Google Redirect/Random Tabs

When we try and search something via google, often the link will redirect us to another site. Occasionally random tabs/windows will open. Sometimes it is the google site with some addition to the end (after .com, like .com/???/) other times it looks to be spam ads.

I ran both DDS and GMER. I have attached the two DDS logs but when I ran GMER it took around 3+ hours and then I got the BSOD with the title PFN_LIST_CORRUPT.

Thanks for any help.

Edited by uga_dawgs24, 17 June 2010 - 03:30 PM.

Hi uga_dawgs24,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

The condition is still the same. Still have google redirects, still have random popups, random firefox shutting down.

1. Run GMER, uncheck all boxes except the box next to Sections (C drive should remain checked), click Scan.
   When it finished press Save to save the log and post it to your reply. It will not take more than a minute.
   
   
2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).
   
   Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:
   
   
   CODE
   @echo off
   if exist mbr.log del mbr.log
   mbr.exe -t
   ping 1.1.1.1 -n 1 -w 1000 >nul
   start mbr.log
   
   
   • Go to the File menu at the top of the Notepad and select Save as.
   • Select Save in: desktop
   • Fill in File name: look.bat
   • Save as type: All file types (*.*)
   • Click save.
   • Close the Notepad.
   • Locate look.bat on the desktop. It should look like this:
   • Double-click to run it.
   • A notepad opens, copy and paste the content (log.txt) to your reply.

I have attached the GMER scan log.

When I try and download the MBR file I click on save as as the file says, but it doesn't give em an option of where to gave it. It just goes to the download window. The same thing happened for GMEr and I had to go in and manually move the file to the desktop, which I can't do here since I can't open the file.

No need for the other log.

1. You can set Firefox to give you the option to save the downloads where you want. To do that:
   
   Open Firefox =>under Tools menu click on Options... => under General tab check Always ask me where to save files. Click OK.
   
   
2. We are going to run this special tool.
   • Please download TDSSKiller.exe and save it to your desktop.
   • Run TDSSKiller.exe.
   • When it finished press any key to continue.
   • Let reboot if needed and tell me if it needed a reboot.
   • Also it makes a txt file on the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your replay.

1. Thanks for showing me that.

2. Ran it and yes it needed a reboot. It said it found a TDSS rootkit and needed to be rebooted to remove it. I have also attached the log.

The rootkit is taken care of and the issue should have been resolved.

But we need to do some additional steps to prevent reinfection.

1. You have the latest version of Java (Java 6 Update 20) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
   Please unisntall the following:
   
   J2SE Runtime Environment 5.0 Update 6
   
   
2. Open your Malwarebytes' Anti-Malware.
   • First update it, to do that under the Update tab press "Check for Updates".
   • Under Scanner tab select "Perform Quick Scan", then click Scan.
   • When the scan is complete, click OK, then Show Results to view the results.
   • Make sure that everything is checked, and click Remove Selected.
   • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
   • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
   • Copy&Paste the MBAM log.
   
   Extra Note:
   If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
   
   
3. You AVG is not upgraded to to AVG 9 and this is a security risk. Do you have a subscription? Do you want to install a free version of AVG or free another antivirus? To upgrade you should download the latest version but not install it. Uninstall the old version and then install the downloaded version. Please tell me what you are going to do about it.

Here is the scan:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4225

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/22/2010 1:11:55 PM
mbam-log-2010-06-22 (13-11-55).txt

Scan type: Quick scan
Objects scanned: 164066
Time elapsed: 13 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


In regards to AVG, we have a subscription. It expires the end up September. Is there a way to upgrade it without buying the new one quite yet? Or would we be better off just downloading the free one as well?

Some antivirus vendors upgrade for free. You may contact AVG support or AVG forum.

There are still some entries on DDS log, they might be leftovers but we have to make sure.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
• Double click on ComboFix.exe & follow the prompts.
• You will get a warning about the not trusted download sites for ComboFix, click Yes.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

