21 replies to this topic

[diageminc]

Please help, google searches are getting redirected to unrelated sites, MBAM log found below shows no issues, HJT log copied below

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/8/2009 1:38:22 PM
mbam-log-2009-04-08 (13-38-22).txt

Scan type: Quick Scan
Objects scanned: 83876
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:49 PM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\EZBackitup\EZBkuptray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Perfect Keyboard\PK32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\RemoteView\RemoteView.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.ebay....outme/diageminc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [EZBack-it-up Tray Scheduler] C:\Program Files\EZBackitup\EZBkuptray.exe
O4 - Startup: Shortcut to PK32.lnk = C:\Program Files\Perfect Keyboard\PK32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.co...er/3.2/ebie.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - http://cs8b.instants...erxsigned42.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://promero.webe...bex/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} - http://192.168.0.200/cab/RPB.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6945 bytes

[miekiemoes]

Hi,

First of all, please update MalwareBytes, because the databaseversion is outdated.

• Start MalwareBytes and click the Update tab. There click "Check for updates"
  
• In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  
• Once the updates are downloaded, perform a full scan again.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[diageminc]

Hello,

here is the fresh MBAM log and HJT log, on a side note there is a folder called "viewpoint" under program files, when i tried to open the folder it does not open, when i tried to delete the folder it gives some type of a "redundant cyclic error" and MBAM scan takes a long time to scan this particular folder


Malwarebytes' Anti-Malware 1.36
Database version: 1958
Windows 5.1.2600 Service Pack 3

4/10/2009 9:16:44 AM
mbam-log-2009-04-10 (09-16-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 228181
Time elapsed: 2 hour(s), 25 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\loader[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\ftp[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\loader[1].exe (Trojan.Small) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\ftp[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:16 AM, on 4/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\EZBackitup\EZBkuptray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Perfect Keyboard\PK32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\RemoteView\RemoteView.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.ebay....outme/diageminc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [EZBack-it-up Tray Scheduler] C:\Program Files\EZBackitup\EZBkuptray.exe
O4 - Startup: Shortcut to PK32.lnk = C:\Program Files\Perfect Keyboard\PK32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.co...er/3.2/ebie.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - http://cs8b.instants...erxsigned42.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/...he.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://promero.webe...bex/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup155.cab
O16 - DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} - http://192.168.0.200/cab/RPB.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6995 bytes

miekiemoes, on Apr 9 2009, 11:52 AM, said:

Hi,

First of all, please update MalwareBytes, because the databaseversion is outdated.

• Start MalwareBytes and click the Update tab. There click "Check for updates"
  
• In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  
• Once the updates are downloaded, perform a full scan again.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[miekiemoes]

Hi,

Delete the Viewpoint folder from Windows safe mode. It's just a leftover related with Viewpoint media player. If it's present or not, it's no issue...

Your logs look clean again. Let me know in your next reply how things are now.
By the way, please install an Antivirus, because nothing is currently preventing malware.

[diageminc]

hi,

The issue persists, google search are getting redirected

a bit confused about the AntiVirus suggestion, i have bought Malware and it is currently setup to start in system tray, will that not protect?

please advise

miekiemoes, on Apr 10 2009, 10:14 PM, said:

Hi,

Delete the Viewpoint folder from Windows safe mode. It's just a leftover related with Viewpoint media player. If it's present or not, it's no issue...

Your logs look clean again. Let me know in your next reply how things are now.
By the way, please install an Antivirus, because nothing is currently preventing malware.

[miekiemoes]

Hi,

MalwareBytes is not really an Antivirus. That's why you need an Antivirus.

* Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

[diageminc]

thanks here is the report from avira




Avira AntiVir Personal
Report file date: Monday, April 13, 2009 09:43

Scanning for 1347764 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Amit
Computer name : AMITNEWCOMP

Version information:
BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 20:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:33:26
ANTIVIR2.VDF : 7.1.3.0 1330176 Bytes 4/1/2009 17:39:18
ANTIVIR3.VDF : 7.1.3.43 178688 Bytes 4/13/2009 17:39:19
Engineversion : 8.2.0.138
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/28/2009 01:36:42
AESCRIPT.DLL : 8.1.1.73 373114 Bytes 4/13/2009 17:39:31
AESCN.DLL : 8.1.1.10 127348 Bytes 4/13/2009 17:39:30
AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 02:24:41
AEPACK.DLL : 8.1.3.12 397687 Bytes 4/13/2009 17:39:29
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 04:01:56
AEHEUR.DLL : 8.1.0.114 1700214 Bytes 4/13/2009 17:39:27
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 04:01:56
AEGEN.DLL : 8.1.1.33 340340 Bytes 4/13/2009 17:39:22
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40
AECORE.DLL : 8.1.6.7 176502 Bytes 4/13/2009 17:39:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 15:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 19:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 23:55:12

Configuration settings for the scan:
Jobname.............................: Local Drives
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\alldrives.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, A:, D:, E:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, April 13, 2009 09:43

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'PK32.EXE' - '1' Module(s) have been scanned
Scan process 'sqlmangr.exe' - '1' Module(s) have been scanned
Scan process 'EZBkuptray.exe' - '1' Module(s) have been scanned
Scan process 'mbamgui.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'QBCFMonitorService.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '55' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\America Online 8.0\AdminChk1.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Program Files\Trend Micro\Internet Security(2)\Quarantine\rdl2.tmp
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Trend Micro\Internet Security(2)\Quarantine\rdl2.tmp
[DETECTION] Contains recognition pattern of the RKIT/Agent.AIUL root kit
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000065.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\Mpahifoha.dll
[DETECTION] Is the TR/Agent.assk Trojan
C:\WINDOWS\SYSTEM32\AlxRes.dll.bak
[DETECTION] Contains recognition pattern of the ADSPY/AlexaBar.A.13 adware or spyware
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\lich[1].exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\zk[1].exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\main[1].exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\serv[1].exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\zn[1].exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'A:\'
Search path A:\ could not be opened!
System error [21]: The device is not ready.
Begin scan in 'D:\'
Search path D:\ could not be opened!
System error [21]: The device is not ready.
Begin scan in 'E:\'
Search path E:\ could not be opened!
System error [21]: The device is not ready.

Beginning disinfection:
C:\Program Files\America Online 8.0\AdminChk1.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a508a9b.qua'!
C:\Program Files\Trend Micro\Internet Security(2)\Quarantine\rdl2.tmp
[NOTE] The file was moved to '4a4f8a9c.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000065.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a138a68.qua'!
C:\WINDOWS\Mpahifoha.dll
[DETECTION] Is the TR/Agent.assk Trojan
[NOTE] The file was moved to '4a448aa8.qua'!
C:\WINDOWS\SYSTEM32\AlxRes.dll.bak
[DETECTION] Contains recognition pattern of the ADSPY/AlexaBar.A.13 adware or spyware
[NOTE] The file was moved to '4a5b8aa4.qua'!
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4BSPEZOF\lich[1].exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4a468aa1.qua'!
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\zk[1].exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4a3e8aa3.qua'!
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\main[1].exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4a4c8a99.qua'!
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\serv[1].exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a558a9d.qua'!
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\zn[1].exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a3e8aa6.qua'!


End of the scan: Monday, April 13, 2009 10:53
Used time: 1:08:57 Hour(s)

The scan has been done completely.

10077 Scanned directories
485165 Files were scanned
10 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
10 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
485153 Files not concerned
3534 Archives were scanned
2 Warnings
12 Notes

miekiemoes, on Apr 13 2009, 05:21 PM, said:

Hi,

MalwareBytes is not really an Antivirus. That's why you need an Antivirus.

* Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

[miekiemoes]

Hi,

Are you still having problems?

[diageminc]

hi unfortunately the problem is still there, i just did a search and it redirected the site to something else

miekiemoes, on Apr 13 2009, 07:00 PM, said:

Hi,

Are you still having problems?

