Redirected Google Searches in Firefox

Hello,

I have recently started having my Google searches redirected in Firefox. Also, a new tab will open up at random to the Google search page.
I have run Avast several times, Spybot Search & Destroy, Ad-Aware, and Malwarebytes Anti-Malware, removed and quarantined
the flagged files, and rebooted the machine after each process, but I am still having the same issue.
Any thoughts? Also, it doesn't seem to affect IE or Safari, just Firefox.
Firefox ver 3.6.3
Avast Ver 4.8 home
VPS compilation date 6/12/10
file version 100612-1

Machine OS: Win XP SP 3

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

- Ensure all Firefox windows are closed.
- To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
- When prompted to run the scan, click Yes.
- GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Did as you instructed, here is contents of log file:
GooredFix by jpshortstuff (08.01.10.1)
Log created at 12:00 on 12/06/2010 (carpenter)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:52 12/02/2005]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [04:28 15/06/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [13:50 27/06/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [04:48 25/11/2009]
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [22:37 30/03/2010]

C:\Documents and Settings\carpenter.CARPENTER\Application Data\Mozilla\Firefox\Profiles\s7wxr92i.default\extensions
{20a82645-c095-46ed-80e3-08825760534b} [21:27 28/04/2010]
{3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8} [23:21 08/06/2009]
{d37dc5d0-431d-44e5-8c91-49419370caa1} [21:47 28/05/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINNT\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [12:23 27/01/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [04:28 15/06/2009]

-=E.O.F=-
Thanks
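
A way to read a GooredFix log like the one above, added here as an example and not part of the original thread or of GooredFix itself: it parses the folder and registry sections, lists the extensions registered through the registry together with the path they load from, and picks out recently dated entries. The function names and the day/month/year reading of the bracketed timestamps are assumptions made for this example.

```python
import re
from datetime import datetime

# Excerpt of the GooredFix log from this thread. The curly quotes and the
# dropped opening quote are the kind of damage forum software does to pasted logs.
SAMPLE_LOG = r'''
C:\Program Files\Mozilla Firefox\extensions
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:52 12/02/2005]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [04:28 15/06/2009]

C:\Documents and Settings\carpenter.CARPENTER\Application Data\Mozilla\Firefox\Profiles\s7wxr92i.default\extensions
{20a82645-c095-46ed-80e3-08825760534b} [21:27 28/04/2010]
{3CE993BF-A3D9-4fd2-B3B6-768CBBC337F8} [23:21 08/06/2009]
{d37dc5d0-431d-44e5-8c91-49419370caa1} [21:47 28/05/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
“{20a82645-c095-46ed-80e3-08825760534b}”="c:\WINNT\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [12:23 27/01/2010]
jqs@sun.com”=“C:\Program Files\Java\jre6\lib\deploy\jqs\ff” [04:28 15/06/2009]

-=E.O.F=-
'''

QUOTE = '"“”'  # straight and curly double quotes, each optional in the log
KEY_RE = re.compile(r'^\[(HKEY_.+\\Extensions)\]$', re.I)
DIR_RE = re.compile(r'^[a-z]:\\.+\\extensions$', re.I)
FOLDER_RE = re.compile(r'^(?P<id>\S+) \[(?P<ts>[^\]]+)\]$')
REG_RE = re.compile(
    rf'^[{QUOTE}]?(?P<id>[^{QUOTE}=]+)[{QUOTE}]?='
    rf'[{QUOTE}]?(?P<path>.+?)[{QUOTE}]? \[(?P<ts>[^\]]+)\]$')


def parse_gooredfix(text):
    """Return {"folders": {dir: [entry]}, "registry": {key: [entry]}}."""
    report = {"folders": {}, "registry": {}}
    current, entry_re = None, None
    for line in map(str.strip, text.splitlines()):
        key = KEY_RE.match(line)
        if key or DIR_RE.match(line):
            # A section header: every following line belongs to it.
            kind = "registry" if key else "folders"
            name = key.group(1) if key else line
            current = report[kind].setdefault(name, [])
            entry_re = REG_RE if key else FOLDER_RE
            continue
        m = entry_re.match(line) if current is not None else None
        if m:
            entry = m.groupdict()
            # Assumption: timestamps are HH:MM DD/MM/YYYY.
            entry["ts"] = datetime.strptime(entry["ts"], "%H:%M %d/%m/%Y")
            current.append(entry)
    return report


def registry_sideloads(report):
    """(id, load path, also listed in a folder?) for registry-registered extensions."""
    in_folders = {e["id"].lower()
                  for entries in report["folders"].values() for e in entries}
    return [(e["id"], e["path"], e["id"].lower() in in_folders)
            for entries in report["registry"].values() for e in entries]


def added_since(report, cutoff):
    """IDs whose logged timestamp is on or after cutoff, newest first."""
    hits = [(e["ts"], e["id"]) for kind in report.values()
            for entries in kind.values() for e in entries if e["ts"] >= cutoff]
    return [ext_id for _, ext_id in sorted(hits, reverse=True)]


if __name__ == "__main__":
    parsed = parse_gooredfix(SAMPLE_LOG)
    for ext_id, path, listed in registry_sideloads(parsed):
        print(f"{ext_id} -> {path} (in a folder listing: {listed})")
    print(added_since(parsed, datetime(2010, 4, 1)))
```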

OK it must be the latest variant

Download ComboFix from one of these locations:

Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Ran Combofix as directed, here are the results page 1, (as text exceeds 10,000 characters) :

ComboFix 10-06-13.01 - carpenter 06/13/2010 23:53:10.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1458 [GMT -5:00]
Running from: c:\documents and settings\carpenter.CARPENTER\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100613-2] On-access scanning disabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\winnt\system32\drivers\npf.sys
c:\winnt\system32\Packet.dll
c:\winnt\system32\pthreadVC.dll
c:\winnt\system32\WanPacket.dll
c:\winnt\system32\wpcap.dll
c:\winnt\Web\default.htt

Infected copy of c:\winnt\system32\drivers\WudfPf.sys was found and disinfected
Restored copy from - Kitty had a snack :stuck_out_tongue:
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_IAS

((((((((((((((((((((((((( Files Created from 2010-05-14 to 2010-06-14 )))))))))))))))))))))))))))))))
.

2010-06-14 04:02 . 2010-06-11 03:49 95024 ----a-w- c:\winnt\system32\drivers\SBREDrv.sys
2010-06-12 00:13 . 2010-06-12 00:13 -------- d-----w- c:\documents and settings\carpenter.CARPENTER\Application Data\Malwarebytes
2010-06-12 00:13 . 2010-04-29 20:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-06-12 00:13 . 2010-06-12 00:13 -------- d-----w- c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes
2010-06-12 00:13 . 2010-06-12 00:13 -------- d-----w- c:\program files\Malwarebytes’ Anti-Malware
2010-06-12 00:13 . 2010-04-29 20:39 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-06-11 12:15 . 2010-02-04 15:52 15880 ----a-w- c:\winnt\system32\lsdelete.exe
2010-06-11 03:46 . 2010-06-11 03:46 -------- dc-h–w- c:\documents and settings\All Users.WINNT\Application Data{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-06 04:49 . 2010-06-06 04:49 -------- d-----w- c:\documents and settings\carpenter.CARPENTER\Local Settings\Application Data\HandBrake
2010-06-06 04:48 . 2010-06-06 04:48 -------- d-----w- c:\documents and settings\carpenter.CARPENTER\Application Data\HandBrake
2010-06-06 04:48 . 2010-06-06 04:48 -------- d-----w- c:\program files\Handbrake
2010-06-04 01:05 . 2010-06-10 00:11 -------- d-----w- c:\documents and settings\carpenter.CARPENTER\Local Settings\Application Data\jcypragua

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 05:20 . 2005-02-10 03:05 -------- d-----w- c:\program files\Elprime Clock
2010-06-14 04:32 . 2005-12-08 02:27 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-12 18:49 . 2005-02-10 02:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-11 03:48 . 2009-10-10 16:51 64288 ----a-w- c:\winnt\system32\drivers\Lbd.sys
2010-06-11 03:46 . 2009-10-10 16:48 -------- d-----w- c:\program files\Lavasoft
2010-06-10 03:57 . 2008-08-26 12:26 -------- d-----w- c:\program files\The Holy Bible
2010-05-22 00:49 . 2010-05-22 00:49 503808 ----a-w- c:\documents and settings\carpenter.CARPENTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-524948d6-n\msvcp71.dll
2010-05-22 00:49 . 2010-05-22 00:49 499712 ----a-w- c:\documents and settings\carpenter.CARPENTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-524948d6-n\jmc.dll
2010-05-22 00:49 . 2010-05-22 00:49 348160 ----a-w- c:\documents and settings\carpenter.CARPENTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-524948d6-n\msvcr71.dll
2010-05-22 00:49 . 2010-05-22 00:49 61440 ----a-w- c:\documents and settings\carpenter.CARPENTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6daf8047-n\decora-sse.dll
2010-05-22 00:49 . 2010-05-22 00:49 12800 ----a-w- c:\documents and settings\carpenter.CARPENTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6daf8047-n\decora-d3d.dll
2010-05-12 23:44 . 2009-06-15 04:43 -------- d-----w- c:\documents and settings\carpenter.CARPENTER\Application Data\LimeWire
2010-04-27 21:24 . 2005-02-08 04:19 -------- d–h–w- c:\program files\InstallShield Installation Information
2010-04-27 21:24 . 2010-04-27 21:24 -------- d-----w- c:\program files\Generic
2010-04-24 18:27 . 2009-09-30 00:13 -------- d-----w- c:\program files\Moffsoft Calculator 2
2010-04-20 02:21 . 2010-04-20 02:21 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-03-30 22:37 . 2010-03-30 22:37 503808 ----a-w- c:\documents and settings\carpenter.CARPENTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7b53bd65-n\msvcp71.dll
2010-03-30 22:37 . 2010-03-30 22:37 499712 ----a-w- c:\documents and settings\carpenter.CARPENTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7b53bd65-n\jmc.dll
2010-03-30 22:37 . 2010-03-30 22:37 348160 ----a-w- c:\documents and settings\carpenter.CARPENTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7b53bd65-n\msvcr71.dll
2010-03-30 22:37 . 2010-03-30 22:37 61440 ----a-w- c:\documents and settings\carpenter.CARPENTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-268fa170-n\decora-sse.dll
2010-03-30 22:37 . 2010-03-30 22:37 12800 ----a-w- c:\documents and settings\carpenter.CARPENTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-268fa170-n\decora-d3d.dll
2008-06-11 12:11 . 2005-02-08 03:49 21952 —ha-w- c:\program files\folder.htt
.

Combofix results page 2:

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Kalender”=“c:\kalander\Kalender\Kalender.exe” [2005-04-03 622592]
“SpybotSD TeaTimer”=“c:\program files\Spybot - Search & Destroy\TeaTimer.exe” [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Synchronization Manager”=“mobsync.exe” [2008-04-14 143360]
“YeppStudioAgent”=“c:\program files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe” [2005-06-29 36864]
“CTCheck”=“c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe” [2007-11-06 397312]
“Elprime Clock”=“c:\program files\Elprime Clock\uclock.exe” [2002-11-12 90112]
“avast!”=“c:\progra~1\ALWILS~1\Avast4\ashDisp.exe” [2009-11-24 81000]
“NvCplDaemon”=“c:\winnt\system32\NvCpl.dll” [2007-12-04 8523776]
“nwiz”=“nwiz.exe” [2007-12-04 1626112]
“NvMediaCenter”=“c:\winnt\system32\NvMcTray.dll” [2007-12-04 81920]
“SunJavaUpdateSched”=“c:\program files\Common Files\Java\Java Update\jusched.exe” [2010-02-18 248040]
“QuickTime Task”=“c:\program files\QuickTime\qttask.exe” [2009-11-11 417792]
“Adobe Reader Speed Launcher”=“c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe” [2009-12-22 35760]
“Adobe ARM”=“c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe” [2010-03-24 952768]
“iTunesHelper”=“c:\program files\iTunes\iTunesHelper.exe” [2010-01-23 141608]
“PAC7302_Monitor”=“c:\winnt\PixArt\PAC7302\Monitor.exe” [2006-11-03 319488]
“TraySantaCruz”=“c:\winnt\system32\tbctray.exe” [2002-04-17 290816]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“^SetupICWDesktop”=“c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe” [2008-04-14 214528]
“tscuninstall”=“c:\winnt\system32\tscupgrd.exe” [2004-08-04 44544]

c:\documents and settings\All Users.WINNT\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-29 113664]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=“Service”

[HKLM~\startupfolder\C:^Documents and Settings^All Users.WINNT^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users.WINNT\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\winnt\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“c:\Program Files\Microsoft Games\Age of Empires III\age3x.exe”=
“c:\Program Files\Messenger\msmsgs.exe”=
“c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”=
“c:\Program Files\Bonjour\mDNSResponder.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“c:\Program Files\iTunes\iTunes.exe”=
“c:\Program Files\LimeWire\LimeWire.exe”=
“c:\Program Files\Generic\Network Printer Wizard\NPWService.exe”=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [10/10/2009 11:51 AM 64288]
R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SonyPVM1.sys [1/30/2006 10:05 PM 28224]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [6/5/2009 8:14 PM 114768]
R1 fwdrv;Kerio Personal Firewall Driver;c:\winnt\system32\drivers\FWDRV.SYS [1/30/2006 11:17 PM 102912]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [6/5/2009 8:14 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1352320]
R2 NPWService;NPWService;c:\program files\Generic\Network Printer Wizard\NPWService.exe [1/15/2009 4:19 PM 462848]
R3 tbcspud;Santa Cruz Driver;c:\winnt\system32\drivers\tbcspud.sys [6/11/2008 10:18 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\winnt\system32\drivers\tbcwdm.sys [6/11/2008 10:18 PM 545088]
S2 astnscsi;astnscsi;c:\program files\Voyetra\AudioStation 6\astnscsi.exe → c:\program files\Voyetra\AudioStation 6\astnscsi.exe [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\winnt\system32\drivers\A3AB.sys [3/22/2005 8:17 PM 450400]
S3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;c:\winnt\system32\drivers\DLKRTS.SYS [1/29/2006 5:52 PM 25434]
S3 DzlUsb;Dazzle DVC USB Device;c:\winnt\system32\drivers\DzlUsb.sys [5/13/2006 10:57 PM 62800]
S3 hfdrv;hfdrv;c:\winnt\system32\hfdrv.sys [4/20/2006 9:23 PM 6880]
S3 hpoid407;IEEE-1284.4 Driver hpoid407;c:\winnt\system32\drivers\hpoid407.sys [3/20/2001 12:22 PM 50512]
S3 InCDFat;Ahead InCDFat File System Driver;c:\winnt\system32\drivers\InCDFat.sys [2/8/2006 3:54 PM 131200]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [8/17/2001 2:47 PM 9344]
S3 Rpcsexy;Rpcsexy;c:\winnt\system32\drivers\portcls.sys [8/4/2004 12:15 AM 146048]
S3 TNET1130;802.11 WLAN;c:\winnt\system32\drivers\tnet1130.sys [5/13/2006 11:09 PM 424825]

— Other Services/Drivers In Memory —

Deregistered - InCDFatRec

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the ‘Scheduled Tasks’ folder

2010-06-14 c:\winnt\Tasks\Ad-Aware Update (Weekly).job

  • c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:48]

2010-06-13 c:\winnt\Tasks\AppleSoftwareUpdate.job

  • c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://access.teamucc.com/elink?SetDealer=0544
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\carpenter.CARPENTER\Application Data\Mozilla\Firefox\Profiles\s7wxr92i.default
    FF - prefs.js: browser.startup.homepage - hxxp://apod.nasa.gov/apod/
    FF - plugin: c:\documents and settings\carpenter.CARPENTER\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref(“ui.use_native_colors”, true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(“network.auth.force-generic-ntlm”, false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(“svg.smil.enabled”, false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(“security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref”, true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(“security.ssl.renego_unrestricted_hosts”, “”);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(“security.ssl.treat_unsafe_negotiation_as_broken”, false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref(“security.ssl.require_safe_negotiation”, false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name”, “chrome://browser/locale/browser.properties”);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description”, “chrome://browser/locale/browser.properties”);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“plugins.update.notifyUser”, false);
.
.
------- File Associations -------
.
txtfile=“c:\program files\JGsoft\EditPadLite\EditPadLite.exe” “%1”
.scr=AutoCADScriptFile
.

        • ORPHANS REMOVED - - - -

HKLM-Run-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\GameDrvr.exe
SafeBoot-sglfb.sys
SafeBoot-tga.sys
AddRemove-NVIDIA Autodesk AutoCAD 2007 Performance Driver - c:\program files\AutoCAD 2007\drv\nvunin.exe ACAD NVIDIA Autodesk AutoCAD 2007 Performance Driver Software\Autodesk\AutoCAD\R17.0\ACAD-5001:409\ HDI9
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll

And the last bit, page 3:


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 00:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Elprime Clock = c:\program files\Elprime Clock\uclock.exe? ???k???@???@???8O@???h???@???@?4???[?@?d??s?$?sd??s???#?s4???s???4???s???4???D2?s???4???4???

scanning hidden files …

scan completed successfully
hidden files: 0


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-1682526488-839522115-1001\Software\SecuROM!CAUTION! NEVER A OR CHANGE ANY KEY*]
“??”=hex:05,3f,6c,ad,77,ed,41,0d,ae,4c,f2,e0,61,bd,9c,af,40,c6,d8,9b,2e,a2,22,
df,1d,b5,42,32,44,75,9a,ea,6b,c4,f6,f5,ad,41,03,77,e3,ce,53,bb,cc,ce,fa,da,
“??”=hex:d8,9f,7d,11,6e,5e,e6,30,6b,4d,5e,81,eb,d8,8b,f3
.
--------------------- DLLs Loaded Under Running Processes ---------------------

              • ‘explorer.exe’(2232)
                c:\winnt\system32\WININET.dll
                c:\winnt\system32\ieframe.dll
                c:\winnt\system32\mshtml.dll
                c:\winnt\system32\msls31.dll
                c:\winnt\system32\webcheck.dll
                c:\winnt\system32\WPDShServiceObj.dll
                c:\winnt\system32\PortableDeviceTypes.dll
                c:\winnt\system32\PortableDeviceApi.dll
                .
                ------------------------ Other Running Processes ------------------------
                .
                c:\program files\Alwil Software\Avast4\aswUpdSv.exe
                c:\program files\Alwil Software\Avast4\ashServ.exe
                c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                c:\program files\Bonjour\mDNSResponder.exe
                c:\winnt\system32\CTsvcCDA.exe
                c:\program files\Ahead\InCD\InCDsrv.exe
                c:\program files\Java\jre6\bin\jqs.exe
                c:\program files\Common Files\Motive\McciCMService.exe
                c:\program files\CDBurnerXP\NMSAccessU.exe
                c:\winnt\system32\nvsvc32.exe
                c:\winnt\system32\MsPMSPSv.exe
                c:\program files\Alwil Software\Avast4\ashMaiSv.exe
                c:\program files\Alwil Software\Avast4\ashWebSv.exe
                c:\winnt\system32\wbem\unsecapp.exe
                c:\winnt\system32\wscntfy.exe
                c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
                c:\winnt\system32\RUNDLL32.EXE
                c:\program files\iPod\bin\iPodService.exe
                c:\program files\Common Files\Java\Java Update\jucheck.exe
                .


.
Completion time: 2010-06-14 00:30:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-14 05:30

Pre-Run: 10,859,788,800 bytes free
Post-Run: 12,418,061,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT=“Microsoft Windows XP Professional” /noexecute=optin /fastdetect
C:=“Previous Operating System on C:”

Current=2 Default=2 Failed=0 LastKnownGood=4 Sets=1,2,3,4

    • End Of File - - 3A05871BDAB971E04B7B80376D6D9491

Once again thank You

Could you now confirm that the redirects have gone please

That seems to have fixed it. I ran several Google searches, with no redirects.
Thank you very much for your help.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:


:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS] 
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
- SpywareBlaster to help prevent spyware from installing in the first place.

Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
- Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: