I have been fighting a losing battle against IE redirects for anything that is linked via a Google search. If I click on something in my favorites, it goes to the correct page. Also, if I copy and paste a URL into the browser, it goes to it properly. Only the search links are being hijacked/redirected, and nothing seems to help. I have scanned with Microsoft Security Essentials, Malwarebytes, SUPERAntiSpyware, Spybot S&D... nothing seems to have any effect. I had an Alureon infection a while back, but TDSSKiller took it out. I recently had a Ramnit.B infection which apparently was the cause of my current problem, although it no longer pops up on MSE scans (it was constantly popping up just on the "live" monitoring). My winlogon.exe file apparently became corrupted, as the PC went into an endless loop of trying to restart, then shutting down because of winlogon having issues. It caused me to have to reinstall (repair) my XP, just to get the PC to function. I then had to reload/install the XP service packs. I have had some trouble with winlogon again, but after a couple of tries, the winlogon "failure" windows that pop up don't shut down the PC. Oftentimes, when something nasty has popped up, for seemingly no reason Adobe's AcroRd32.exe has started up out of the blue, which prompted me to try to delete it, but a couple of the files won't delete. I don't know how much of all that is relevant or if I am leaving anything out, but I sure would be grateful if anyone can help me. Many thanks in advance.
Here is the dds.txt (attach.txt and ark.txt are attached).
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 8:45:05.57 on Fri 08/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.295 [GMT -4:00]
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uWindow Title = Microsoft Internet Explorer provided by Comcast
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer provided by Comcast
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: google.com
Trusted Zone: google.com\maps
Trusted Zone: google.com\www
Trusted Zone: yahoo.com\games
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213142040551
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213143317687
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: sethlp - {0686A401-1ED1-7411-2CC4-0751000741B2} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 65.75.216.6 www.winmx.com err.winmx.com
Hosts: 205.238.40.54 www.winmx.com err.winmx.com
Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
Note: multiple HOSTS entries found. Please refer to Attach.txt
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-6-11 2560]
S0 wgnqtu;wgnqtu;c:\windows\system32\drivers\efxh.sys --> c:\windows\system32\drivers\efxh.sys [?]
S0 yokmtm;yokmtm;c:\windows\system32\drivers\pcbuaqje.sys --> c:\windows\system32\drivers\pcbuaqje.sys [?]
============== File Associations ===============
regfile=regedit.exe "%1" %*
scrfile="%1" %*
=============== Created Last 30 ================
2010-08-13 12:41:45 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-08-13 07:48:57 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-13 07:48:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-13 07:33:01 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-08-13 04:39:31 0 d-----w- c:\program files\Trend Micro
2010-08-12 01:40:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-08-11 05:11:55 10841088 ----a-w- c:\windows\system32\OLD2.tmp
2010-08-11 04:38:17 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-11 04:38:17 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-08-11 04:38:17 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-11 04:38:17 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-11 04:38:17 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-08-11 04:38:17 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-11 04:38:17 11077120 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-08-11 04:38:07 16896 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-08-11 04:19:58 3558912 -c--a-w- c:\windows\system32\dllcache\moviemk.exe
2010-08-11 04:19:33 354304 -c----w- c:\windows\system32\dllcache\srv.sys
2010-08-11 04:17:56 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-11 04:16:04 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-11 04:14:41 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-08-11 04:14:41 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-08-11 04:14:33 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-11 04:12:12 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-08-11 04:10:23 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-08-11 04:07:27 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-08-11 04:07:22 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-08-11 04:05:59 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-08-11 03:36:20 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-08-11 03:36:20 1307648 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-08-11 03:24:50 19569 ----a-w- c:\windows\005633_.tmp
2010-08-11 01:19:11 0 d-----w- c:\windows\system32\wbem\Repository.001
2010-08-11 00:49:11 7208 ------w- c:\windows\system32\secupd.sig
2010-08-11 00:49:11 4569 ------w- c:\windows\system32\secupd.dat
2010-08-11 00:48:53 57667 ----a-w- c:\windows\system32\ieuinit.inf
2010-08-10 20:27:09 354816 ----a-w- c:\windows\system32\winhttp.dll
