
Thread: Another coolWWWSEARCH thread - help!

  1. #1
    Guest
    Join Date: Oct 2010
    Posts: 9

    Another coolWWWSEARCH thread - help!

    Hi All

    First time here. I think I got the posting procedure right so here goes.

    I found myself being redirected to obvious malware sites, so I ran a Spybot check. Sure enough, it discovered "coolwwwsearch.olehelp". After fixing it I found the same problems, so I did a little online research and tried using CWShredder. Not only did that detect the entry above, but it also found "coolwwwsearch.alfasearch". I "fixed" that using CWShredder and rebooted, only to continue to find the problem.

    I've had a search through the forums for an answer but have had no luck. I keep getting redirected and it's affecting my PC's performance.

    If anyone can help me get rid of this pain in the butt it would be greatly appreciated.

    Below are logs.


    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Chrisfromhell at 19:40:32.82 on Tue 26/10/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2604 [GMT 8:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\Windows\shell.exe
    "C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\svchost.exe"
    C:\DOCUME~1\CHRISF~1\LOCALS~1\Temp\dwm.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\WINDOWS\SOUNDMAN.EXE
    svchost.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Chrisfromhell\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = "hxxp://www.daemon-search.com/startpage
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    mWinlogon: Shell=explorer.exe c:\windows\system32\ntdevice.exe
    uWinlogon: Shell=explorer.exe,c:\documents and settings\chrisfromhell\application data\microsoft\windows\shell.exe
    uWindows: Load=c:\docume~1\chrisf~1\locals~1\temp\dwm.exe
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [SoundMan] SOUNDMAN.EXE
    StartupFolder: c:\docume~1\chrisf~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\chrisf~1\applic~1\mozilla\firefox\profiles\vxwogjq7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\documents and settings\chrisfromhell\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\pace anti-piracy\ilok\NPPaceILok.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============

    R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido anti-malware\guard.sys [2004-11-22 3072]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
    R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2008-11-21 464264]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-10 255096]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-10 242808]
    R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2010-2-11 16400]
    R2 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
    R2 ewido security suite guard;ewido security suite guard;c:\program files\ewido anti-malware\ewidoguard.exe [2005-12-19 151616]
    R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-11-21 80392]
    R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-7-7 1267024]
    R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-2-10 33792]
    R3 iLokDrvr;Usb Driver;c:\windows\system32\drivers\iLokDrvr.sys [2009-12-23 54328]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101007.002\naveng.sys [2010-10-22 86064]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101007.002\navex15.sys [2010-10-22 1371184]
    S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-10 87160]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2010-2-11 85008]
    S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys --> c:\windows\system32\drivers\MBX2DFU.sys [?]
    S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys --> c:\windows\system32\drivers\mbx2midk.sys [?]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-4-24 137344]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-7-7 173392]
    S3 ZOOM_R16MTR;ZOOM R16 Audio Interface;c:\windows\system32\drivers\zmr16usbaudio.sys --> c:\windows\system32\drivers\zmr16usbaudio.sys [?]

    =============== Created Last 30 ================

    2010-10-26 09:46:18 -------- d-----w- c:\program files\ewido anti-malware
    2010-10-26 09:03:28 160256 ----a-w- c:\docume~1\chrisf~1\applic~1\microsoft\svchost.exe
    2010-10-26 02:25:34 388096 ----a-r- c:\docume~1\chrisf~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-10-26 02:25:33 -------- d-----w- c:\program files\Trend Micro
    2010-10-25 05:35:10 -------- d-----w- c:\program files\PS3 Media Server
    2010-10-23 09:26:04 205312 ----a-w- c:\docume~1\chrisf~1\applic~1\microsoft\windows\shell.exe

    ==================== Find3M ====================

    2010-10-26 10:58:31 16608 ----a-w- c:\windows\gdrv.sys
    2010-10-25 12:22:12 234280 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2010-10-25 12:22:12 234280 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-10-22 11:27:33 112 ----a-w- c:\windows\system32\msvcsv60.dll
    2010-08-04 01:59:10 53248 ----a-w- c:\windows\system32\aticalrt.dll
    2010-08-04 01:59:00 53248 ----a-w- c:\windows\system32\aticalcl.dll
    2010-08-04 01:57:40 4358144 ----a-w- c:\windows\system32\aticaldd.dll
    2010-08-04 01:53:22 15900672 ----a-w- c:\windows\system32\atioglxx.dll
    2010-08-04 01:47:50 311296 ----a-w- c:\windows\system32\atiiiexx.dll
    2010-08-04 01:47:00 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2010-08-04 01:46:04 300544 ----a-w- c:\windows\system32\ati2dvag.dll
    2010-08-04 01:41:40 3901280 ----a-w- c:\windows\system32\ati3duag.dll
    2010-08-04 01:31:16 208896 ----a-w- c:\windows\system32\atipdlxx.dll
    2010-08-04 01:31:04 155648 ----a-w- c:\windows\system32\Oemdspif.dll
    2010-08-04 01:30:56 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
    2010-08-04 01:30:50 43520 ----a-w- c:\windows\system32\ati2edxx.dll
    2010-08-04 01:30:38 159744 ----a-w- c:\windows\system32\ati2evxx.dll
    2010-08-04 01:29:26 606208 ----a-w- c:\windows\system32\ati2evxx.exe
    2010-08-04 01:28:12 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
    2010-08-04 01:28:06 2537728 ----a-w- c:\windows\system32\ativvaxx.dll
    2010-08-04 01:27:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
    2010-08-04 01:24:04 610304 ----a-w- c:\windows\system32\atikvmag.dll
    2010-08-04 01:23:52 393216 ----a-w- c:\windows\system32\atiok3x2.dll
    2010-08-04 01:22:28 188416 ----a-w- c:\windows\system32\atiadlxx.dll
    2010-08-04 01:22:08 17408 ----a-w- c:\windows\system32\atitvo32.dll
    2010-08-04 01:16:50 700416 ----a-w- c:\windows\system32\ati2cqag.dll
    2010-08-04 01:15:20 65024 ----a-w- c:\windows\system32\atimpc32.dll
    2010-08-04 01:15:20 65024 ----a-w- c:\windows\system32\amdpcom32.dll

    ============= FINISH: 19:40:50.45 ===============

  2. #2
    peku006 (Emeritus - Security Expert)
    Join Date: Feb 2007
    Location: Norway
    Posts: 3,103

    Hi chrisfromhell

    Download and Run Malwarebytes' Anti-Malware

    Please save any items you were working on... close any open programs. You may be asked to reboot your machine.
    Please download Malwarebytes Anti-Malware and save it to your desktop. If needed...Tutorial w/screenshots
    Alternate download sites available here or here.
    1. Make sure you are connected to the Internet.
    2. Double-click on mbam-setup.exe to install the application.
    3. When the installation begins, follow the prompts and do not make any changes to default settings.
    4. When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
      • Then click Finish.
      MBAM will automatically start and you will be asked to update the program before performing a scan.
      • If an update is found, the program will automatically update itself.
      • Press the OK button to close that box and continue.
      • Problems downloading the updates? Manually download them from here and double-click on "mbam-rules.exe" to install.

    On the Scanner tab:
    1. Make sure the "Perform full scan" option is selected.
    2. Then click on the Scan button.
    3. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    4. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    5. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    6. Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    1. Click on the Show Results button to see a list of any malware that was found.
    2. Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
      We will take care of the System Volume Information items later.
    3. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      The log can also be found here:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    5. Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    Please reply with

    Malwarebytes' Anti-Malware Log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  3. #3
    Guest
    Join Date: Oct 2010
    Posts: 9

    Hi Peku,

    Thank you for your reply, your time and offering your assistance. It is greatly appreciated. OK, so I have completed the steps above and it looks like Malwarebytes found a lot of stuff none of the programs even detected!

    As requested the log is below.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4830

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    30/10/2010 7:15:11 AM
    mbam-log-2010-10-30 (07-15-11).txt

    Scan type: Full scan (C:\|H:\|)
    Objects scanned: 519658
    Time elapsed: 2 hour(s), 27 minute(s), 35 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 6
    Registry Data Items Infected: 6
    Folders Infected: 0
    Files Infected: 17

    Memory Processes Infected:
    C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.
    C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\svchost.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\adver_id (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\Chrisfromhell\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Chrisfromhell\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe C:\WINDOWS\system32\ntdevice.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

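The DDS log in the first post and the MBAM log above point at the same three hijacks: a Winlogon Shell value that starts a second program next to explorer.exe, a Load= autostart in Temp, and both browsers proxied through 127.0.0.1:50370. The Python triage script below is added here and is not code from the thread or from DDS, MBAM or ComboFix; it parses DDS-style lines for those patterns, with SAMPLE_LOG constructed from the lines above and the rule and helper names my own.

```python
"""Triage DDS/HijackThis-style startup lines for the hijack patterns seen in this thread.
Added example, not code from the thread or from DDS/MBAM/ComboFix; rule names and SAMPLE_LOG are constructed."""
import re

# Constructed sample: DDS "Pseudo HJT Report" lines from the first post, plus an mRun line
# modelled on the HKLM\...\Run\svchost value MBAM removed (constructed, not a real log).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:50370
mWinlogon: Shell=explorer.exe c:\windows\system32\ntdevice.exe
uWinlogon: Shell=explorer.exe,c:\documents and settings\chrisfromhell\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\chrisf~1\locals~1\temp\dwm.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [svchost] c:\documents and settings\chrisfromhell\application data\microsoft\svchost.exe
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
"""

WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*Shell=(?P<value>.+)$", re.I)
LOAD_RE = re.compile(r"^[um]Windows:\s*Load=(?P<value>.*)$", re.I)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$", re.I)
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<key>[\w.]+)\s*-\s*(?P<value>.+)$")
# Autostarts under the user profile (AppData, Local Settings, Temp) are a classic trojan
# location; the legitimate entries in the log all live under system32 or Program Files.
PROFILE_MARKERS = ("\\application data\\", "\\applic~1\\", "\\local settings\\", "\\locals~1\\", "\\temp\\")

def is_loopback(host):
    h = host.strip().lower()
    return h.startswith("127.") or h in ("localhost", "::1")

def parse_proxy(spec):
    """IE ProxyServer value ('http=127.0.0.1:50370;https=...' or bare 'host:port') -> (proto, host, port)."""
    out = []
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        proto, _, hostport = entry.partition("=")
        if not hostport:          # bare host:port applies to every protocol
            proto, hostport = "*", proto
        host, _, port = hostport.rpartition(":")
        if not host:              # no port given
            host, port = hostport, "0"
        out.append((proto.lower(), host, int(port) if port.isdigit() else 0))
    return out

def shell_extras(value):
    """Programs a Winlogon Shell value starts besides explorer.exe (clean value: exactly 'explorer.exe')."""
    extras = []
    for part in value.split(","):          # DDS printed the hijacks with a space or a comma separator
        part = part.strip()
        if part.lower().startswith("explorer.exe"):
            part = part[len("explorer.exe"):].strip()
        if part:
            extras.append(part)
    return extras

def in_user_profile(path):
    return any(m in path.strip().strip('"').lower() for m in PROFILE_MARKERS)

def triage(log_text):
    """Return (rule, detail) findings for the hijack patterns this thread's logs exhibit."""
    findings, ff = [], {}
    for line in log_text.splitlines():
        line = line.strip()
        m = WINLOGON_RE.match(line)
        if m:
            for extra in shell_extras(m.group("value")):
                findings.append(("winlogon-shell", "Shell also launches " + extra))
            continue
        m = LOAD_RE.match(line)
        if m and m.group("value").strip():    # the legitimate Load= value is empty
            findings.append(("load-autostart", "Load= runs " + m.group("value").strip()))
            continue
        m = PROXY_RE.match(line)
        if m:
            # A loopback proxy hands every browser request to a local process first, consistent
            # with the redirects reported here; some legitimate filters also do this, so confirm
            # which process listens on the port before calling it malicious on its own.
            for proto, host, port in parse_proxy(m.group("value")):
                if is_loopback(host):
                    findings.append(("ie-proxy-loopback", "%s proxy -> %s:%d" % (proto, host, port)))
            continue
        m = RUN_RE.match(line)
        if m and in_user_profile(m.group("cmd")):
            findings.append(("profile-run", "[%s] %s" % (m.group("name"), m.group("cmd"))))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff[m.group("key")] = m.group("value").strip()
    # Firefox: network.proxy.type 1 is a manual proxy; apply the same loopback check as for IE.
    if ff.get("network.proxy.type") == "1" and is_loopback(ff.get("network.proxy.http", "")):
        findings.append(("ff-proxy-loopback", "http proxy -> %s:%s"
                         % (ff["network.proxy.http"], ff.get("network.proxy.http_port", "?"))))
    return findings
```

Running `triage(SAMPLE_LOG)` yields six findings: two Winlogon Shell hijacks, the Load= autostart, the Run entry under Application Data, and the loopback proxy in both IE and Firefox; the itype entry under Program Files is not flagged.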
  4. #4
    peku006 (Emeritus - Security Expert)
    Join Date: Feb 2007
    Location: Norway
    Posts: 3,103

    Hi chrisfromhell

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  5. #5
    Guest
    Join Date: Oct 2010
    Posts: 9

    Done and done. Below is the new log.

    ComboFix 10-10-15.03 - Chrisfromhell 30/10/2010 18:06:36.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2923 [GMT 8:00]
    Running from: c:\documents and settings\Chrisfromhell\My Documents\Downloads\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Chrisfromhell\Application Data\download2
    c:\documents and settings\Chrisfromhell\Application Data\Microsoft\stor.cfg
    c:\documents and settings\Chrisfromhell\Local Settings\Temporary Internet Files\firmware.inf
    c:\documents and settings\Chrisfromhell\Local Settings\Temporary Internet Files\h-fr.wmv
    c:\documents and settings\Chrisfromhell\Local Settings\Temporary Internet Files\ip3picfile.temp
    c:\documents and settings\Chrisfromhell\Local Settings\Temporary Internet Files\ip3Wmapic.temp
    c:\windows\system32\msvcsv60.dll
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-30 )))))))))))))))))))))))))))))))
    .

    2010-10-29 10:09 . 2010-10-29 10:09 -------- d-----w- c:\documents and settings\Chrisfromhell\Application Data\Malwarebytes
    2010-10-29 10:09 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-29 10:08 . 2010-10-29 10:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-29 10:08 . 2010-10-29 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-29 10:08 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-27 06:13 . 2010-10-27 06:13 -------- d-----w- c:\documents and settings\Chrisfromhell\Application Data\Safer Networking
    2010-10-27 06:12 . 2010-10-30 09:51 -------- d-----w- c:\program files\Safer Networking
    2010-10-26 12:34 . 2010-10-26 12:34 2256 ----a-w- c:\documents and settings\Chrisfromhell\Application Data\hyghghjhjghjhj.bat
    2010-10-26 02:25 . 2010-10-26 02:25 388096 ----a-r- c:\documents and settings\Chrisfromhell\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-26 02:25 . 2010-10-26 02:25 -------- d-----w- c:\program files\Trend Micro
    2010-10-25 05:35 . 2010-10-25 05:35 -------- d-----w- c:\program files\PS3 Media Server
    2010-10-25 03:12 . 2010-10-25 03:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-12 18:07 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-12 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-12 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave2"=Digi32.dll
    "MIDI"=diomidi.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-11 22:08 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-13 23:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2008-06-19 08:20 57344 ------r- c:\windows\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-03 23:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
    2009-12-14 10:40 77824 ----a-w- c:\program files\Digidesign\Drivers\MMERefresh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2007-06-24 23:47 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 06:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
    2008-10-31 04:17 54576 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
    2009-11-11 02:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 07:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-06-27 03:23 16875008 ------r- c:\windows\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
    2007-06-24 23:47 1629480 ----a-w- c:\program files\Nero\Nero 7\InCD\NBHGui.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe"
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
    "NokiaOviSuite2"=c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    "fqkmdjwe"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\gtisugrmp\avomssqtssd.exe
    "uifdxkhd"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "GEST"=m‘|\ü
    "H2O"=c:\program files\SyncroSoft\Pos\H2O\cledx.exe
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "AlcWzrd"=ALCWZRD.EXE
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "DigidesignMMERefresh"=c:\program files\Digidesign\Drivers\MMERefresh.exe
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe"
    "fqkmdjwe"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\gtisugrmp\avomssqtssd.exe
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"
    "uifdxkhd"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe
    "svchost"=c:\documents and settings\Chrisfromhell\Application Data\Microsoft\svchost.exe
    "MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    "download"="c:\documents and settings\Chrisfromhell\Application Data\download2\svcnost.exe"
    "SoundMan"=SOUNDMAN.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\chris_cfh\\counter-strike source\\hl2.exe"=
    "c:\\DoW2\\DOW2.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Steam\\steamapps\\chris_cfh\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [21/11/2008 7:15 PM 464264]
    R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [11/02/2010 12:12 AM 16400]
    R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [21/11/2008 6:37 PM 80392]
    R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [10/02/2009 5:42 PM 33792]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [11/02/2010 12:12 AM 85008]
    S3 iLokDrvr;Usb Driver;c:\windows\system32\drivers\iLokDrvr.sys [23/12/2009 11:36 AM 54328]
    S3 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys --> c:\windows\system32\DRIVERS\MBX2DFU.sys [?]
    S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys --> c:\windows\system32\drivers\mbx2midk.sys [?]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [24/04/2010 5:53 PM 137344]
    S3 ZOOM_R16MTR;ZOOM R16 Audio Interface;c:\windows\system32\Drivers\zmr16usbaudio.sys --> c:\windows\system32\Drivers\zmr16usbaudio.sys [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [23/11/2008 4:41 PM 717296]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-23 08:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-29 c:\windows\Tasks\Vuze.job
    - c:\progra~1\Vuze\Azureus.exe [2008-11-21 13:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = "hxxp://www.daemon-search.com/startpage
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Chrisfromhell\Application Data\Mozilla\Firefox\Profiles\vxwogjq7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\Chrisfromhell\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\PACE Anti-Piracy\iLok\NPPaceILok.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
    MSConfigStartUp-Load - c:\docume~1\CHRISF~1\LOCALS~1\Temp\dwm.exe
    MSConfigStartUp-NokiaMusic FastStart - c:\program files\Nokia\Nokia Music\NokiaMusic.exe
    MSConfigStartUp-nwiz - nwiz.exe
    MSConfigStartUp-svchost - c:\documents and settings\Chrisfromhell\Application Data\Microsoft\svchost.exe
    MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\\vptray.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1390067357-1844237615-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:45,4d,3c,4a,40,2b,bb,a6,da,b3,c6,49,68,27,c3,36,67,1e,e6,fa,9e,
    c5,02,ec,f1,29,66,d7,b8,ac,91,53,f4,ba,70,c8,aa,aa,52,fa,9b,2c,95,71,ce,24,\
    "rkeysecu"=hex:ec,aa,4d,bc,97,00,87,a0,75,06,d2,e4,81,9d,23,f2
    .
    Completion time: 2010-10-30 18:12:10
    ComboFix-quarantined-files.txt 2010-10-30 10:12

    Pre-Run: 36,992,741,376 bytes free
    Post-Run: 37,390,045,184 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    [spybotsd]
    timeout.old=30

    - - End Of File - - DD244F1791F85CF404504E02DB99285E

  6. #6
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi chrisfromhell

    Run CFScript

    Open Notepad and copy/paste the text in the box into the window:

    Code:
    File::
    c:\documents and settings\Chrisfromhell\Application Data\hyghghjhjghjhj.bat
    c:\documents and settings\Chrisfromhell\Local Settings\Application Data\gtisugrmp\avomssqtssd.exe
    c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "fqkmdjwe"=-
    "uifdxkhd"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "fqkmdjwe"=-
    "uifdxkhd"=-
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  7. #7
    Guest
    Join Date
    Oct 2010
    Posts
    9

    Default

    Hi Peku

    Here is the latest log

    ComboFix 10-10-16.03 - Chrisfromhell 17/10/2010 10:48:00.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2935 [GMT 8:00]
    Running from: c:\documents and settings\Chrisfromhell\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Chrisfromhell\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\documents and settings\Chrisfromhell\Application Data\hyghghjhjghjhj.bat"
    "c:\documents and settings\Chrisfromhell\Local Settings\Application Data\gtisugrmp\avomssqtssd.exe"
    "c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Chrisfromhell\Application Data\hyghghjhjghjhj.bat
    c:\windows\system32\msvcsv60.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-17 to 2010-10-17 )))))))))))))))))))))))))))))))
    .

    2010-10-30 11:24 . 2004-03-04 15:46 83168 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-10-30 11:24 . 2004-03-04 15:46 82832 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-10-29 10:09 . 2010-10-29 10:09 -------- d-----w- c:\documents and settings\Chrisfromhell\Application Data\Malwarebytes
    2010-10-29 10:09 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-29 10:08 . 2010-10-29 10:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-29 10:08 . 2010-10-29 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-29 10:08 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-27 06:13 . 2010-10-27 06:13 -------- d-----w- c:\documents and settings\Chrisfromhell\Application Data\Safer Networking
    2010-10-27 06:12 . 2010-10-30 09:51 -------- d-----w- c:\program files\Safer Networking
    2010-10-26 02:25 . 2010-10-26 02:25 388096 ----a-r- c:\documents and settings\Chrisfromhell\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-26 02:25 . 2010-10-26 02:25 -------- d-----w- c:\program files\Trend Micro
    2010-10-25 05:35 . 2010-10-25 05:35 -------- d-----w- c:\program files\PS3 Media Server
    2010-10-25 03:12 . 2010-10-25 03:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-10-30_10.11.21 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-10-31 02:30 . 2010-10-31 02:30 16384 c:\windows\Temp\Perflib_Perfdata_274.dat
    + 2010-10-31 02:30 . 2010-10-31 02:30 16384 c:\windows\Temp\Perflib_Perfdata_248.dat
    + 2003-12-17 01:11 . 2003-12-17 01:11 65590 c:\windows\system32\pds.dll
    + 2003-12-17 01:11 . 2003-12-17 01:11 77875 c:\windows\system32\nts.dll
    + 2004-07-07 11:29 . 2004-07-07 11:29 83272 c:\windows\system32\NavLogon.dll
    + 2002-01-04 19:38 . 2002-01-04 19:38 54784 c:\windows\system32\msvci70.dll
    + 2003-12-17 01:11 . 2003-12-17 01:11 41017 c:\windows\system32\msgsys.dll
    + 1998-03-04 03:47 . 1998-03-04 03:47 77824 c:\windows\system32\loc32vc0.dll
    + 2004-06-11 10:28 . 2004-06-11 10:28 16280 c:\windows\system32\drivers\symredrv.sys
    + 2004-06-11 10:28 . 2004-06-11 10:28 51544 c:\windows\system32\drivers\symndis.sys
    + 2004-06-11 10:28 . 2004-06-11 10:28 46520 c:\windows\system32\drivers\symids.sys
    + 2004-06-11 10:28 . 2004-06-11 10:28 11000 c:\windows\system32\drivers\symdns.sys
    + 2003-12-17 01:11 . 2003-12-17 01:11 28723 c:\windows\system32\cba.dll
    + 2002-01-04 18:18 . 2002-01-04 18:18 84992 c:\windows\system32\atl70.dll
    + 2010-10-30 11:24 . 2010-10-30 11:24 40960 c:\windows\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
    + 2008-11-21 10:36 . 2010-10-31 02:30 16608 c:\windows\gdrv.sys
    - 2008-11-21 10:36 . 2010-10-30 09:56 16608 c:\windows\gdrv.sys
    + 2004-06-11 10:28 . 2004-06-11 10:28 115928 c:\windows\system32\SymRedir.dll
    + 2004-06-11 10:28 . 2004-06-11 10:28 509144 c:\windows\system32\SymNeti.dll
    + 2002-01-04 19:37 . 2002-01-04 19:37 344064 c:\windows\system32\msvcr70.dll
    + 2002-01-04 19:40 . 2002-01-04 19:40 487424 c:\windows\system32\msvcp70.dll
    + 2004-06-11 10:28 . 2004-06-11 10:28 263736 c:\windows\system32\drivers\symtdi.sys
    + 2004-06-11 10:28 . 2004-06-11 10:28 170200 c:\windows\system32\drivers\SymIDSCo.sys
    + 2004-06-11 10:28 . 2004-06-11 10:28 166136 c:\windows\system32\drivers\symfw.sys
    + 2010-10-30 11:24 . 2010-10-30 11:24 4835840 c:\windows\Installer\510c8e.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-12 18:07 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-12 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-12 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 66680]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-07-07 124232]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave2"=Digi32.dll
    "MIDI"=diomidi.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-11 22:08 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-13 23:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2008-06-19 08:20 57344 ------r- c:\windows\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-03 23:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
    2009-12-14 10:40 77824 ----a-w- c:\program files\Digidesign\Drivers\MMERefresh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2007-06-24 23:47 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 06:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
    2008-10-31 04:17 54576 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
    2009-11-11 02:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 07:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-06-27 03:23 16875008 ------r- c:\windows\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
    2007-06-24 23:47 1629480 ----a-w- c:\program files\Nero\Nero 7\InCD\NBHGui.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe"
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
    "NokiaOviSuite2"=c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "GEST"=m‘|\ü
    "H2O"=c:\program files\SyncroSoft\Pos\H2O\cledx.exe
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "AlcWzrd"=ALCWZRD.EXE
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "DigidesignMMERefresh"=c:\program files\Digidesign\Drivers\MMERefresh.exe
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe"
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe"
    "uifdxkhd"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe
    "svchost"=c:\documents and settings\Chrisfromhell\Application Data\Microsoft\svchost.exe
    "MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    "download"="c:\documents and settings\Chrisfromhell\Application Data\download2\svcnost.exe"
    "SoundMan"=SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\chris_cfh\\counter-strike source\\hl2.exe"=
    "c:\\DoW2\\DOW2.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Steam\\steamapps\\chris_cfh\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [21/11/2008 7:15 PM 464264]
    R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [11/02/2010 12:12 AM 16400]
    R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [21/11/2008 6:37 PM 80392]
    R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [10/02/2009 5:42 PM 33792]
    R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [11/02/2010 12:12 AM 85008]
    R3 iLokDrvr;Usb Driver;c:\windows\system32\drivers\iLokDrvr.sys [23/12/2009 11:36 AM 54328]
    S3 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys --> c:\windows\system32\DRIVERS\MBX2DFU.sys [?]
    S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys --> c:\windows\system32\drivers\mbx2midk.sys [?]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [24/04/2010 5:53 PM 137344]
    S3 ZOOM_R16MTR;ZOOM R16 Audio Interface;c:\windows\system32\Drivers\zmr16usbaudio.sys --> c:\windows\system32\Drivers\zmr16usbaudio.sys [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [23/11/2008 4:41 PM 717296]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-23 08:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-29 c:\windows\Tasks\Vuze.job
    - c:\progra~1\Vuze\Azureus.exe [2008-11-21 13:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = "hxxp://www.daemon-search.com/startpage
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Chrisfromhell\Application Data\Mozilla\Firefox\Profiles\vxwogjq7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\Chrisfromhell\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\PACE Anti-Piracy\iLok\NPPaceILok.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1390067357-1844237615-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:45,4d,3c,4a,40,2b,bb,a6,da,b3,c6,49,68,27,c3,36,67,1e,e6,fa,9e,
    c5,02,ec,f1,29,66,d7,b8,ac,91,53,f4,ba,70,c8,aa,aa,52,fa,9b,2c,95,71,ce,24,\
    "rkeysecu"=hex:ec,aa,4d,bc,97,00,87,a0,75,06,d2,e4,81,9d,23,f2
    .
    Completion time: 2010-10-17 10:55:12
    ComboFix-quarantined-files.txt 2010-10-17 02:55
    ComboFix2.txt 2010-10-30 10:12

    Pre-Run: 36,565,831,680 bytes free
    Post-Run: 36,547,354,624 bytes free

    - - End Of File - - 6D131CC55366C4176B37B9E1B29E9065
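    The ComboFix log above still carries the redirect mechanism this thread is chasing: both IE (`uInternet Settings,ProxyServer`) and Firefox (`network.proxy.http`) point at a proxy on 127.0.0.1:50370, the `run-` key lists an `svchost.exe` and an `svcnost.exe` under the user's Application Data, and Security Center monitoring of the AV is switched off. As an added example that is not part of this thread or of ComboFix/DDS, a small Python triage script that flags those three patterns in log lines of this shape; the sample lines are constructed in the same format, and the rule names are my own.

```python
"""Triage helper for ComboFix / DDS style log lines (added example, not a thread tool)."""
import re

# Constructed sample in the shape of the log lines posted in this thread.
SAMPLE_LOG = r"""
uStart Page = "hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyServer = http=127.0.0.1:50370
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 66680]
"uifdxkhd"=c:\documents and settings\Chrisfromhell\Local Settings\Application Data\resnisqqv\gnjromptssd.exe
"svchost"=c:\documents and settings\Chrisfromhell\Application Data\Microsoft\svchost.exe
"download"="c:\documents and settings\Chrisfromhell\Application Data\download2\svcnost.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
"DisableMonitoring"=dword:00000001
"""

# A proxy host on the loopback range means some local process sits between the
# browser and the network; that is how the redirects in this thread were done.
LOOPBACK = re.compile(r"(?<![\d.])(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(?![\d.])", re.I)
IE_PROXY = re.compile(r"Internet Settings,ProxyServer\s*=\s*(?P<val>\S+)", re.I)
FF_PROXY = re.compile(r"prefs\.js:\s*network\.proxy\.(?:http|ssl|socks|ftp)\s*-\s*(?P<val>\S+)", re.I)

# Autorun entries as ComboFix prints them ("name"=path) and as DDS prints them (mRun: [name] path).
REG_RUN = re.compile(r'^\s*"[^"]+"\s*=\s*"?(?P<path>[a-z]:\\[^"\[]+?\.exe)', re.I)
DDS_RUN = re.compile(r'^\s*[mu]Run:\s*\[[^\]]+\]\s*"?(?P<path>[a-z]:\\[^"]+?\.exe)', re.I)

# Locations a normal installer does not use for an autorun binary: the user's
# profile (long and 8.3 forms, XP and Vista+ layouts) and any Temp folder.
USER_PROFILE = re.compile(
    r"\\(?:documents and settings|docume~1|users)\\[^\\]+\\"
    r"(?:application data|applic~1|local settings|locals~1|appdata)\\", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)

# Core Windows binary names that should only ever live directly under \windows or \windows\system32.
WINDOWS_DIR = re.compile(r"\\windows\\(?:system32\\)?[^\\]+$", re.I)
SYSTEM_NAMES = {"svchost.exe", "dwm.exe", "csrss.exe", "lsass.exe",
                "services.exe", "winlogon.exe", "explorer.exe"}

# Security Center told to stop monitoring an AV product.
AV_DISABLED = re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1\b', re.I)


def triage(log_text):
    """Return (rule, line) pairs for every log line that trips one of the checks.

    A single line can trip more than one rule (e.g. an svchost.exe under Application
    Data is both 'from user profile' and 'system name outside Windows').
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = IE_PROXY.search(line)
        if m and LOOPBACK.search(m.group("val")):
            findings.append(("ie-loopback-proxy", line))

        m = FF_PROXY.search(line)
        if m and LOOPBACK.search(m.group("val")):
            findings.append(("ff-loopback-proxy", line))

        m = REG_RUN.match(line) or DDS_RUN.match(line)
        if m:
            path = m.group("path")
            if USER_PROFILE.search(path) or TEMP_DIR.search(path):
                findings.append(("autorun-from-user-profile", line))
            basename = path.rsplit("\\", 1)[-1].lower()
            if basename in SYSTEM_NAMES and not WINDOWS_DIR.search(path):
                findings.append(("system-name-outside-windows", line))

        if AV_DISABLED.search(line):
            findings.append(("security-center-monitoring-disabled", line))
    return findings


def count_by_rule(findings):
    """Summarise triage() output as {rule: number of lines}."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
    print(count_by_rule(triage(SAMPLE_LOG)))
```

Feed it a whole pasted ComboFix or DDS log and the loopback-proxy and profile-path hits are the lines to look at first; a legitimate local proxy (a filtering tool) or a portable app run from a profile folder will also trip it, so each hit still needs a look.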

  8. #8
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi chrisfromhell

    • Please download Rootkit Unhooker Save it to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Check (tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • Save the report somewhere where you can find it. Click Close.
    Copy the entire contents of the report and paste it in a reply here. Also post fresh DDS logs.

    Note: you may get this warning; it is OK, just ignore it:

    Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  9. #9
    Guest
    Join Date
    Oct 2010
    Posts
    9

    Default

    Hi Peku

    Below and attached are the logs as requested. I am no longer getting re-directed and performance has improved.

    RkU Version: 3.8.388.590, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 2)
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0xB8DB5000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 5582848 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
    0xAC634000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4915200 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
    0xBF216000 C:\WINDOWS\System32\ati3duag.dll 3903488 bytes (ATI Technologies Inc. , ati3duag.dll)
    0xBF9C4000 C:\WINDOWS\System32\ativvaxx.dll 2539520 bytes (Advanced Micro Devices, Inc. , Radeon Video Acceleration Universal Driver)
    0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2142208 bytes
    0x804D7000 RAW 2142208 bytes
    0x804D7000 WMIxWDM 2142208 bytes
    0xBF800000 Win32k 1851392 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xB8C51000 C:\WINDOWS\system32\drivers\dalwdm.sys 823296 bytes (Avid, Inc. All rights reserved., 32-bit Abstraction Layer Driver)
    0xBF060000 C:\WINDOWS\System32\ati2cqag.dll 700416 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
    0xBF10B000 C:\WINDOWS\System32\atikvmag.dll 679936 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
    0xAC4F1000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040213.016\navex15.sys 593920 bytes (Symantec Corporation, AV Engine)
    0xB9E04000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xAC1BE000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
    0xAC262000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xBF1B1000 C:\WINDOWS\System32\atiok3x2.dll 413696 bytes (Advanced Micro Devices, Inc., Ring 0 x2 component)
    0xAC449000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0xB8B8B000 C:\WINDOWS\system32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)
    0xA904D000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
    0xAC595000 C:\Program Files\Symantec AntiVirus\savrt.sys 323584 bytes (Symantec Corporation, AutoProtect)
    0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 319488 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
    0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
    0xA8A01000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xAC409000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 262144 bytes (Symantec Corporation, Network Dispatch Driver)
    0xB8BE4000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
    0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xA91C8000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0xB9DD7000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0xA596E000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
    0xAC2D2000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xAC31F000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
    0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
    0xB8D7C000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
    0xA5BCC000 C:\WINDOWS\system32\drivers\PnkBstrK.sys 147456 bytes
    0xB8D58000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xB8D35000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0xAC2FD000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0xAC3E7000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 139264 bytes (Microsoft Corporation, IP Network Address Translator)
    0xACAE4000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0x806E2000 ACPI_HAL 134400 bytes
    0x806E2000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xB9EEB000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xB9EBB000 TPkd.sys 122880 bytes (PACE Anti-Piracy, Inc., InterLok system file)
    0xAC4B5000 C:\WINDOWS\system32\drivers\InCDFs.sys 114688 bytes (Nero AG, InCD File System Driver)
    0xACB06000 C:\WINDOWS\system32\drivers\AtiHdmi.sys 110592 bytes (ATI Research Inc., Ati High Definition Audio Function Driver)
    0xB8D1A000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 110592 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
    0xB9DBD000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
    0xAC1A6000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
    0xB9EA4000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xB8C26000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xA8CF0000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xB8C3D000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
    0xB8DA1000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0xAC4A2000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xAC582000 C:\Program Files\Symantec\SYMEVENT.SYS 77824 bytes (Symantec Corporation, Symantec Event Librar

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Chrisfromhell at 21:51:36.84 on Sun 17/10/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2885 [GMT 8:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Chrisfromhell\My Documents\Downloads\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = "hxxp://www.daemon-search.com/startpage
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    StartupFolder: c:\docume~1\chrisf~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\chrisf~1\applic~1\mozilla\firefox\profiles\vxwogjq7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\chrisfromhell\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\pace anti-piracy\ilok\NPPaceILok.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============

    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
    R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2008-11-21 464264]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
    R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2010-2-11 16400]
    R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-11-21 80392]
    R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-7-7 1267024]
    R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-2-10 33792]
    R3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2010-2-11 85008]

  10. #10
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi chrisfromhell
    I am no longer getting re-directed and performance has improved.
    I like good news

    TFC (Temp File Cleaner)

    • Please download TFC to your desktop
    • Save any unsaved work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program.
    • If prompted, click Yes to reboot.


    NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
