thinktechsolutions

Internet Explorer keeps redirecting my searches

I'm currently having an issue with Internet Explorer. Anytime I go to Google or Yahoo search and type something into the search bar, it keeps redirecting me to different websites. I have run Malwarebytes and also SUPERAntiSpyware; nothing is detected. I have attached the HijackThis log file. If you can let me know what I should get rid of, thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:11 PM, on 2/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_comm_customer.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_system_customer.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_host.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_user_customer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\program files\sprint desktop sync\sprint desktop sync.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_user_medium_customer.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Shirley.RANDAZZOBUILDER\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: (no name) - {20A240AA-A53B-448A-8BA0-3E9558E0E1FA} - c:\windows\system32\baahzri.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\RunServices: [Toolkitssleay32] C:\DOCUME~1\SHIRLE~1.RAN\LOCALS~1\Temp\shhrubob.exe
O4 - HKLM\..\RunServices: [TRIEDITEditing] c:\program files\common files\microsoft shared\triedit\trieditediting.exe
O4 - HKLM\..\RunServices: [hpbtpgLaserJet] c:\program files\hewlett-packard\hp laserjet 1010 series\applicationhpbtpg.exe
O4 - HKLM\..\RunServices: [objectpsObject] c:\program files\common files\installshield\professional\runtime\objectinstallshield.exe
O4 - HKLM\..\RunServices: [InstallShieldobjectps] c:\program files\common files\installshield\professional\runtime\objectinstallshield.exe
O4 - HKLM\..\RunServices: [NaturalComponents] C:\program files\common files\microsoft shared\proof\3082\msgr3esnatural.exe
O4 - HKLM\..\RunServices: [jpegim32Office] C:\program files\common files\microsoft shared\grphflt\jpegim32wpgimp32.exe
O4 - HKLM\..\RunServices: [shhrubob] C:\DOCUME~1\SHIRLE~1.RAN\LOCALS~1\Temp\shhrubob.exe
O4 - HKLM\..\RunServices: [HXDSUIMicrosoft] c:\program files\common files\microsoft shared\help\2052\hxdsuimicrosoft2.05.50727.210.0507272100.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CompanionLink] "c:\program files\sprint desktop sync\sprint desktop sync.exe" -Icon
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251507921815
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1210192126_3b6afe71c6f9e8959c0351ee0c739778&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = randazzobuilders.com
O17 - HKLM\Software\..\Telephony: DomainName = randazzobuilders.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = randazzobuilders.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = randazzobuilders.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = randazzobuilders.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
O20 - Winlogon Notify: ttdxvxio - C:\WINDOWS\SYSTEM32\baahzri.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
O23 - Service: Google Update Service (gupdate1ca15fbffc0b821) (gupdate1ca15fbffc0b821) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sage Service Host (v1.1) (Sage.LS1.ServiceHost.1.1) - Sage Software, Inc. - C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

--
End of file - 11301 bytes


Attachment: hijackthis.log
Tags: Anti-Virus Apps, Anti-Spyware, Windows XP

Last comment: younghv, 8/22/2022 (Mon)
Marcus Capps

Run msconfig, Startup, disable all, reboot. Check for the issue. If it goes away, you have something in your startup that's hijacking your PC. If it doesn't, what website is it sending you to?
RohitBagchi

Hey there,

You seem to have inadvertently installed some malware. Hope your virus protection is up to par. In any case, to recover normal functioning, follow the steps detailed here:

http://www.microsoft.com/protect/terms/hijacking.aspx

And

http://www.browser-hijack.com/

Cheers!
Muhammad Farjad Arshad

Are you in a domain environment? If so, maybe your network admin implemented a policy to redirect you. If this is not the case, check with another browser like Firefox, Opera or Safari. Run ComboFix on your system. Run SUPERAntiSpyware and, most of all, restore your system to the previous restore date when it was working fine.
thinktechsolutions

ASKER
msconfig is completely cleaned out and I restarted the computer. I also cleaned my hosts file. Ran Malwarebytes Anti-Malware, SUPERAntiSpyware, Ad-Aware and Spyware Doctor; they find nothing infected in the system. I have a feeling it is these 4 items.

O2 - BHO: (no name) - {20A240AA-A53B-448A-8BA0-3E9558E0E1FA} - c:\windows\system32\baahzri.dll
O4 - HKLM\..\RunServices: [Toolkitssleay32] C:\DOCUME~1\SHIRLE~1.RAN\LOCALS~1\Temp\shhrubob.exe
O4 - HKLM\..\RunServices: [shhrubob] C:\DOCUME~1\SHIRLE~1.RAN\LOCALS~1\Temp\shhrubob.exe
O20 - Winlogon Notify: ttdxvxio - C:\WINDOWS\SYSTEM32\baahzri.dll

Though I don't know if it's safe to remove these items. Could somebody shed some light on the subject to see if that is what's causing my problem? Thank you.
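A small triage script, added here as an example and not part of the thread, that scores HijackThis entries on the signals visible in the four lines above: an autorun launched from a Temp directory, a BHO registered with no name, a Winlogon Notify DLL loaded from system32 rather than a vendor directory, and one file wired into more than one load point. The sample log is a constructed subset of the entries posted in the question; the heuristics are this example's own assumptions, not HijackThis's logic, and a flag means "review by hand", not "delete".

```python
"""Triage HijackThis (HJT) log entries for the load-point signals in this thread.

Added example, not part of the original thread. The heuristics below are
assumptions of this example, not HijackThis's own logic.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the HJT log in the question.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {20A240AA-A53B-448A-8BA0-3E9558E0E1FA} - c:\windows\system32\baahzri.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunServices: [Toolkitssleay32] C:\DOCUME~1\SHIRLE~1.RAN\LOCALS~1\Temp\shhrubob.exe
O4 - HKLM\..\RunServices: [shhrubob] C:\DOCUME~1\SHIRLE~1.RAN\LOCALS~1\Temp\shhrubob.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ttdxvxio - C:\WINDOWS\SYSTEM32\baahzri.dll
"""

# "O4 - HKLM\..\Run: [...] ..." -> kind "O4", body is the rest of the line.
ENTRY_RE = re.compile(r'^(?P<kind>[OR]\d+) - (?P<body>.+)$')
# First drive-letter path ending in a PE extension, followed by whitespace,
# a closing quote, a comma (the rundll32 "dll,export" form) or end of line.
PATH_RE = re.compile(r'(?i)[a-z]:\\.*?\.(?:exe|dll|sys)(?=[\s",]|$)')


def parse_entries(log_text):
    """Yield (kind, body, lower-cased path or None) for every HJT entry line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        p = PATH_RE.search(m["body"])
        yield m["kind"], m["body"], (p.group(0).lower() if p else None)


def entry_reasons(kind, body, path):
    """Per-entry heuristics (assumptions of this example). Returns reason strings."""
    reasons = []
    if path is None:
        return reasons
    if "\\temp\\" in path:
        reasons.append("autorun launched from a Temp directory")
    if kind == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if kind == "O4" and "runservices" in body.lower():
        reasons.append("uses the legacy RunServices key")
    if kind == "O20" and "\\system32\\" in path and "program files" not in path:
        reasons.append("Winlogon Notify DLL loaded from system32 rather than a vendor directory (review)")
    return reasons


def triage(log_text):
    """Return {path: [reasons]} for every flagged file. A file referenced by
    more than one entry (e.g. the same DLL as both BHO and Winlogon Notify, or
    the same Temp exe under two RunServices names) gets a cross-entry reason."""
    per_path = defaultdict(list)
    kinds_by_path = defaultdict(list)
    for kind, body, path in parse_entries(log_text):
        if path is None:
            continue
        kinds_by_path[path].append(kind)
        for r in entry_reasons(kind, body, path):
            if r not in per_path[path]:
                per_path[path].append(r)
    for path, kinds in kinds_by_path.items():
        if len(kinds) > 1:
            per_path[path].append("referenced by %d autorun entries (%s)"
                                  % (len(kinds), "+".join(sorted(set(kinds)))))
    return dict(per_path)


def suspicious_paths(log_text):
    """Sorted list of flagged file paths, for quick comparison against a log."""
    return sorted(triage(log_text))


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for r in reasons:
            print("   -", r)
```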
OxygenITSolutions

Try WinPatrol. It will tell you what starts when IE opens. It's a great troubleshooting program; I have used it for many years.

www.winpatrol.com 
Marcus Capps

*******You'll want to export the registry keys before you delete them, just in case*******

I'm about 99% sure the baahzri.dll is what's killing your box. Boot to Safe Mode, run regedit, Edit > Find, find baahzri.dll in your entire registry, and delete the registry entry that points to baahzri.dll. Also search for shhrubob.exe in your registry.
Also go to a command prompt. Change to C:\DOCUME~1\SHIRLE~1.RAN\LOCALS~1\Temp\
do an attrib -a *.*
dir
del *.*
Y
reboot

Something has infected your box.
thinktechsolutions

ASKER
I'm also about 99% sure that is what's causing the issue. If it helps, what happens is when you go to type in a website, it will come up and say "website found", then it will pause, then at the bottom it will say "redirecting", then it just brings up random websites that have nothing to do with what I'm looking for. I've Googled both of those programs; nothing comes up. What's the best way to save everything before I delete it?
Marcus Capps

You can create a restore point in safe mode.
jrvzoom

Try downloading Mozilla Firefox from another computer, install it on your computer, and then while in it go to http://onecare.live.com/site/en-us/default.htm and run a full scan. It will go for a couple of hours; this spyware/virus/etc. remover is updated daily and does a pretty good job for a lot of things.
Dustin_Loftis

Sounds like the TDSS rootkit. Hitman Pro claims to be able to remove it.
optoma

HitmanPro (as mentioned) is fairly good at detecting patched system files and does replace them, if found. Just make a note of what it detects (just in case!).

http://www.surfright.nl/en/hitmanpro

You could also try Combofix.
Follow its running procedures and post its logfile afterwards:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
acl-puzz

Hi

You know, I had a desktop that was severely infected with trojans and spyware. Here is what I did:

Booted the system in "Safe Mode with Command Prompt", installed two programs, Spybot Search & Destroy and Avira antivirus (and the great thing is they are both free), ran both programs' own scans, cleaned all infections, then went to msconfig --> Startup and deleted all unnecessary entries there.

After that I ran a chkdsk (scandisk) command on all partitions, like this: chkdsk e:. On the system drive, which is C:, it scanned the system on boot; this made file system performance better. If you have time, run Disk Defragmenter also, from System Tools.

And as a last resort just change your browser; IE is known as a weak browser, shift to Opera.

Cheers
Jonvee

You are correct in believing those four HijackThis entries are the reason, but unfortunately HJT will be unable to remove them, particularly this one:
O20 - Winlogon Notify: ttdxvxio - C:\WINDOWS\SYSTEM32\baahzri.dll

ComboFix may well resolve the problem (as already suggested), but before running it in Normal mode, please ensure you disable real-time anti-virus and anti-spyware scanners.

Also it may be necessary to rename ComboFix.exe (to Combo-Fix.exe, for example) before saving it to your desktop. If you have difficulties downloading it, try downloading to another machine, then onto a USB memory stick or CD. Rename it and carry it to the infected machine, then try this key combination to reach a Run box:
Windows Logo+R: Run dialog box
ASKER CERTIFIED SOLUTION
rpggamergirl

jrvzoom

How long have you had this? Have you tried a system restore?
Bransby-IT

Why don't you just delete the files manually and remove the reg keys?

TrustWise

As mentioned by others on this post, run ComboFix from Bleeping Computer.
This WILL fix your problem.
thinktechsolutions

ASKER
Here is the ComboFix log file. I also ran TDSSKiller first, then ComboFix; here is what it has:

ComboFix 10-02-20.03 - shirley 02/20/2010  19:51:40.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2119 [GMT -5:00]
Running from: c:\documents and settings\Shirley.RANDAZZOBUILDER\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\awiqoboxebo.dll
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\491.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\baahzri.dll
c:\windows\system32\drivers\1028_DELL_XPS_Dell DM061                   .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DM061                   .MRK
c:\windows\system32\drivers\qwtvbgie.sys
c:\windows\system32\drivers\vhuynune.sys
c:\windows\system32\kanxfeyw.dll
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\ywvkhkw.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\bchimykr.job

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EFFVHMIE
-------\Legacy_QWTVBGIE
-------\Service_effvhmie
-------\Service_qwtvbgie


(((((((((((((((((((((((((   Files Created from 2010-01-21 to 2010-02-21  )))))))))))))))))))))))))))))))
.

2010-02-21 01:16 . 2010-02-21 01:16      --------      d-----w-      c:\windows\LastGood
2010-02-19 16:14 . 2010-02-19 15:25      15880      ----a-w-      c:\windows\system32\lsdelete.exe
2010-02-19 15:23 . 2010-02-19 15:23      --------      dc-h--w-      c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-19 15:23 . 2010-02-04 15:53      2954656      -c--a-w-      c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-19 15:23 . 2010-02-19 15:25      --------      d-----w-      c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-19 15:23 . 2010-02-19 15:23      --------      d-----w-      c:\program files\Lavasoft
2010-02-18 05:52 . 2010-02-18 05:52      --------      d-----w-      c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-02-18 05:51 . 2010-02-18 05:50      38784      ----a-w-      c:\documents and settings\Shirley.RANDAZZOBUILDER\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-18 05:51 . 2010-02-18 05:50      38784      ----a-w-      c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-18 05:51 . 2010-02-18 05:51      --------      d-----w-      c:\program files\Common Files\Adobe AIR
2010-02-18 05:49 . 2010-02-18 05:49      86016      ----a-w-      c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-18 05:48 . 2010-02-18 06:30      --------      d-----w-      c:\documents and settings\All Users\Application Data\NOS
2010-02-17 13:54 . 2007-07-04 00:59      86824      ----a-r-      c:\windows\system32\drivers\sscdserd.sys
2010-02-17 13:54 . 2007-07-04 00:58      106792      ----a-r-      c:\windows\system32\drivers\sscdmdm.sys
2010-02-17 13:54 . 2007-07-04 00:57      11944      ----a-r-      c:\windows\system32\drivers\sscdmdfl.sys
2010-02-17 13:54 . 2007-07-04 00:56      9256      ----a-r-      c:\windows\system32\drivers\sscdcmnt.sys
2010-02-17 13:54 . 2007-07-04 00:56      9256      ----a-r-      c:\windows\system32\drivers\sscdcm.sys
2010-02-17 13:54 . 2007-07-04 01:00      9256      ----a-r-      c:\windows\system32\drivers\sscdwhnt.sys
2010-02-17 13:54 . 2007-07-04 01:00      9256      ----a-r-      c:\windows\system32\drivers\sscdwh.sys
2010-02-17 13:54 . 2007-07-04 00:54      80552      ----a-r-      c:\windows\system32\drivers\sscdbus.sys
2010-02-17 02:48 . 2010-02-17 02:48      52224      ----a-w-      c:\documents and settings\Shirley.RANDAZZOBUILDER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-17 02:48 . 2010-02-18 05:07      117760      ----a-w-      c:\documents and settings\Shirley.RANDAZZOBUILDER\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-17 02:47 . 2010-02-17 02:47      --------      d-----w-      c:\program files\SUPERAntiSpyware
2010-02-17 02:47 . 2010-02-17 02:47      --------      d-----w-      c:\program files\Common Files\Wise Installation Wizard
2010-02-16 19:02 . 2008-04-13 19:45      31744      -c--a-w-      c:\windows\system32\dllcache\wceusbsh.sys
2010-02-16 19:02 . 2008-04-13 19:45      31744      ----a-w-      c:\windows\system32\drivers\wceusbsh.sys
2010-02-16 16:37 . 2010-01-07 21:07      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 16:37 . 2010-01-07 21:07      19160      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-02-15 12:34 . 2010-02-15 12:34      --------      d-----w-      c:\documents and settings\Shirley.RANDAZZOBUILDER\Local Settings\Application Data\{1DAF83B5-A7ED-4E13-859F-DDEC679E502E}
2010-02-10 13:18 . 2009-10-30 16:11      233136      ----a-w-      c:\windows\system32\drivers\pctgntdi.sys
2010-02-10 13:18 . 2009-11-09 16:20      207792      ----a-w-      c:\windows\system32\drivers\PCTCore.sys
2010-02-10 13:18 . 2009-10-06 21:31      87784      ----a-w-      c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-10 13:18 . 2009-09-03 14:45      70408      ----a-w-      c:\windows\system32\drivers\pctplsg.sys
2010-02-10 13:18 . 2010-02-20 15:01      --------      d-----w-      c:\program files\Spyware Doctor
2010-02-10 13:18 . 2010-02-10 13:26      --------      d-----w-      c:\program files\Common Files\PC Tools
2010-02-10 13:18 . 2010-02-10 13:18      --------      d-----w-      c:\documents and settings\Shirley.RANDAZZOBUILDER\Application Data\PC Tools
2010-02-10 13:18 . 2010-02-10 13:18      --------      d-----w-      c:\documents and settings\All Users\Application Data\PC Tools
2010-02-10 13:17 . 2010-02-20 15:25      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2010-02-10 03:36 . 2010-02-10 03:36      --------      d-----w-      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-10 03:36 . 2010-02-17 02:47      --------      d-----w-      c:\documents and settings\Shirley.RANDAZZOBUILDER\Application Data\SUPERAntiSpyware.com
2010-02-02 12:52 . 2010-02-16 13:27      0      ----a-w-      c:\windows\Qqunadom.bin
2010-02-02 12:52 . 2010-02-16 22:18      120      ----a-w-      c:\windows\Lpawesugunep.dat
2010-01-23 17:48 . 2010-01-23 17:48      --------      d-----w-      c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn
2010-01-23 17:19 . 2010-01-23 17:19      160288      ----a-w-      c:\windows\system32\drivers\afcdp.sys
2010-01-23 17:18 . 2010-01-23 17:18      911680      ----a-w-      c:\windows\system32\drivers\tdrpm258.sys
2010-01-23 17:17 . 2010-01-23 17:17      --------      d-----w-      c:\program files\Acronis

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 01:11 . 2007-11-20 14:51      12      ----a-w-      c:\windows\bthservsdp.dat
2010-02-20 19:09 . 2007-12-20 14:12      --------      d-----w-      c:\documents and settings\All Users\Application Data\Google Updater
2010-02-20 15:39 . 2004-08-04 12:00      96512      ----a-w-      c:\windows\system32\drivers\atapi.sys
2010-02-20 13:21 . 2009-09-09 22:27      --------      d-----w-      c:\program files\LogMeIn
2010-02-19 15:24 . 2007-04-02 10:31      --------      d-----w-      c:\program files\Google
2010-02-16 18:51 . 2009-01-28 21:32      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-02-04 15:53 . 2010-02-19 15:25      64288      ----a-w-      c:\windows\system32\drivers\Lbd.sys
2010-01-23 18:31 . 2007-03-04 23:02      2469216      ----a-w-      c:\windows\system32\AutoPartNt.exe
2010-01-23 17:19 . 2007-03-04 22:52      --------      d-----w-      c:\program files\Common Files\Acronis
2010-01-23 17:18 . 2007-03-04 22:52      581984      ----a-w-      c:\windows\system32\drivers\timntr.sys
2010-01-23 17:18 . 2007-03-04 22:52      158272      ----a-w-      c:\windows\system32\drivers\snapman.sys
2010-01-23 16:59 . 2008-01-29 18:45      --------      d-----w-      c:\program files\Desktop Alert
2010-01-12 22:27 . 2010-01-12 22:27      --------      d-----w-      c:\documents and settings\All Users\Application Data\LogMeIn
2010-01-07 01:03 . 2010-01-07 01:03      --------      d-----w-      c:\program files\WinSCP
2010-01-05 10:00 . 2004-08-04 12:00      832512      ----a-w-      c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-08-29 19:45      78336      ----a-w-      c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00      17408      ----a-w-      c:\windows\system32\corpol.dll
2010-01-01 05:00 . 2007-04-02 11:10      --------      d-----w-      c:\program files\Belkin Bulldog Plus
2009-12-03 21:59 . 2008-07-21 16:48      149768      ----a-w-      c:\windows\system32\drivers\WpsHelper.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"CompanionLink"="c:\program files\sprint desktop sync\sprint desktop sync.exe" [2008-06-05 7475200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-10-31 5106808]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-10-31 361568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21      548352      ----a-w-      c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2009-11-19 02:30      147832      ------w-      c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 00:34      87352      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16      39792      ----a-w-      c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12      110592      ----a-w-      c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2008-07-21 16:48      115560      ----a-w-      c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComponentsNatural]
2010-02-16 14:35      128000      ----a-w-      c:\program files\Common Files\Microsoft Shared\PROOF\3082\msgr3esNatural.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12      15360      ------w-      c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
2007-03-06 17:21      116224      ----a-w-      c:\program files\eFax Messenger 4.3\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToAssist Express Expert]
2009-11-22 21:42      149368      ----a-w-      c:\program files\Citrix\GoToAssist Express Expert\209\g2ax_start.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-03-18 11:00      188416      ----a-w-      c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstallShieldObject]
2010-02-16 14:35      128000      ----a-w-      c:\program files\Common Files\InstallShield\Professional\RunTime\ObjectInstallShield.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-02-05 23:52      849280      ----a-w-      c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2009-11-18 17:47      1243088      ----a-w-      c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-12 11:30      249856      ----a-w-      c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-12 11:30      81920      ----a-w-      c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 14:36      267048      ----a-w-      c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 17:41      63048      ----a-w-      c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MicrosoftMicrosoft2.05.50727.210.0507272100]
2010-02-16 14:35      128000      ----a-w-      c:\program files\Common Files\Microsoft Shared\Help\2052\HXDSUIMicrosoft2.05.50727.210.0507272100.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msgr3esLanguage]
2010-02-16 14:35      128000      ----a-w-      c:\program files\Common Files\Microsoft Shared\PROOF\3082\msgr3esNatural.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12      1695232      ------w-      c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-06-16 15:39      7323648      ----a-w-      c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeWPGIMP32]
2010-02-16 14:35      128000      ----a-w-      c:\program files\Common Files\Microsoft Shared\GRPHFLT\jpegim32WPGIMP32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PICTIM32PICTIM32]
2010-02-16 14:35      128000      ----a-w-      c:\program files\Common Files\Microsoft Shared\GRPHFLT\jpegim32WPGIMP32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09      413696      ----a-w-      c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-20 20:00      282624      ----a-w-      c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonicWALLNetExtender]
2008-01-16 23:51      562608      ----a-w-      c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2002-12-16 20:51      36864      ----a-w-      c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25      144784      ----a-w-      c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-21 15:40      68856      ----a-w-      c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2003-04-01 00:28      155648      ----a-w-      c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/19/2010 10:25 AM 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2/10/2010 8:18 AM 207792]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [1/23/2010 12:18 PM 911680]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [1/23/2010 12:19 PM 2480048]
R2 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe [2/7/2010 10:31 AM 161144]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1229232]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [1/12/2010 5:27 PM 47640]
R2 Sage.LS1.ServiceHost.1.1;Sage Service Host (v1.1);c:\program files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe [12/16/2008 8:41 AM 106496]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [1/23/2010 12:19 PM 160288]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/9/2010 2:18 PM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [1/16/2008 6:51 PM 19376]
S2 gupdate1ca15fbffc0b821;Google Update Service (gupdate1ca15fbffc0b821);c:\program files\Google\Update\GoogleUpdate.exe [8/5/2009 1:38 PM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/21/2008 11:48 AM 23888]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/10/2010 8:18 AM 359624]
S3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\drivers\TSUSB2.sys [1/3/2008 10:20 AM 54016]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - QWTVBGIE
*Deregistered* - qwtvbgie
.
Contents of the 'Scheduled Tasks' folder

2010-02-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:25]

2010-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-02-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-02 14:10]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 18:38]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-05 18:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus
MSConfigStartUp-daq8peuscdwl - c:\documents and settings\Shirley.RANDAZZOBUILDER\Local Settings\Temp\m.23293.tmp.exe
MSConfigStartUp-Gxedohufajel - c:\windows\awiqoboxebo.dll
MSConfigStartUp-shhrubob - c:\docume~1\SHIRLE~1.RAN\LOCALS~1\Temp\shhrubob.exe
MSConfigStartUp-ssleay32Toolkit - c:\docume~1\SHIRLE~1.RAN\LOCALS~1\Temp\shhrubob.exe
MSConfigStartUp-systemguard - c:\program files\System Guard 2009\systemguard.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 20:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(5424)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_system_customer.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Belkin Bulldog Plus\upsd.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_host.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_user_customer.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-02-20  20:27:26 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-21 01:27

Pre-Run: 610,507,759,616 bytes free
Post-Run: 616,929,742,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CC1ED42F864B0C52889266903A02BAA2
rpggamergirl

How's the PC going?
Can we also look at the TDSSKiller log?
thinktechsolutions

ASKER
10:31:49:427 4268      TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
10:31:49:427 4268      ================================================================================
10:31:49:427 4268      SystemInfo:

10:31:49:427 4268      OS Version: 5.1.2600 ServicePack: 3.0
10:31:49:427 4268      Product type: Workstation
10:31:49:427 4268      ComputerName: RBDPC-1020
10:31:49:427 4268      UserName: shirley
10:31:49:427 4268      Windows directory: C:\WINDOWS
10:31:49:427 4268      Processor architecture: Intel x86
10:31:49:427 4268      Number of processors: 2
10:31:49:427 4268      Page size: 0x1000
10:31:49:442 4268      Boot type: Normal boot
10:31:49:442 4268      ================================================================================
10:31:49:442 4268      UnloadDriverW: NtUnloadDriver error 2
10:31:49:442 4268      ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:31:49:458 4268      MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:31:49:505 4268      UtilityInit: KLMD drop and load success
10:31:49:505 4268      KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
10:31:49:505 4268      UtilityInit: KLMD open success
10:31:49:505 4268      UtilityInit: Initialize success
10:31:49:505 4268      
10:31:49:505 4268      Scanning      Services ...
10:31:49:505 4268      CreateRegParser: Registry parser init started
10:31:49:505 4268      DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
10:31:49:505 4268      CreateRegParser: DisableWow64Redirection error
10:31:49:505 4268      wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:31:49:505 4268      MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
10:31:49:505 4268      wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:31:49:505 4268      wfopen_ex: Trying to KLMD file open
10:31:49:505 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
10:31:49:505 4268      wfopen_ex: File opened ok (Flags 2)
10:31:49:505 4268      CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: CA49A8
10:31:49:505 4268      wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:31:49:505 4268      MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
10:31:49:505 4268      wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:31:49:505 4268      wfopen_ex: Trying to KLMD file open
10:31:49:505 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
10:31:49:505 4268      wfopen_ex: File opened ok (Flags 2)
10:31:49:505 4268      CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: CA4A50
10:31:49:505 4268      EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
10:31:49:505 4268      CreateRegParser: EnableWow64Redirection error
10:31:49:505 4268      CreateRegParser: RegParser init completed
10:31:50:130 4268      GetAdvancedServicesInfo: Raw services enum returned 390 services
10:31:50:130 4268      fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:31:50:130 4268      fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:31:50:130 4268      
10:31:50:130 4268      Scanning      Kernel memory ...
10:31:50:145 4268      KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
10:31:50:145 4268      DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AF37168
10:31:50:145 4268      DetectCureTDL3: KLMD_GetDeviceObjectList returned 6 DevObjects
10:31:50:145 4268      
10:31:50:145 4268      DetectCureTDL3: DEVICE_OBJECT: 8AEDB8A0
10:31:50:145 4268      KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEDB8A0
10:31:50:145 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEDB8A0[0x38]
10:31:50:145 4268      DetectCureTDL3: DRIVER_OBJECT: 8AF37168
10:31:50:145 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AF37168[0xA8]
10:31:50:145 4268      KLMD_ReadMem: Trying to ReadMemory 0xE10232B8[0x18]
10:31:50:145 4268      DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_CREATE                      : BA8EEBB0
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_CLOSE                       : BA8EEBB0
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_READ                        : BA8E8D1F
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_WRITE                       : BA8E8D1F
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_QUERY_INFORMATION           : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_SET_INFORMATION             : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_QUERY_EA                    : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_SET_EA                      : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS               : BA8E92E2
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION      : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL           : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_DEVICE_CONTROL              : BA8E93BB
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL     : BA8ECF28
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_SHUTDOWN                    : BA8E92E2
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_LOCK_CONTROL                : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_CLEANUP                     : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT             : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_QUERY_SECURITY              : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_SET_SECURITY                : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_POWER                       : BA8EAC82
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL              : BA8EF99E
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_DEVICE_CHANGE               : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_QUERY_QUOTA                 : 804F4562
10:31:50:145 4268      DetectCureTDL3: IRP_MJ_SET_QUOTA                   : 804F4562
10:31:50:145 4268      TDL3_FileDetect: Processing driver: Disk
10:31:50:145 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:145 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:161 4268      TDL3_FileDetect: Processing driver: Disk
10:31:50:161 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:161 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:192 4268      TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:31:50:192 4268      
10:31:50:192 4268      DetectCureTDL3: DEVICE_OBJECT: 8AEDBC68
10:31:50:192 4268      KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEDBC68
10:31:50:192 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEDBC68[0x38]
10:31:50:192 4268      DetectCureTDL3: DRIVER_OBJECT: 8AF37168
10:31:50:192 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AF37168[0xA8]
10:31:50:192 4268      KLMD_ReadMem: Trying to ReadMemory 0xE10232B8[0x18]
10:31:50:192 4268      DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_CREATE                      : BA8EEBB0
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_CLOSE                       : BA8EEBB0
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_READ                        : BA8E8D1F
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_WRITE                       : BA8E8D1F
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_QUERY_INFORMATION           : 804F4562
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_SET_INFORMATION             : 804F4562
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_QUERY_EA                    : 804F4562
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_SET_EA                      : 804F4562
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS               : BA8E92E2
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4562
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION      : 804F4562
10:31:50:192 4268      DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL           : 804F4562
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4562
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_DEVICE_CONTROL              : BA8E93BB
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL     : BA8ECF28
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_SHUTDOWN                    : BA8E92E2
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_LOCK_CONTROL                : 804F4562
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_CLEANUP                     : 804F4562
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT             : 804F4562
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_QUERY_SECURITY              : 804F4562
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_SET_SECURITY                : 804F4562
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_POWER                       : BA8EAC82
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL              : BA8EF99E
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_DEVICE_CHANGE               : 804F4562
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_QUERY_QUOTA                 : 804F4562
10:31:50:208 4268      DetectCureTDL3: IRP_MJ_SET_QUOTA                   : 804F4562
10:31:50:208 4268      TDL3_FileDetect: Processing driver: Disk
10:31:50:208 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:208 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:208 4268      TDL3_FileDetect: Processing driver: Disk
10:31:50:208 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:208 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:224 4268      TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:31:50:224 4268      
10:31:50:224 4268      DetectCureTDL3: DEVICE_OBJECT: 8AEF88A0
10:31:50:224 4268      KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEF88A0
10:31:50:224 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEF88A0[0x38]
10:31:50:224 4268      DetectCureTDL3: DRIVER_OBJECT: 8AF37168
10:31:50:224 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AF37168[0xA8]
10:31:50:224 4268      KLMD_ReadMem: Trying to ReadMemory 0xE10232B8[0x18]
10:31:50:224 4268      DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_CREATE                      : BA8EEBB0
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_CLOSE                       : BA8EEBB0
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_READ                        : BA8E8D1F
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_WRITE                       : BA8E8D1F
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_QUERY_INFORMATION           : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_SET_INFORMATION             : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_QUERY_EA                    : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_SET_EA                      : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS               : BA8E92E2
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION      : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL           : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_DEVICE_CONTROL              : BA8E93BB
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL     : BA8ECF28
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_SHUTDOWN                    : BA8E92E2
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_LOCK_CONTROL                : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_CLEANUP                     : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT             : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_QUERY_SECURITY              : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_SET_SECURITY                : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_POWER                       : BA8EAC82
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL              : BA8EF99E
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_DEVICE_CHANGE               : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_QUERY_QUOTA                 : 804F4562
10:31:50:224 4268      DetectCureTDL3: IRP_MJ_SET_QUOTA                   : 804F4562
10:31:50:224 4268      TDL3_FileDetect: Processing driver: Disk
10:31:50:224 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:224 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:224 4268      TDL3_FileDetect: Processing driver: Disk
10:31:50:224 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:224 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:239 4268      TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:31:50:239 4268      
10:31:50:239 4268      DetectCureTDL3: DEVICE_OBJECT: 8AEF8C68
10:31:50:239 4268      KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEF8C68
10:31:50:239 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEF8C68[0x38]
10:31:50:239 4268      DetectCureTDL3: DRIVER_OBJECT: 8AF37168
10:31:50:239 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AF37168[0xA8]
10:31:50:239 4268      KLMD_ReadMem: Trying to ReadMemory 0xE10232B8[0x18]
10:31:50:239 4268      DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_CREATE                      : BA8EEBB0
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE           : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_CLOSE                       : BA8EEBB0
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_READ                        : BA8E8D1F
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_WRITE                       : BA8E8D1F
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_QUERY_INFORMATION           : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_SET_INFORMATION             : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_QUERY_EA                    : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_SET_EA                      : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS               : BA8E92E2
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION    : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION      : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL           : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL         : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_DEVICE_CONTROL              : BA8E93BB
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL     : BA8ECF28
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_SHUTDOWN                    : BA8E92E2
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_LOCK_CONTROL                : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_CLEANUP                     : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT             : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_QUERY_SECURITY              : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_SET_SECURITY                : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_POWER                       : BA8EAC82
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL              : BA8EF99E
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_DEVICE_CHANGE               : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_QUERY_QUOTA                 : 804F4562
10:31:50:239 4268      DetectCureTDL3: IRP_MJ_SET_QUOTA                   : 804F4562
10:31:50:239 4268      TDL3_FileDetect: Processing driver: Disk
10:31:50:239 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:239 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:239 4268      TDL3_FileDetect: Processing driver: Disk
10:31:50:239 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:239 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:50:255 4268      TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:31:50:255 4268      
10:31:50:255 4268      DetectCureTDL3: DEVICE_OBJECT: 8AED5AB8
10:31:50:255 4268      KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AED5AB8
10:31:50:255 4268      DetectCureTDL3: DEVICE_OBJECT: 8AED78D0
10:31:50:255 4268      KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AED78D0
10:31:50:255 4268      DetectCureTDL3: DEVICE_OBJECT: 8AEEDD98
10:31:50:255 4268      KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEEDD98
10:31:50:255 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEEDD98[0x38]
10:31:50:255 4268      DetectCureTDL3: DRIVER_OBJECT: 8AEE9F38
10:31:50:255 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEE9F38[0xA8]
10:31:50:255 4268      KLMD_ReadMem: Trying to ReadMemory 0xE18349B8[0x1A]
10:31:50:255 4268      DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_CREATE                      : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE           : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_CLOSE                       : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_READ                        : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_WRITE                       : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_QUERY_INFORMATION           : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_SET_INFORMATION             : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_QUERY_EA                    : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_SET_EA                      : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS               : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION    : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION      : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL           : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL         : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_DEVICE_CONTROL              : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL     : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_SHUTDOWN                    : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_LOCK_CONTROL                : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_CLEANUP                     : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT             : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_QUERY_SECURITY              : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_SET_SECURITY                : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_POWER                       : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL              : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_DEVICE_CHANGE               : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_QUERY_QUOTA                 : BA6F4B3A
10:31:50:255 4268      DetectCureTDL3: IRP_MJ_SET_QUOTA                   : BA6F4B3A
10:31:50:255 4268      TDL3_FileDetect: Processing driver: atapi
10:31:50:255 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:31:50:255 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
10:31:50:270 4268      DetectCureTDL3: All IRP handlers pointed to one addr: BA6F4B3A
10:31:50:270 4268      KLMD_ReadMem: Trying to ReadMemory 0xBA6F4B3A[0x400]
10:31:50:270 4268      TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
10:31:50:270 4268      KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
10:31:50:270 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEE990C[0x4]
10:31:50:270 4268      TDL3_IrpHookDetect: New IrpHandler addr: 8AEBB8C8
10:31:50:270 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEBB8C8[0x400]
10:31:50:270 4268      TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
10:31:50:270 4268      Driver "atapi" Irp handler infected by TDSS rootkit ...
10:31:50:270 4268      KLMD_WriteMem: Trying to WriteMemory 0x8AEBB94E[0xD]
10:31:50:270 4268      cured
10:31:50:270 4268      KLMD_ReadMem: Trying to ReadMemory 0xBA6F2864[0x400]
10:31:50:270 4268      TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
10:31:50:270 4268      TDL3_FileDetect: Processing driver: atapi
10:31:50:270 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:31:50:270 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
10:31:50:286 4268      TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
10:31:50:286 4268      File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ...
10:31:50:286 4268      TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:31:50:286 4268      ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
10:31:50:302 4268      CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
10:31:50:380 4268      CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
10:31:50:427 4268      CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
10:31:50:427 4268      CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
10:31:50:458 4268      CabinetCallback: File extracted successfully: C:\DOCUME~1\SHIRLE~1.RAN\LOCALS~1\Temp\bckE4.tmp
10:31:50:458 4268      ValidateDriverFile: Stage 1 passed
10:31:50:458 4268      ValidateDriverFile: Stage 2 passed
10:31:50:536 4268      DigitalSignVerifyByHandle: Embedded DS result: 800B0100
10:31:51:020 4268      DigitalSignVerifyByHandle: Cat DS result: 00000000
10:31:51:020 4268      ValidateDriverFile: Stage 3 passed
10:31:51:036 4268      CabinetCallback: File validated successfully, restore information prepared
10:31:51:036 4268      FindDriverFileBackup: Backup copy found in cab-file
10:31:51:036 4268      TDL3_FileCure: Backup copy found, using it..
10:31:51:036 4268      TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tskE5.tmp
10:31:51:067 4268      TDL3_FileCure: New / Old Image paths: (system32\drivers\tskE5.tmp, system32\drivers\atapi.sys)
10:31:51:067 4268      TDL3_FileCure: KLMD jobs schedule success
10:31:51:067 4268      will be cured on next reboot
10:31:51:067 4268      
10:31:51:067 4268      DetectCureTDL3: DEVICE_OBJECT: 8AF528F0
10:31:51:067 4268      KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF528F0
10:31:51:067 4268      DetectCureTDL3: DEVICE_OBJECT: 8AF4C020
10:31:51:067 4268      KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AF4C020
10:31:51:067 4268      DetectCureTDL3: DEVICE_OBJECT: 8AEF2D98
10:31:51:067 4268      KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AEF2D98
10:31:51:067 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEF2D98[0x38]
10:31:51:067 4268      DetectCureTDL3: DRIVER_OBJECT: 8AEE9F38
10:31:51:067 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEE9F38[0xA8]
10:31:51:067 4268      KLMD_ReadMem: Trying to ReadMemory 0xE18349B8[0x1A]
10:31:51:067 4268      DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_CREATE                      : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE           : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_CLOSE                       : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_READ                        : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_WRITE                       : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_QUERY_INFORMATION           : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_SET_INFORMATION             : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_QUERY_EA                    : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_SET_EA                      : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS               : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION    : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION      : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL           : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL         : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_DEVICE_CONTROL              : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL     : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_SHUTDOWN                    : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_LOCK_CONTROL                : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_CLEANUP                     : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT             : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_QUERY_SECURITY              : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_SET_SECURITY                : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_POWER                       : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL              : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_DEVICE_CHANGE               : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_QUERY_QUOTA                 : BA6F4B3A
10:31:51:067 4268      DetectCureTDL3: IRP_MJ_SET_QUOTA                   : BA6F4B3A
10:31:51:067 4268      TDL3_FileDetect: Processing driver: atapi
10:31:51:067 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tskE5.tmp
10:31:51:067 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tskE5.tmp
10:31:51:067 4268      DetectCureTDL3: All IRP handlers pointed to one addr: BA6F4B3A
10:31:51:067 4268      KLMD_ReadMem: Trying to ReadMemory 0xBA6F4B3A[0x400]
10:31:51:067 4268      TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
10:31:51:067 4268      KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
10:31:51:067 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEE990C[0x4]
10:31:51:067 4268      TDL3_IrpHookDetect: New IrpHandler addr: 8AEBB8C8
10:31:51:067 4268      KLMD_ReadMem: Trying to ReadMemory 0x8AEBB8C8[0x400]
10:31:51:067 4268      TDL3_IrpHookDetect: TDL3 is already cured
10:31:51:067 4268      KLMD_ReadMem: Trying to ReadMemory 0xBA6F2864[0x400]
10:31:51:067 4268      TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
10:31:51:067 4268      TDL3_FileDetect: Processing driver: atapi
10:31:51:067 4268      TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tskE5.tmp
10:31:51:067 4268      KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tskE5.tmp
10:31:51:083 4268      TDL3_FileDetect: C:\WINDOWS\system32\drivers\tskE5.tmp - Verdict: Clean
10:31:51:083 4268      UtilityBootReinit: Reboot required for cure complete..
10:31:51:083 4268      MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
10:31:51:099 4268      UtilityBootReinit: KLMD drop success
10:31:51:099 4268      KLMD_ApplyPendList: Pending buffer(265B_3650, 608) dropped successfully
10:31:51:099 4268      UtilityBootReinit: Cure on reboot scheduled successfully
10:31:51:099 4268      
10:31:51:099 4268      Completed
10:31:51:099 4268      
10:31:51:099 4268      Results:
10:31:51:099 4268      Memory objects infected / cured / cured on reboot:      1 / 1 / 0
10:31:51:099 4268      Registry objects infected / cured / cured on reboot:      0 / 0 / 0
10:31:51:099 4268      File objects infected / cured / cured on reboot:      1 / 0 / 1
10:31:51:099 4268      
10:31:51:099 4268      UnloadDriverW: NtUnloadDriver error 1
10:31:51:099 4268      KLMD_Unload: UnloadDriverW(klmd21) error 1
10:31:51:099 4268      MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:31:51:099 4268      UtilityDeinit: KLMD(ARK) unloaded successfully
thinktechsolutions

ASKER
Here is a new HijackThis log as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:44 AM, on 2/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_comm_customer.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_system_customer.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_host.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_user_customer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\program files\sprint desktop sync\sprint desktop sync.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Shirley.RANDAZZOBUILDER\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CompanionLink] "c:\program files\sprint desktop sync\sprint desktop sync.exe" -Icon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251507921815
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1210192126_3b6afe71c6f9e8959c0351ee0c739778&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = randazzobuilders.com
O17 - HKLM\Software\..\Telephony: DomainName = randazzobuilders.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = randazzobuilders.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
O23 - Service: Google Update Service (gupdate1ca15fbffc0b821) (gupdate1ca15fbffc0b821) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sage Service Host (v1.1) (Sage.LS1.ServiceHost.1.1) - Sage Software, Inc. - C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe

--
End of file - 8771 bytes
rpggamergirl

TDSSKiller found and cured a TDL3 rootkit (patched atapi.sys) that also caused search redirects.
If the redirect has stopped, then all is well and the patched atapi driver was the culprit... if the problem persists, then we need to run more tools and continue to troubleshoot.
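Added example, not part of the original thread and not TDSSKiller's own code: a small Python parser that re-applies the check the TDSSKiller log above records. It walks each DetectCureTDL3 DRIVER_OBJECT block, tests whether all 27 IRP_MJ_* entries resolve to one address (the "All IRP handlers pointed to one addr" trigger), and then reports the stub's real target, whether the in-memory hook was patched, and the file verdict and reboot-cure state. The sample input is constructed: the atapi block repeats the addresses from the log on this page, and the second driver (examplefltr, with the made-up addresses 8AF00000, BA700000 and BA700010) is invented for contrast.

```python
import re
from dataclasses import dataclass, field

# The 27 IRP major functions TDSSKiller prints per DRIVER_OBJECT in the log above.
IRP_MAJORS = ("CREATE CREATE_NAMED_PIPE CLOSE READ WRITE QUERY_INFORMATION SET_INFORMATION "
              "QUERY_EA SET_EA FLUSH_BUFFERS QUERY_VOLUME_INFORMATION SET_VOLUME_INFORMATION "
              "DIRECTORY_CONTROL FILE_SYSTEM_CONTROL DEVICE_CONTROL INTERNAL_DEVICE_CONTROL "
              "SHUTDOWN LOCK_CONTROL CLEANUP CREATE_MAILSLOT QUERY_SECURITY SET_SECURITY POWER "
              "SYSTEM_CONTROL DEVICE_CHANGE QUERY_QUOTA SET_QUOTA").split()

_PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+")  # "10:31:50:255 4268      "
_START = re.compile(r"^DetectCureTDL3: DRIVER_OBJECT: ([0-9A-F]{8})$")
_NAME = re.compile(r"Driver Name: (\S+)$")
_IRP = re.compile(r"DetectCureTDL3: (IRP_MJ_\w+)\s*: ([0-9A-F]{8})")
_TRUE = re.compile(r"New IrpHandler addr: ([0-9A-F]{8})")
_VERDICT = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")

@dataclass
class DriverReport:
    driver_object: str
    name: str = ""
    handlers: dict = field(default_factory=dict)  # IRP_MJ_* -> dispatch address
    stub_found: bool = False   # TDSSKiller matched its TDL3 stub signature at that address
    true_handler: str = ""     # where the stub really forwards to
    memory_cured: bool = False
    file_path: str = ""
    file_verdict: str = ""
    cure_on_reboot: bool = False

    @property
    def uniform_target(self):
        """Address shared by all 27 majors ('All IRP handlers pointed to one addr'), else None."""
        targets = set(self.handlers.values())
        return targets.pop() if len(self.handlers) == len(IRP_MAJORS) and len(targets) == 1 else None

    @property
    def status(self):
        # One dispatch routine for everything is only a trigger; the stub signature confirms TDL3.
        if self.stub_found:
            return "hooked"
        return "suspicious" if self.uniform_target else "clean"

def analyze(log_text):
    reports, cur = [], None
    for raw in log_text.splitlines():
        msg = _PREFIX.sub("", raw).strip()
        if m := _START.match(msg):
            cur = DriverReport(driver_object=m.group(1))
            reports.append(cur)
        elif cur is None:
            continue
        elif m := _NAME.search(msg):
            cur.name = m.group(1)
        elif m := _IRP.search(msg):
            cur.handlers[m.group(1)] = m.group(2)
        elif "TDL3 Stub signature found" in msg:
            cur.stub_found = True
        elif m := _TRUE.search(msg):
            cur.true_handler = m.group(1)
        elif msg == "cured":  # the line after 'Irp handler infected by TDSS rootkit ...'
            cur.memory_cured = True
        elif m := _VERDICT.search(msg):
            cur.file_path, cur.file_verdict = m.group(1), m.group(2)
        elif "will be cured on next reboot" in msg:
            cur.cure_on_reboot = True
    return reports

def summarize(r):
    parts = [f"{r.name or r.driver_object}: {r.status}"]
    if r.uniform_target:
        parts.append(f"all {len(r.handlers)} IRP_MJ entries -> {r.uniform_target}")
    if r.true_handler:
        parts.append(f"stub forwards to {r.true_handler}, memory cured={r.memory_cured}")
    if r.file_verdict:
        parts.append(f"{r.file_path} verdict={r.file_verdict}, cure on reboot={r.cure_on_reboot}")
    return "; ".join(parts)

def build_sample_log():
    """Constructed input. Block 1 repeats the atapi addresses from the log on this page; block 2
    is a hypothetical driver (examplefltr, addresses 8AF00000 / BA7000xx invented here) whose
    table uses two routines, so the heuristic must not trip on it."""
    infected = [
        "DetectCureTDL3: DRIVER_OBJECT: 8AEE9F38",
        "DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi",
        *(f"DetectCureTDL3: IRP_MJ_{n:<28}: BA6F4B3A" for n in IRP_MAJORS),
        "TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr",
        "TDL3_IrpHookDetect: New IrpHandler addr: 8AEBB8C8",
        "cured",
        "TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: Infected",
        "will be cured on next reboot",
    ]
    clean = [
        "DetectCureTDL3: DRIVER_OBJECT: 8AF00000",
        "DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\examplefltr, Driver Name: examplefltr",
        *(f"DetectCureTDL3: IRP_MJ_{n:<28}: {'BA700010' if n in ('CREATE', 'CLOSE') else 'BA700000'}"
          for n in IRP_MAJORS),
        "TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\examplefltr.sys - Verdict: Clean",
    ]
    return "".join(f"10:31:50:255 4268      {m}\n" for m in infected + clean)
```

Call `summarize(r)` for each report from `analyze(build_sample_log())`, or feed a real TDSSKiller log to `analyze()`. One dispatch routine for all 27 majors is only the trigger, not the verdict: TDSSKiller reads the code at that address and matches its TDL3 stub before it calls the driver infected, which is why the parser says "suspicious" rather than "hooked" when that confirmation line is absent. It is also why the HijackThis log posted afterwards is clean: HijackThis lists browser settings, autostarts and services, not kernel driver dispatch tables.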
thinktechsolutions

ASKER
Thank you so much, so it was TDSSKiller that eliminated the problem. Thank you for your help.
rpggamergirl

Sorry, I didn't refresh the page and missed your post.
HijackThis log looks clean... but a lot of nasties are now able to hide from its scan, so a clean HijackThis log doesn't necessarily mean a clean system.

Is the search still being redirected?
rpggamergirl

Ooops, again I missed reading a comment.
It's great to know that atapi.sys was the culprit and it's been taken care of.
thinktechsolutions

ASKER
Removed it with no issues, thank you.
rpggamergirl

To uninstall ComboFix:
Go to Start > Run and 'copy and paste' the next command in the field:

ComboFix /Uninstall
Thank you for using Experts-Exchange!


younghv
