I want to start by saying thanks for your time in looking over my problem, you guys are awesome. I am having a problem with my computer automatically redirecting me to different search engines as well as slowed performance and problems getting Firefox to start up initially and Internet Explorer will not come up at all. Symantec Antivirus runs pretty regularly but I noticed after I started having problems that the last autoupdate was in October and when I tried to run liveupdate it said LU1803: LiveUpdate failed while getting your updates. I also have Super anti-spyware and it is not finding anything. I hope this is enough information to begin with. Here is the DDS results and the GMER log.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 21:21:20.46 on Mon 03/21/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1085 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\My Documents\Downloads\rplt1sur.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adupifohah] rundll32.exe "c:\windows\tprpst.dll",Startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [Ayalajijohap] rundll32.exe "c:\windows\edahixusoyaqoxi.dll",Startup
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\CurseClientStartup.ccip
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\sp6ky6n7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {CBF2FE56-8F2E-499C-A72B-8547059192EF} - c:\documents and settings\owner\local settings\application data\{CBF2FE56-8F2E-499C-A72B-8547059192EF}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-4 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 67656]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-8-22 10384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-11-11 632792]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-12 38224]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101117.002\naveng.sys [2010-11-18 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101117.002\navex15.sys [2010-11-18 1371184]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-7 136176]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-7-30 36608]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 12872]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-7-30 233472]
S4 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
S4 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [2009-1-12 98984]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-25 24652]
.
=============== Created Last 30 ================
.
2011-03-22 01:05:59 -------- d-----w- c:\program files\Free Window Registry Repair
2011-03-22 00:39:43 -------- d-----w- c:\program files\SpywareBlaster
2011-03-21 02:55:37 -------- d-----w- C:\8fc6e1d1a56167e4575591aa1c7b5a78
2011-02-24 04:34:16 0 ----a-w- c:\windows\Scaluvayadep.bin
2011-02-24 04:34:15 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\{CBF2FE56-8F2E-499C-A72B-8547059192EF}
.
==================== Find3M ====================
.
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200BB-22KEA0 rev.08.05J08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7AB439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a7b17b8]; MOV EAX, [0x8a7b1834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6FC030]
3 CLASSPNP[0xBA188FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000a4[0x8A6FDE98]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A883D98]
\Driver\atapi[0x8A6F76A0] -> IRP_MJ_CREATE -> 0x8A7AB439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD3200BB-22KEA0_____________________08.05J08#5&60ba549&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A7AB27F
user & kernel MBR OK
copy of MBR has been found in sector 9 !
copy of MBR has been found in sector 59 !
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:22:33.29 ===============
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-21 22:34:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD3200BB-22KEA0 rev.08.05J08
Running: rplt1sur.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdrpob.sys
---- System - GMER 1.0.15 ----
SSDT 8A272CB8 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA3630350]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA3630580]
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB4D5B000, 0x230C27, 0xE8000020]
init C:\WINDOWS\SYSTEM32\drivers\samfilt.sys entry point in "init" section [0xA45EAD00]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F8000A
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F9000A
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F7000C
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0305000A
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 0306000A
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0326000A
.text C:\WINDOWS\System32\svchost.exe[968] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 0108000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0182000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0183000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0167000C
.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0153000A
.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0154000A
.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0152000C
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 8A78127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A78127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A78127F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 8A78127F
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD3200BB-22KEA0_____________________08.05J08#5&60ba549&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- EOF - GMER 1.0.15 ----