[diageminc]

forgot to mention that the redirect occurs only on the first try, after that it does take you to the correct site

diageminc, on Apr 13 2009, 07:07 PM, said:

hi unfortunately the problem is still there, i just did a search and it redirected the site to something else

[miekiemoes]

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[diageminc]

Please find the ComboFix log here, i appreciate your help

ComboFix 09-04-14.09 - Amit 04/14/2009 9:41.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.631 [GMT -8:00]
Running from: c:\documents and settings\Amit\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2012-12-12 12:12 . 2012-12-12 12:12 65536 ------w c:\windows\system32\MSRTEDIT.DLL
2012-12-12 12:12 . 2012-12-12 12:12 1221464 ------w c:\windows\system32\IMMC.EXE
2009-04-13 17:36 . 2009-02-13 19:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-13 17:35 . 2009-04-13 17:35 -------- d-----w c:\program files\Avira
2009-04-13 17:35 . 2009-04-13 17:35 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-03-23 20:51 . 2009-03-23 20:51 -------- d-----w c:\documents and settings\Amit\Application Data\InstallShield Installation Information
2009-03-23 20:51 . 2009-03-23 20:55 -------- d-----r c:\program files\CMS Products

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 22:01 . 2005-06-09 20:24 -------- d-----w c:\program files\America Online 8.0
2009-04-09 19:45 . 2004-05-10 22:32 -------- d-----w c:\program files\Common Files\AOL
2009-04-09 19:44 . 2007-03-29 00:00 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-09 19:44 . 2008-07-18 20:12 -------- d-----w c:\program files\QuickTime
2009-04-09 19:44 . 2004-05-10 22:31 -------- d-----w c:\program files\Modem Helper
2009-04-09 19:44 . 2005-01-14 22:25 -------- d-----w c:\program files\Galaxy
2009-04-09 19:44 . 2004-06-10 00:44 -------- d-----w c:\program files\DMMultiView
2009-04-09 19:44 . 2005-01-12 18:07 -------- d-----w c:\program files\Common Files\aolshare
2009-04-09 19:43 . 2008-04-04 23:04 -------- d-----w c:\program files\Audible
2009-04-09 19:43 . 2005-01-13 22:34 -------- d-----w c:\program files\America Online 7.0
2009-04-08 21:33 . 2009-02-25 21:16 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 23:32 . 2009-02-25 21:43 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 23:32 . 2009-02-25 21:43 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-10 17:42 . 2009-02-25 19:51 -------- d-----w c:\program files\Trend Micro
2009-03-09 16:18 . 2007-02-23 20:22 -------- d-----w c:\documents and settings\Amit\Application Data\Corel
2009-02-26 19:26 . 2009-02-26 19:26 -------- d-----w c:\program files\BannerDesignerPro
2009-02-26 18:13 . 2009-02-26 18:13 -------- d-----w c:\program files\EZBackitup
2009-02-25 22:17 . 2009-02-25 22:17 -------- d-----w c:\program files\CCleaner
2009-02-25 21:52 . 2009-02-25 21:52 -------- d-----w c:\documents and settings\Administrator.AMITNEWCOMP\Application Data\Malwarebytes
2009-02-25 21:43 . 2009-02-25 21:43 -------- d-----w c:\documents and settings\Amit\Application Data\Malwarebytes
2009-02-25 21:38 . 2009-02-25 19:52 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-25 21:16 . 2009-02-25 21:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-25 19:12 . 2009-02-25 19:12 -------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2009-02-09 11:13 . 2008-10-16 16:44 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2003-07-15 21:01 1846784 ------w c:\windows\SYSTEM32\win32k.sys
2009-01-28 18:02 . 2005-11-23 19:43 60744 ----a-w c:\documents and settings\Amit\g2mdlhlpx.exe
2009-01-17 05:35 . 2006-05-19 15:08 3594752 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-07-16 22:09 . 2004-06-05 19:33 74744 ----a-w c:\documents and settings\Amit\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-04-21 16:50 . 2006-04-21 16:50 630784 ----a-w c:\documents and settings\Amit\chatlnk.exe
2005-01-14 22:31 . 2005-01-14 22:31 127 ----a-w c:\documents and settings\Amit\Local Settings\Application Data\fusioncache.dat
2004-05-10 22:41 . 2009-02-25 21:45 40080 ----a-w c:\documents and settings\Administrator.AMITNEWCOMP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-05-10 22:41 . 2009-02-25 19:07 40080 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"= "c:\windows\system32\ieframe.dll" [2008-12-20 6066688]