ComboFix 10-06-22.02 - Sally 06/22/2010 16:52:21.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1291 [GMT -4:00]
Running from: c:\documents and settings\Sally\Desktop\ComboFix.exe
AV: AVG Internet Security 3-pack *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sally\GoToAssistDownloadHelper.exe
c:\documents and settings\Sally\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Sally\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\xpsp1hfm.log
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-14 12:39 . 2010-06-14 12:38 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-11 12:39 . 2010-06-11 12:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-06-11 00:31 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-11 00:31 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-11 00:31 . 2010-06-11 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 06:24 . 2010-06-09 23:47 -------- d-----w- c:\documents and settings\Sally\Local Settings\Application Data\hrjvway
2010-05-31 11:22 . 2010-05-31 11:22 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb2704.tmp.exe
2010-05-29 11:15 . 2010-05-29 11:15 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1C42.tmp.exe
2010-05-28 13:30 . 2010-05-28 13:30 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1410.tmp.exe
2010-05-27 14:50 . 2010-05-27 14:50 -------- d-----w- c:\documents and settings\Sally\Application Data\VirtualStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-22 19:07 . 2008-08-14 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-22 16:56 . 2008-04-08 23:38 -------- d-----w- c:\program files\Common Files\Java
2010-06-22 14:44 . 2004-08-04 03:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-06-19 14:53 . 2009-04-06 15:36 2829 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-06-18 12:20 . 2008-04-27 14:08 -------- d-----w- c:\documents and settings\Sally\Application Data\U3
2010-06-18 09:53 . 2008-04-20 19:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-17 14:33 . 2008-04-08 23:47 -------- d-----w- c:\program files\Google
2010-06-15 20:32 . 2008-04-08 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-14 12:38 . 2008-04-08 23:38 -------- d-----w- c:\program files\Java
2010-06-12 12:52 . 2008-04-10 21:31 73600 ----a-w- c:\documents and settings\Sally\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-11 00:23 . 2010-04-29 23:56 -------- d-----w- c:\program files\NCH Software
2010-06-11 00:21 . 2010-04-29 23:56 -------- d-----w- c:\documents and settings\Sally\Application Data\NCH Software
2010-05-30 15:15 . 2008-05-24 02:02 -------- d-----w- c:\program files\Coupons
2010-05-26 22:33 . 2008-04-08 23:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-26 22:33 . 2009-04-09 12:34 -------- d-----w- c:\documents and settings\Sally\Application Data\Cogniview
2010-05-26 22:33 . 2009-04-09 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Cogniview
2010-05-26 22:32 . 2008-04-08 23:47 -------- d-----w- c:\program files\Dell
2010-05-26 22:30 . 2010-04-29 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-05-23 07:33 . 2010-05-23 07:33 61440 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63693c37-n\decora-sse.dll
2010-05-23 07:33 . 2010-05-23 07:33 503808 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32bde041-n\msvcp71.dll
2010-05-23 07:33 . 2010-05-23 07:33 499712 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32bde041-n\jmc.dll
2010-05-23 07:33 . 2010-05-23 07:33 348160 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-32bde041-n\msvcr71.dll
2010-05-23 07:33 . 2010-05-23 07:33 12800 ----a-w- c:\documents and settings\Sally\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-63693c37-n\decora-d3d.dll
2010-05-09 16:55 . 2010-05-09 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies
2010-04-06 11:16 . 2009-04-12 18:46 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-04-06 11:16 . 2009-04-12 18:46 1352968 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-08 68856]
"Upromise Update"="c:\program files\Upromise\dca-ua.exe" [2009-07-01 81920]
"Upromise Tray"="c:\program files\Upromise\UpromiseTray.exe" [2009-07-01 167936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-17 2046816]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"BellSouthReportingAgent"="c:\program files\Common Files\Motive\McciBootStrapper.exe" [2004-06-25 204800]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-8 24576]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-2-2 984352]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-30 13:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/19/2009 8:11 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2009 8:11 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2009 8:11 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/24/2009 8:53 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/19/2009 8:11 PM 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/24/2009 8:53 AM 1370488]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/19/2009 8:10 PM 29208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/20/2009 7:55 PM 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/19/2009 8:10 PM 29208]
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2008-07-13 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8207863851.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 04:52]

2010-06-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-08 11:46]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 23:54]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-20 23:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wsbtv.com/index.html
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_AE31856476A4FE41.dll/cmsidewiki.html
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Sally\Application Data\Mozilla\Firefox\Profiles\kdlp4qhg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wsbtv.com/index.html
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-wrqxhrehbmqpqx - c:\documents and settings\sally\local settings\application data\hrjvway\lfjhcwu.exe
HKLM-Run-wrqxhrehbmqpqx - c:\documents and settings\sally\local settings\application data\hrjvway\lfjhcwu.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 17:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3308)
c:\windows\system32\WININET.dll
c:\program files\Google\Google Desktop Search\GoogleDesktopCommon.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-06-22 17:07:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-22 21:07

Pre-Run: 466,297,982,976 bytes free
Post-Run: 466,799,267,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DFE20729B6819DC6981B66FF16E48078

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:

• Go to the File menu at the top of the Notepad and select Save as.
• Select Save in: desktop
• Fill in File name: look.bat
• Save as type: All file types (*.*)
• Click save.
• Close the Notepad.
• Locate look.bat on the desktop. It should look like this:
• Double-click to run it.
• A notepad opens, copy and paste the content (log.txt) to your reply.

When the log popped up there was nothing in it. It says log but the notepad itself is completely blank.

It looks good.

1. It is important to uninstall ComboFix.
   
   Go to Start => Run => copy and paste next command in the field then hit enter:
   
   ComboFix /Uninstall
   
   This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
   
   It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.
   
   
2. You may delete any tool or log we used from your computer.

Happy Surfing uga_dawgs24.

Thanks.

When I tried to unistall combofix I got a lot of little popups saying it couldn't do something, I forgot what they said. It seems to be gone now.

There seems to be a new problem though. My sound is not working now. I have just noticed this happen after I removed combofix and some of the other stuff. Sounds is turned on, it just isn't working.

Here is another dds log if it might help.