would you recommend that I obtain so that I can recover from catastrophic problems like this in the future?

Hi,


1. The recovery console still doesn't start. I never told the repair guy that this was broken. There is just a blinking cursor. I can do ctl-alt-del to restart. I'd like to get this working in case I have problems in the future. Do I just need to reinstall it?
Let's remove your present version of recovery console and then let ComboFix install a fresh one.

1. Log on as local administrator.

2. Double click on "My Computer" icon on the desktop.

3. In "My Computer" open: Tools -> Folder Options -> View -> Mark the checkbox
"Show hidden files and folders" -and clear the "Hide protected operating system

files" checkbox (please press on "Yes" to the confirm message).


4. Double click on the %systemdrive% (usually "C" drive) and delete "cmdcons" folder and the cmldr file from
the root drive.

5. Right-click boot.ini on the system partition and select Properties, then clear the "Read-only" checkbox.

6. Double click on the "boot.ini" file (the file reside in the root of the %systemdrive%).

7. Remove the lines:

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug


8. Save the boot.ini file and close the text editor. Do step 3. opposite to re-hide the files.

Then disable antivirus protection, download and run ComboFix (like you did earlier) and let it install recovery console. Post back the log it creates.




2. What recovery software/startup discs would you recommend that I obtain so that I can recover from catastrophic problems like this in the future?
I'll let you know about some options after dealing with the recovery console.

Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.