[HKEY_CLASSES_ROOT\clsid\{f2cf5485-4e02-4f68-819c-b92de9277049}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"EZBack-it-up Tray Scheduler"="c:\program files\EZBackitup\EZBkuptray.exe" [2004-06-04 631808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\Amit\Start Menu\Programs\Startup\
Shortcut to PK32.lnk - c:\program files\Perfect Keyboard\PK32.EXE [2004-6-5 647168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-1-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2008-12-20 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 19:01 8704 ------w c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv50"= c:\windows\ir50_32.dll
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.GEOX"= c:\windows\GeoCodec.dll
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.mp42"= c:\windows\Mpg4c32.dll
"vidc.mp43"= c:\windows\Mpg4c32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLRebootNeeded]
/s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLToolbarDirRemoval]
rd [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-10-01 20:57 111936 ----a-w c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 06:04 114741 ------w c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 15:27 28672 ------w c:\windows\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-21 00:34 213936 ----a-w c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-03-21 00:34 213936 ----a-w c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-03-21 00:34 86960 ----a-w c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-10-02 02:57 289576 ----a-w c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-10-06 15:05 53248 ----a-w c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2002-11-08 07:22 4243456 ------w c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 ------w c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 23:09 413696 ----a-w c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 08:01 110592 ----a-w c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-31 00:45 313472 ----a-r c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
2002-11-08 07:22 770117 ------w c:\windows\SYSTEM32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2002-11-08 07:22 315392 ------w c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AdobeActiveFileMonitor5.0"=2 (0x2)
"NTService1"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 8.0\\waol.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WinAw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\RemoteView\\BcastTcp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1678:UDP"= 1678:UDP:Windows Media Format SDK (firefox.exe)
"1679:UDP"= 1679:UDP:Windows Media Format SDK (firefox.exe)
"1684:UDP"= 1684:UDP:Windows Media Format SDK (firefox.exe)
"1685:UDP"= 1685:UDP:Windows Media Format SDK (firefox.exe)
"1696:UDP"= 1696:UDP:Windows Media Format SDK (firefox.exe)
"1697:UDP"= 1697:UDP:Windows Media Format SDK (firefox.exe)

R3 AvFlt;Antivirus Filter Driver; [x]
R3 SQLAgent$SHIPWORKS;SQLAgent$SHIPWORKS;c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlagent.EXE [2002-12-18 311872]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-06 108289]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S2 MSSQL$SHIPWORKS;MSSQL$SHIPWORKS;c:\program files\Microsoft SQL Server\MSSQL$SHIPWORKS\Binn\sqlservr.exe [2002-12-18 7520337]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]

.
Contents of the 'Scheduled Tasks' folder

2004-06-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
.
- - - - ORPHANS REMOVED - - - -

SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://members.ebay.com/aboutme/diageminc
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\SYSTEM32\mscoree.dll
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://promero.webex.com/client/T23L/webex/ieatgpc.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup155.cab
DPF: {E84E5574-FAE4-4EE2-877D-092AFF688F21} - hxxp://192.168.0.200/cab/RPB.cab
FF - ProfilePath - c:\documents and settings\Amit\Application Data\Mozilla\Firefox\Profiles\default.5b1\
FF - prefs.js: browser.startup.homepage - hxxp://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&userid=diageminc
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 09:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2028)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\program files\Perfect Keyboard\keydll.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 17:45
ComboFix2.txt 2009-04-14 17:30
ComboFix3.txt 2009-03-12 18:00

Pre-Run: 39,588,352,000 bytes free
Post-Run: 39,573,938,176 bytes free

220 --- E O F --- 2009-03-14 00:23

miekiemoes, on Apr 14 2009, 12:24 AM, said:

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[miekiemoes]

Hi,

Please let me know to what sites it redirects. Is it in the searchresults you see it? Or is it when you click the links?
Also, do you have it in IE and Firefox together? This is really important to know.

Also, can you explain how comes that some legitimate files are having a much later datestamp?

2012-12-12 12:12 . 2012-12-12 12:12 65536 ------w c:\windows\system32\MSRTEDIT.DLL
2012-12-12 12:12 . 2012-12-12 12:12 1221464 ------w c:\windows\system32\IMMC.EXE

This is important to know, because if you did something to hack / crack certain software (office for example), then you should tell me, otherwise it will make it us more complicated.