2010-08-10 20:27:09 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2010-08-10 20:13:12 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-08-10 10:13:57 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-08-10 10:12:58 57399 -c--a-w- c:\windows\system32\dllcache\cplexe.exe
2010-08-10 10:11:05 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-08-10 10:10:59 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-08-10 10:10:59 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-08-10 10:10:59 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-08-10 10:10:59 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-08-10 10:10:39 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2010-08-10 10:10:39 61440 -c--a-w- c:\windows\system32\dllcache\icwres.dll
2010-08-10 10:10:39 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2010-08-10 10:09:06 53472 -c--a-w- c:\windows\system32\dllcache\wuauclt.exe
2010-08-10 10:09:06 1929952 -c--a-w- c:\windows\system32\dllcache\wuaueng.dll
2010-08-10 10:03:07 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-08-10 10:03:07 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-08-10 10:03:07 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-08-10 10:03:07 13312 ----a-w- c:\windows\system32\irclass.dll
2010-08-10 10:02:51 13608 ----a-r- c:\windows\SET45.tmp
2010-08-10 10:02:48 1086182 ----a-r- c:\windows\SET39.tmp
2010-08-09 21:03:06 13646 ----a-w- c:\windows\system32\wpa.bak
2010-08-09 20:48:00 0 d-----w- c:\program files\Online Services
2010-08-09 20:47:54 68608 ----a-w- c:\windows\system32\access.cpl
2010-08-09 20:45:29 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-08-09 20:45:18 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-08-09 20:44:32 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-08-09 20:44:18 870784 ----a-w- c:\windows\system32\ati3d1ag.dll
2010-08-09 20:44:18 201728 ----a-w- c:\windows\system32\ati2dvag.dll
2010-08-09 20:44:18 1057760 ----a-w- c:\windows\system32\ati3d2ag.dll
2010-08-09 20:44:17 701440 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-08-09 20:43:04 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-08-09 20:43:04 129536 ----a-w- c:\windows\system32\ksproxy.ax
2010-08-09 20:42:39 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-08-09 20:40:50 146432 ----a-w- c:\windows\system\winspool.drv
2010-08-09 20:40:50 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2010-08-09 20:40:48 74752 ----a-w- c:\windows\system32\storprop.dll
2010-08-09 20:40:29 8574 -c--a-w- c:\windows\system32\dllcache\IASNT4.CAT
2010-08-09 20:40:29 797189 -c--a-w- c:\windows\system32\dllcache\NT5IIS.CAT
2010-08-09 20:40:29 7382 -c--a-w- c:\windows\system32\dllcache\OEMBIOS.CAT
2010-08-09 20:40:29 399645 -c--a-w- c:\windows\system32\dllcache\MAPIMIG.CAT
2010-08-09 20:40:29 37484 -c--a-w- c:\windows\system32\dllcache\MW770.CAT
2010-08-09 20:40:29 13472 -c--a-w- c:\windows\system32\dllcache\HPCRDP.CAT
2010-08-09 20:40:22 13608 ----a-r- c:\windows\SETE4.tmp
2010-08-09 20:40:19 1086182 ----a-r- c:\windows\SETD8.tmp
2010-08-09 18:22:32 0 d-----w- c:\program files\riv
2010-07-31 04:00:51 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-31 04:00:18 0 d-----w- c:\docume~1\owner\applic~1\2238815A4506126CA2F10063CB84AB39
==================== Find3M ====================
2010-08-13 09:35:14 2473 --sha-w- c:\windows\system32\mmf.sys
2010-08-10 10:10:12 23388 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:10:44 81920 ------w- c:\windows\system32\ieencode.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2002-03-01 10:15:50 61440 ----a-w- c:\windows\inf\i386\onetUSD.dll
2001-10-02 12:58:36 36864 ----a-w- c:\windows\inf\i386\Wiamicro.dll
2001-09-28 12:00:40 139264 ----a-w- c:\windows\inf\i386\Rtscan.dll
2001-09-27 12:11:10 167936 ----a-w- c:\windows\inf\i386\viceo.dll
2001-01-18 20:13:00 12400 ----a-w- c:\windows\inf\i386\Usbscan.sys
2008-07-23 18:25:11 32768 --sha-w- c:\windows\temp\cookies\index.dat
2008-07-23 18:25:11 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-07-23 18:25:11 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 8:46:00.46 ===============
Pasting in further information from another post. ~ OB
I meant to mention it when I originally asked for help, and I didn't do anything to it, but Malwarebytes had found a "Malware.trace" that was in my registry in HKEY_CURRENT_USERS-SOFTWARE-WINSERVERS. There is the (default) item, plus ones called "run" with a value of 0x00000000 (0), and "TimeGetWork" with a value of 0x0005c419 (377881). Both are of type "REG_DWORD". Not shockingly, it exists in HKEY_USERS as well, but Malwarebytes had only listed it once. Also of note and present in both HKEY sections, and perhaps of more importance, I noticed the folder right below it, which hasn't been picked up by any scanner, is a folder named "wpyyaxbft". Inside it is an item named "id", type REG_SZ, value 78.38... and a whole bunch of items of seemingly random letters such as "dkkekrkska". They are all REG_DWORD and have values of 1. I am quite certain these items are all a problem, but haven't done anything to them, again because I was instructed not to delete or install anything. I have seen such names of random/scrambled letters in the startup in msconfig before when having problems, and while fighting this one. Perhaps it will help whichever advisor assists me.
Edited by Orange Blossom, 14 August 2010 - 10:54 PM.