Some other things I noticed that don't make sense though..

Quote

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"= "c:\windows\system32\ieframe.dll" [2008-12-20 6066688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2008-12-20 233472]

- - - - ORPHANS REMOVED - - - -

SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll

Those shouldn't be listed in a Combofix log in the first place. Have you been tinkering yourself with the registry etc?

[diageminc]

hi,

1. It redirects when i click on the links (the search results themselves are fine) , the sites it mostly redirects to are "search" type of sites such as topica, toseek, findstuff.com etc. somehow it recognizes the search term are product type of searches and then it assumes that i want to buy those type of products, and as mentioned previously it does not redirect all the time, if i click on the same link again then it does take me to the legitimate site.


2. I have IE and Firefox together, most of the time i use firefox only, but certain sites are not firefox friendly so for those sites i open up IE

3. Not sure why the files have a later datestamp, i am using cracked version photoshop and office

miekiemoes, on Apr 14 2009, 06:38 PM, said:

Hi,

Please let me know to what sites it redirects. Is it in the searchresults you see it? Or is it when you click the links?
Also, do you have it in IE and Firefox together? This is really important to know.

Also, can you explain how comes that some legitimate files are having a much later datestamp?

2012-12-12 12:12 . 2012-12-12 12:12 65536 ------w c:\windows\system32\MSRTEDIT.DLL
2012-12-12 12:12 . 2012-12-12 12:12 1221464 ------w c:\windows\system32\IMMC.EXE

This is important to know, because if you did something to hack / crack certain software (office for example), then you should tell me, otherwise it will make it us more complicated.

[miekiemoes]

Quote

i am using cracked version photoshop and office

The cracked office explains it.

Still unclear if you're having the problem in both browsers. If only in Firefox, then I know the cause:

1. Please download GooredFix and save it to your Desktop.

• Select "2. Fix Goored" by typing 2 and pressing Enter.
  
• Make sure all instances of Firefox are closed at this point.
  
• Type y at the prompt and press Enter again.
  
• A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

[diageminc]

HI,

I think the problem is only with Firefox, i am not 100% sure if IE has the same problem or not as i rarely use IE, I did try to do some search via IE and it did take me to the correct sites, so i think the problem is with Firefox, anyways here is the gored log

GooredFix v1.92 by jpshortstuff
Log created at 11:13 on 14/04/2009 running Option #2 (Amit)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{E67740CC-1986-4C00-9422-132985D6CB48}"="C:\Documents and Settings\Amit\Local Settings\Application Data\{E67740CC-1986-4C00-9422-132985D6CB48}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Amit\Local Settings\Application Data\{E67740CC-1986-4C00-9422-132985D6CB48}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

miekiemoes, on Apr 14 2009, 07:03 PM, said:

The cracked office explains it.

Still unclear if you're having the problem in both browsers. If only in Firefox, then I know the cause:

1. Please download GooredFix and save it to your Desktop.

• Select "2. Fix Goored" by typing 2 and pressing Enter.
  
• Make sure all instances of Firefox are closed at this point.
  
• Type y at the prompt and press Enter again.
  
• A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

[miekiemoes]

Quote

I think the problem is only with Firefox, i am not 100% sure if IE has the same problem or not as i rarely use IE, I did try to do some search via IE and it did take me to the correct sites, so i think the problem is with Firefox, anyways here is the gored log

That's why this was so important to know. Since I suspected it only in Firefox anyway, I already gave you the tool to deal with it either.
Normally redirections should be gone now. Please let me know

[diageminc]

Thanks for your help, i think the issue is solved, can I ask what was the problem?

miekiemoes, on Apr 14 2009, 07:22 PM, said:

That's why this was so important to know. Since I suspected it only in Firefox anyway, I already gave you the tool to deal with it either.
Normally redirections should be gone now. Please let me know

[miekiemoes]

Quote

can I ask what was the problem?

You were also dealing with a search hijacker which installed a hidden extension in your Firefox.
We solved that one now.

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[diageminc]

Thanks for all your help, I appreciate the excellent work and help that you have provided .