Author Topic: [Resolved] Redirected searches


Offline Sbeih

  • Bronze Member
  • Posts: 26
[Resolved] Redirected searches
« on: December 17, 2009, 02:45:29 AM »
Hi, my name is John, I'm in need of some assistance. Every time I do a search in Firefox or IE, the links keep redirecting me to some advertisements. The only way I can visit the link is by copying and pasting the address in the URL. This was actually far worse, it didn't let me go to any site like YouTube or MySpace without redirecting me, but what I did was run the GooredFix scan, and then Malwarebytes Anti-Malware, and that helped out a lot. It's much better than before, but it still redirects me after I do a search on Yahoo or Google. I would like some help on what to do please.
Hijack This log:
Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:28 AM, on 12/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5066E
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5066E
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - S-1-5-18 Startup: scandisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: scandisk.lnk = ? (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O18 - Filter hijack: text/html - {ed60015e-a058-4bbf-a7d5-fbcd35765be6} - (no file)
O20 - AppInit_DLLs:      C:\WINDOWS\system32\guard32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe

--
End of file - 8924 bytes

« Last Edit: December 20, 2009, 10:19:16 PM by Hoov »
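As an added example (not part of the thread, and not HijackThis's own logic), a small Python triage script that reads lines in the HijackThis log format posted above and flags the entry patterns that stand out in this log: a Run key under the SYSTEM account that loads a DLL from under system32\config through rundll32, Startup shortcuts whose target cannot be resolved, a text/html filter hijack with no backing file, and BHO or service registrations with no file. The sample lines and severity rules are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, modelled on the entry lines in
# the log above; benign-looking entries are mixed in so the rules have something
# to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - S-1-5-18 Startup: scandisk.lnk = ? (User 'SYSTEM')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O18 - Filter hijack: text/html - {ed60015e-a058-4bbf-a7d5-fbcd35765be6} - (no file)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    entry: str     # HijackThis entry type, e.g. "O4"
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
# rundll32 invoked with a DLL path as its first argument.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+\.dll)", re.IGNORECASE)
# Directories no legitimate autorun component is loaded from.
SUSPECT_DIRS = ("\\config\\", "\\temp\\", "\\recycler\\")


def suspect_path(path: str) -> bool:
    """True for a DLL under a hive/temp/recycler directory, or one whose path is
    written with an 8.3 short name (SYSTEM~1); installers do not write autoruns that way."""
    p = path.lower()
    return any(d in p for d in SUSPECT_DIRS) or "~1\\" in p


def o4_rundll_from_odd_dir(b: str) -> bool:
    m = RUNDLL_RE.search(b)
    return m is not None and suspect_path(m.group("dll"))


def o4_system_account_autorun(b: str) -> bool:
    # Run key or Startup folder evaluated for the SYSTEM account (S-1-5-18).
    # HijackThis prints "NA" when the value has no usable target; a real target
    # under the SYSTEM profile is unusual for legitimate software.
    return "s-1-5-18" in b and "(user 'system')" in b and "] na (" not in b


RULES = [
    # (entry type, predicate on the lower-cased entry body, severity, reason);
    # the first matching rule wins, so the more specific rules come first.
    ("O4", o4_rundll_from_odd_dir, "high",
     "rundll32 loads a DLL from a hive/temp directory or via an 8.3 short name"),
    ("O4", o4_system_account_autorun, "high",
     "autorun registered for the SYSTEM account profile"),
    ("O4", lambda b: ".lnk = ?" in b, "medium",
     "Startup shortcut whose target cannot be resolved"),
    ("O18", lambda b: "filter hijack" in b and "text/html" in b, "high",
     "MIME filter registered for text/html (sees every page IE renders)"),
    ("O2", lambda b: "(no name)" in b and "(no file)" in b, "low",
     "orphaned BHO registration with no name and no backing file"),
    ("O23", lambda b: "(file missing)" in b, "low",
     "service whose binary is missing (orphaned registration)"),
]


def triage(log_text: str) -> list[Finding]:
    """Apply the first matching rule to every R/O entry line of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list or blank line
        etype, body = m.group("type"), m.group("body").lower()
        for rule_type, pred, severity, reason in RULES:
            if etype == rule_type and pred(body):
                findings.append(Finding(severity, etype, reason, line))
                break
    return findings


def count_by_severity(findings: list[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.entry}: {f.reason}\n         {f.line}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

Entries that match no rule (the ehTray, Java, LimeWire and Bonjour lines) produce no finding, which is the point: the rules are there to shortlist lines for a human reviewer, not to clean anything.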



Offline Sbeih

  • Bronze Member
  • Posts: 26
Re: Redirected searches
« Reply #1 on: December 17, 2009, 02:39:55 PM »
Oh, and upon starting up I get this error message that Remind_Xp.exe was unable to start; I don't know what that is.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22647
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: Redirected searches
« Reply #2 on: December 20, 2009, 10:18:57 PM »
Hello, welcome to SpywareHammer.

I go by Hoov, and I will be helping you with your problem. I must ask you to do a few things for me.

First, tell me everything that you have done, if anything, to try and fix this problem.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

Third, follow my instructions. If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me; it may make a difference on where we go.

Fourth, have faith. I will do all I can to get your computer working, and if I can't, someone else here will know something else to try.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your hard drive.

Now onto trying to fix your computer.

Remind_Xp.exe is the subscription reminder to unlock unlimited use of the SoftThinks CD Creator CD/DVD rewriting software, usually supplied with HP PCs as a pre-installed package.

We will deal with that later.

Please run CCleaner to remove the temporary files from your computer, and then run Malwarebytes' Anti-Malware to remove malware. Use the instructions below for them. After running both, test out your browser to see if it is still being redirected.

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
    On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

    Consumer Security

    If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

    Offline Sbeih

    • Bronze Member
    • Posts: 26
    Re: [In Progress] Redirected searches
    « Reply #3 on: December 21, 2009, 11:47:06 PM »
    I had this problem way worse; it wouldn't let me run videos on YouTube, MySpace wouldn't function right, it redirected my every search, and other things. What I did to fix it was run GooredFix and then scan afterwards with MBAM, and it fixed the problem almost completely. Now I rarely get redirected or a popup pops in another tab; it's usually the same popup.

    MBAM log after CCleaner:

    Quote
    Malwarebytes' Anti-Malware 1.42
    Database version: 3407
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/21/2009 9:39:44 PM
    mbam-log-2009-12-21 (21-39-44).txt

    Scan type: Quick Scan
    Objects scanned: 128014
    Time elapsed: 8 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Offline Hoov

    • Malware Removal Mentors
    • Global Moderator
    • Diamond Member
    • Posts: 22647
    • Unwilling part owner of Gov't. Motors and Chrysler
      • Hoov's Personal Site
    Re: [In Progress] Redirected searches
    « Reply #4 on: December 22, 2009, 05:11:41 AM »
    What popup is it? If it is always the same, it could just be a minor problem. Are you still getting redirected? Check out IE closely; GooredFix is only good for the redirect issue if it affects Firefox only. It has no effect on the IE redirect problem (as far as we know). If IE is fixed, can you go to the Logs tab in Malwarebytes' Anti-Malware, open the log that shows the cleanup after you ran GooredFix and post that log? All you have to do is double-click the line for the date/time of the scan and the log will open up.


    Offline Sbeih

    • Bronze Member
    • Posts: 26
    Re: [In Progress] Redirected searches
    « Reply #5 on: December 22, 2009, 02:50:30 PM »
    Well, in Firefox it's a popup in another tab at the URL "http://www.local-news-online.com/?t202id=12893&t202kw=", and I still get redirected randomly on my searches; on IE I just get redirected to different random sites in my searches as well.

    MBAM log after gooredfix scan on the 16th:

    Quote
    Malwarebytes' Anti-Malware 1.42
    Database version: 3372
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/16/2009 1:46:04 AM
    mbam-log-2009-12-16 (01-46-04).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 212225
    Time elapsed: 49 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 3
    Registry Keys Infected: 3
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 25

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Delete on reboot.
    c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Delete on reboot.
    c:\WINDOWS\system32\Iasv32.dll (Backdoor.Bot) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c5b24b16-23f2-41ad-f4e4-00abc39c0004} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\winsts (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad (Trojan.Agent) -> Delete on reboot.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\notepad.dll (Trojan.Agent) -> Delete on reboot.
    c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Delete on reboot.
    c:\WINDOWS\system32\Iasv32.dll (Backdoor.Bot) -> Delete on reboot.
    C:\WINDOWS\system32\c5urpmua.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\acad.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\enhs.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\waees.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Guest\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Guest\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\NetworkService\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner.John\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner.John\Local Settings\Temp\y.exy (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner.John\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ndisdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\winsts.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\IXP000.TMP\bm1016.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Guest\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner.John\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Guest\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner.John\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

    Offline Hoov

    • Malware Removal Mentors
    • Global Moderator
    • Diamond Member
    • Posts: 22647
    • Unwilling part owner of Gov't. Motors and Chrysler
      • Hoov's Personal Site
    Re: [In Progress] Redirected searches
    « Reply #6 on: December 22, 2009, 03:05:37 PM »
    * Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

    Run ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

    Please include the C:\ComboFix.txt in your next reply for further review.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Offline Sbeih

    • Bronze Member
    • Posts: 26
    Re: [In Progress] Redirected searches
    « Reply #7 on: December 23, 2009, 01:19:57 AM »
    I get an error when trying to run ComboFix...

    32788R22FWJFW\n.pif

    Windows cannot access this specified device, path, or file. You may not have the appropriate permission to access this file.

    Offline Sbeih

    • Bronze Member
    • Posts: 26
    Re: [In Progress] Redirected searches
    « Reply #8 on: December 23, 2009, 02:44:46 AM »
    Never mind that previous post, I forgot to run as Owner. Anyway, here's my ComboFix log:

    Quote
    ComboFix 09-12-22.03 - Owner 12/23/2009   0:26.1.1 - x86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1013.645 [GMT -8:00]
    Running from: c:\documents and settings\Owner.John\Desktop\ComboFix.exe
    AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\S-1-5-21-2382158301-2660917145-2720483834-500
    c:\windows\kb913800.exe
    D:\Autorun.inf

    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IAS
    -------\Legacy_WINSTS


    (((((((((((((((((((((((((   Files Created from 2009-11-23 to 2009-12-23  )))))))))))))))))))))))))))))))
    .

    2009-12-22 05:52 . 2009-12-22 05:52   3174400   ----a-w-   c:\documents and settings\All Users\Application Data\SwiftKit\Temp Data\SwiftKit-RS.exe
    2009-12-22 05:26 . 2009-12-22 05:26   --------   d-----w-   c:\program files\CCleaner
    2009-12-22 03:18 . 2009-12-22 03:18   --------   d-----w-   c:\documents and settings\Owner.John\Local Settings\Application Data\Yahoo!
    2009-12-20 04:52 . 2009-12-20 04:52   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\acccore
    2009-12-20 04:52 . 2009-12-20 04:54   --------   d-----w-   c:\documents and settings\Owner.John\Local Settings\Application Data\AIM
    2009-12-20 04:52 . 2009-12-20 04:52   --------   d-----w-   c:\documents and settings\Owner.John\Local Settings\Application Data\AOL
    2009-12-20 04:51 . 2009-12-20 04:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\AIM
    2009-12-20 04:50 . 2009-12-20 04:51   --------   d-----w-   c:\program files\AIM
    2009-12-20 04:50 . 2009-12-20 04:50   --------   d-----w-   c:\program files\Common Files\Software Update Utility
    2009-12-20 04:34 . 2009-12-20 06:03   --------   d-----w-   c:\documents and settings\Owner.John\Local Settings\Application Data\Yahoo
    2009-12-20 04:33 . 2009-12-20 06:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2009-12-20 04:33 . 2009-12-20 04:34   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\Yahoo!
    2009-12-20 04:28 . 2009-12-20 04:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
    2009-12-20 04:28 . 2009-11-10 22:39   607472   ----a-w-   c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
    2009-12-20 04:25 . 2009-12-20 04:33   --------   d-----w-   c:\program files\Yahoo!
    2009-12-18 06:28 . 2009-12-23 08:36   52224   ----a-w-   c:\documents and settings\Owner.John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2009-12-18 06:28 . 2009-12-18 06:28   117760   ----a-w-   c:\documents and settings\Owner.John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-18 06:27 . 2009-12-18 06:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-18 06:27 . 2009-12-18 06:27   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2009-12-18 06:27 . 2009-12-18 06:27   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\SUPERAntiSpyware.com
    2009-12-18 06:27 . 2009-12-18 06:27   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
    2009-12-17 08:34 . 2009-12-17 08:34   --------   d-----w-   c:\program files\Trend Micro
    2009-12-16 06:15 . 2009-12-16 06:15   --------   d-----w-   c:\documents and settings\Owner.John\Local Settings\Application Data\COMODO
    2009-12-13 22:19 . 2009-12-13 22:19   46080   ----a-w-   C:\utpo.exe
    2009-12-12 19:43 . 2009-12-12 19:43   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
    2009-12-12 02:48 . 2009-12-12 02:48   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
    2009-12-03 22:50 . 2009-12-03 22:50   --------   d-sh--w-   c:\documents and settings\Guest\IECompatCache
    2009-12-02 23:48 . 2009-12-02 23:48   --------   d-sh--w-   c:\windows\ftpcache
    2009-11-30 03:09 . 2006-04-11 08:49   118784   ------w-   c:\windows\system32\PTTreeIcons.dll
    2009-11-30 02:43 . 2009-12-13 00:50   --------   d-----w-   c:\program files\Kids Cam Show and Share Creativity Center
    2009-11-29 16:56 . 2009-11-29 16:56   --------   d-----w-   c:\documents and settings\Guest\Local Settings\Application Data\Identities
    2009-11-26 02:40 . 2009-12-14 07:09   --------   d-----w-   c:\documents and settings\Guest\Application Data\Apple Computer

    Offline Hoov

    • Malware Removal Mentors
    • Global Moderator
    • Diamond Member
    • Posts: 22647
    • Unwilling part owner of Gov't. Motors and Chrysler
      • Hoov's Personal Site
    Re: [In Progress] Redirected searches
    « Reply #9 on: December 23, 2009, 11:51:19 AM »
    Please don't put them into a quote or code box, just paste logs directly into your reply. Can you please post the log again, I need to see the entire log.

    How is your computer running now?


    Offline Sbeih

    • Bronze Member
    • Posts: 26
    Re: [In Progress] Redirected searches
    « Reply #10 on: December 23, 2009, 02:43:41 PM »
    I noticed it's also running much faster and no popups; I was also searching on Yahoo and got no redirection, I think it might have been fixed. Now what about Remind_xp.exe?

    ComboFix log:

    ComboFix 09-12-22.03 - Owner 12/23/2009   0:26.1.1 - x86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1013.645 [GMT -8:00]
    Running from: c:\documents and settings\Owner.John\Desktop\ComboFix.exe
    AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\S-1-5-21-2382158301-2660917145-2720483834-500
    c:\windows\kb913800.exe
    D:\Autorun.inf

    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IAS
    -------\Legacy_WINSTS


    (((((((((((((((((((((((((   Files Created from 2009-11-23 to 2009-12-23  )))))))))))))))))))))))))))))))
    .

    2009-12-22 05:52 . 2009-12-22 05:52   3174400   ----a-w-   c:\documents and settings\All Users\Application Data\SwiftKit\Temp Data\SwiftKit-RS.exe
    2009-12-22 05:26 . 2009-12-22 05:26   --------   d-----w-   c:\program files\CCleaner
    2009-12-22 03:18 . 2009-12-22 03:18   --------   d-----w-   c:\documents and settings\Owner.John\Local Settings\Application Data\Yahoo!
    2009-12-20 04:52 . 2009-12-20 04:52   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\acccore
    2009-12-20 04:52 . 2009-12-20 04:54   --------   d-----w-   c:\documents and settings\Owner.John\Local Settings\Application Data\AIM
    2009-12-20 04:52 . 2009-12-20 04:52   --------   d-----w-   c:\documents and settings\Owner.John\Local Settings\Application Data\AOL
    2009-12-20 04:51 . 2009-12-20 04:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\AIM
    2009-12-20 04:50 . 2009-12-20 04:51   --------   d-----w-   c:\program files\AIM
    2009-12-20 04:50 . 2009-12-20 04:50   --------   d-----w-   c:\program files\Common Files\Software Update Utility
    2009-12-20 04:34 . 2009-12-20 06:03   --------   d-----w-   c:\documents and settings\Owner.John\Local Settings\Application Data\Yahoo
    2009-12-20 04:33 . 2009-12-20 06:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2009-12-20 04:33 . 2009-12-20 04:34   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\Yahoo!
    2009-12-20 04:28 . 2009-12-20 04:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
    2009-12-20 04:28 . 2009-11-10 22:39   607472   ----a-w-   c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
    2009-12-20 04:25 . 2009-12-20 04:33   --------   d-----w-   c:\program files\Yahoo!
    2009-12-18 06:28 . 2009-12-23 08:36   52224   ----a-w-   c:\documents and settings\Owner.John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2009-12-18 06:28 . 2009-12-18 06:28   117760   ----a-w-   c:\documents and settings\Owner.John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-18 06:27 . 2009-12-18 06:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-12-18 06:27 . 2009-12-18 06:27   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2009-12-18 06:27 . 2009-12-18 06:27   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\SUPERAntiSpyware.com
    2009-12-18 06:27 . 2009-12-18 06:27   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
    2009-12-17 08:34 . 2009-12-17 08:34   --------   d-----w-   c:\program files\Trend Micro
    2009-12-16 06:15 . 2009-12-16 06:15   --------   d-----w-   c:\documents and settings\Owner.John\Local Settings\Application Data\COMODO
    2009-12-13 22:19 . 2009-12-13 22:19   46080   ----a-w-   C:\utpo.exe
    2009-12-12 19:43 . 2009-12-12 19:43   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
    2009-12-12 02:48 . 2009-12-12 02:48   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
    2009-12-03 22:50 . 2009-12-03 22:50   --------   d-sh--w-   c:\documents and settings\Guest\IECompatCache
    2009-12-02 23:48 . 2009-12-02 23:48   --------   d-sh--w-   c:\windows\ftpcache
    2009-11-30 03:09 . 2006-04-11 08:49   118784   ------w-   c:\windows\system32\PTTreeIcons.dll
    2009-11-30 02:43 . 2009-12-13 00:50   --------   d-----w-   c:\program files\Kids Cam Show and Share Creativity Center
    2009-11-29 16:56 . 2009-11-29 16:56   --------   d-----w-   c:\documents and settings\Guest\Local Settings\Application Data\Identities
    2009-11-26 02:40 . 2009-12-14 07:09   --------   d-----w-   c:\documents and settings\Guest\Application Data\Apple Computer
    2009-11-26 02:18 . 2009-11-26 02:18   --------   d-----w-   c:\documents and settings\Guest\Local Settings\Application Data\Adobe

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-23 08:36 . 2009-06-17 04:58   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\LimeWire
    2009-12-23 08:12 . 2009-06-13 00:00   1474832   ----a-w-   c:\windows\system32\drivers\sfi.dat
    2009-12-22 09:55 . 2009-06-12 21:50   --------   d-----w-   c:\program files\Napster
    2009-12-22 09:55 . 2009-06-12 21:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\Napster
    2009-12-22 09:54 . 2009-11-14 23:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\LogiShrd
    2009-12-22 09:54 . 2009-11-14 23:06   --------   d-----w-   c:\program files\Common Files\logishrd
    2009-12-22 07:58 . 2009-06-12 23:19   --------   d-----w-   c:\program files\SwiftKit
    2009-12-22 07:58 . 2009-06-12 22:39   39   ----a-w-   c:\documents and settings\Owner.John\jagex_runescape_preferences.dat
    2009-12-22 07:57 . 2009-09-14 01:33   69   ----a-w-   c:\documents and settings\Owner.John\jagex_runescape_preferences2.dat
    2009-12-20 08:23 . 2007-10-18 05:31   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
    2009-12-20 04:50 . 2009-06-12 21:50   --------   d-----w-   c:\program files\Common Files\AOL
    2009-12-16 08:53 . 2009-06-12 22:36   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
    2009-12-16 08:53 . 2009-10-09 05:04   4844296   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-12-14 07:09 . 2009-11-16 03:42   56328   ----a-w-   c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-13 09:16 . 2009-11-03 06:59   --------   d-----w-   c:\program files\TeamViewer
    2009-12-13 09:05 . 2009-06-12 21:51   --------   d-----w-   c:\program files\Common Files\Real
    2009-12-13 09:02 . 2009-10-31 15:49   --------   d-----w-   c:\program files\IObit
    2009-12-08 23:01 . 2005-01-10 01:26   56328   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-07 05:00 . 2009-06-12 21:42   --------   d-----w-   c:\program files\Microsoft ActiveSync
    2009-12-04 00:14 . 2009-06-12 22:36   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-04 00:13 . 2009-06-12 22:36   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2009-12-03 03:48 . 2009-06-12 21:53   --------   d-----w-   c:\program files\Microsoft Works
    2009-11-26 08:11 . 2009-06-12 23:02   171552   ----a-w-   c:\windows\system32\guard32.dll
    2009-11-26 08:11 . 2009-06-12 23:02   133064   ----a-w-   c:\windows\system32\drivers\cmdguard.sys
    2009-11-18 09:34 . 2009-06-12 23:02   87104   ----a-w-   c:\windows\system32\drivers\inspect.sys
    2009-11-18 09:34 . 2009-06-12 23:02   25160   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
    2009-11-16 03:43 . 2009-11-16 03:43   --------   d-----w-   c:\documents and settings\Guest\Application Data\Malwarebytes
    2009-11-14 23:15 . 2009-11-14 23:15   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\Leadertech
    2009-11-12 03:37 . 2009-11-12 03:37   --------   d-----w-   c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-11-10 23:57 . 2009-11-10 23:57   --------   d-----w-   c:\program files\Microsoft
    2009-11-10 23:56 . 2009-11-10 23:56   --------   d-----w-   c:\program files\Windows Live
    2009-11-10 23:56 . 2009-11-10 23:56   --------   d-----w-   c:\program files\Windows Live SkyDrive
    2009-11-10 23:51 . 2009-11-10 23:51   --------   d-----w-   c:\program files\Common Files\Windows Live
    2009-11-04 16:41 . 2009-06-12 21:48   --------   d-----w-   c:\program files\Java
    2009-11-04 16:40 . 2009-11-04 16:40   152576   ----a-w-   c:\documents and settings\Owner.John\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2009-11-03 20:22 . 2009-06-12 23:02   --------   d-----w-   c:\program files\COMODO
    2009-11-03 07:42 . 2009-10-09 07:12   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\Comodo
    2009-11-03 06:59 . 2009-11-03 06:59   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\TeamViewer
    2009-11-03 06:55 . 2009-11-03 06:54   --------   d-----w-   c:\program files\iTunes
    2009-11-03 06:54 . 2009-11-03 06:54   --------   d-----w-   c:\program files\iPod
    2009-11-03 06:54 . 2009-06-17 04:58   --------   d-----w-   c:\program files\Common Files\Apple
    2009-11-03 06:42 . 2009-11-03 06:42   79144   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-10-31 16:29 . 2009-10-31 16:29   --------   d-----w-   c:\documents and settings\Owner.John\Application Data\IObit
    2009-10-31 15:39 . 2009-07-15 21:46   --------   d-----w-   c:\program files\HP
    2009-10-29 07:45 . 2007-10-18 05:35   916480   ----a-w-   c:\windows\system32\wininet.dll
    2009-10-28 16:20 . 2009-10-28 16:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Nexon
    2009-10-21 05:38 . 2007-10-18 05:35   75776   ----a-w-   c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2007-10-18 05:32   25088   ----a-w-   c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2007-10-18 05:32   265728   ----a-w-   c:\windows\system32\drivers\http.sys
    2009-10-20 02:00 . 2009-10-20 02:00   3530   ----a-w-   c:\windows\system32\wbers.dat
    2009-10-20 02:00 . 2009-10-19 21:07   1455848136   ----a-w-   c:\documents and settings\Owner.John\Application Data\ijjigame\U_AVA_Setup.exe
    2009-10-18 07:52 . 2009-10-18 07:52   76242   ----a-w-   c:\windows\~DF1B79.tmp
    2009-10-14 21:41 . 2009-10-14 21:41   322392   ----a-w-   c:\windows\system32\wiaaut.dll
    2009-10-13 10:30 . 2007-10-18 05:34   270336   ----a-w-   c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2007-10-18 05:34   149504   ----a-w-   c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2007-10-18 05:34   79872   ----a-w-   c:\windows\system32\raschap.dll
    2009-10-11 12:17 . 2009-06-12 22:33   411368   ----a-w-   c:\windows\system32\deploytk.dll
    2009-10-09 04:56 . 2009-10-09 04:56   664   ----a-w-   c:\windows\system32\d3d9caps.dat
    2009-10-07 13:00 . 2009-07-03 01:24   394   ----a-w-   c:\documents and settings\Owner.John\Application Data\wklnhst.dat
    2009-05-13 21:55 . 2009-05-13 21:55   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-13 21:55 . 2009-05-13 21:55   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-17 2002160]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
    "Aim"="c:\program files\AIM\aim.exe" [2009-12-01 3951976]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-01-15 8744960]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-11-18 1800464]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    c:\documents and settings\Owner.John\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Nexon\\Combat Arms\\NMService.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Nexon\\Combat Arms\\Engine.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56816:TCP"= 56816:TCP:*:Disabled:Pando Media Booster
    "56816:UDP"= 56816:UDP:*:Disabled:Pando Media Booster

    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [6/12/2009 3:02 PM 133064]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/12/2009 3:02 PM 25160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
    S0 yfyflo;yfyflo;c:\windows\system32\drivers\ehskw.sys --> c:\windows\system32\drivers\ehskw.sys [?]
    S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner.John\Application Data\Mozilla\Firefox\Profiles\h8q1lrwh.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\documents and settings\Owner.John\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false.
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SigmatelSysTrayApp - sttray.exe
    HKU-Default-Run-notepad - c:\windows\system32\config\SYSTEM~1\ntload.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-23 00:36
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 


    c:\documents and settings\Owner.John\Application Data\LimeWire\mozilla-profile\places.sqlite-stmtjrnl 8200 bytes
    c:\documents and settings\Owner.John\Application Data\LimeWire\promotion\promodb.log 42 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(776)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3772)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\eHome\ehmsas.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-23  00:41:20 - machine was rebooted
    ComboFix-quarantined-files.txt  2009-12-23 08:41

    Pre-Run: 219,203,911,680 bytes free
    Post-Run: 219,158,032,384 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition"/fastdetect

    - - End Of File - - 54B867027BBC775AB786B6215DD66372

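The "Reg Loading Points" and service lines in the log above are what a helper reads first. As an added example (not from the thread and not ComboFix code), here is a small Python triage script that parses those ComboFix line shapes and flags the entries worth a second look: services whose driver file no longer exists (ComboFix prints `--> path [?]`), and autostart values pointing at a DLL or at a path under `system32\config`. The sample lines are excerpted from the log posted above; the heuristics are deliberately narrow and produce a review queue, not verdicts.

```python
"""Triage autostart entries from a ComboFix "Reg Loading Points" section.

Added example; not part of the forum thread and not code from ComboFix.
It parses the three line shapes ComboFix prints for autostarts (quoted Run
values, R#/S# service lines, and "ORPHANS REMOVED" lines) and applies three
review heuristics that match what the log above shows:
  1. a service whose image file could not be found ("--> path [?]")
  2. an autostart value that points at a .dll instead of an executable
  3. an autostart path under system32\\config (a hive directory, not a program location)
"""
import re
from dataclasses import dataclass, field

RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SERVICE_HEAD = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
ORPHAN = re.compile(r'^(?P<name>HK[A-Z]+-\S+)\s+-\s+(?P<path>.+)$')
TRAILING_META = re.compile(r'\s*\[[^\]]*\]$')          # " [date size]" suffix on service lines
SUSPECT_DIRS = ("\\system32\\config\\",)                # no legitimate program lives here


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_autostart(line: str):
    """Return {'kind', 'name', 'path', 'unresolved'} for a recognised line, else None."""
    line = line.strip()
    m = SERVICE_HEAD.match(line)
    if m:
        rest = m.group('rest')
        unresolved = rest.endswith('[?]')      # ComboFix could not find the image file
        path = rest.split(' --> ')[0] if unresolved else TRAILING_META.sub('', rest)
        return {'kind': 'service', 'name': m.group('name').strip(),
                'path': path.strip(), 'unresolved': unresolved}
    m = RUN_VALUE.match(line) or ORPHAN.match(line)
    if m:
        return {'kind': 'autostart', 'name': m.group('name'),
                'path': m.group('path').strip(), 'unresolved': False}
    return None


def audit(log_text: str) -> list:
    """Apply the three heuristics to every recognised line; one Finding per flagged line."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_autostart(raw)
        if entry is None:
            continue
        reasons = []
        lowered = entry['path'].lower()
        if entry['unresolved']:
            reasons.append('image file missing on disk')
        if entry['kind'] == 'autostart' and lowered.endswith('.dll'):
            reasons.append('autostart launches a DLL, not an executable')
        if any(d in lowered for d in SUSPECT_DIRS):
            reasons.append('path is under system32\\config')
        if reasons:
            findings.append(Finding(entry['name'], entry['path'], reasons))
    return findings


# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Aim"="c:\program files\AIM\aim.exe" [2009-12-01 3951976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [6/12/2009 3:02 PM 133064]
S0 yfyflo;yfyflo;c:\windows\system32\drivers\ehskw.sys --> c:\windows\system32\drivers\ehskw.sys [?]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

- - - - ORPHANS REMOVED - - - -
HKLM-Run-SigmatelSysTrayApp - sttray.exe
HKU-Default-Run-notepad - c:\windows\system32\config\SYSTEM~1\ntload.dll
"""

if __name__ == '__main__':
    for f in audit(SAMPLE_LOG):
        print(f"{f.name}: {f.path}\n    " + "; ".join(f.reasons))
```

Note that the Remind_XP.exe entry the poster asked about is not flagged: it is a normal executable in a normal location, which is why the helper treats it as a leftover startup program rather than malware.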
    Offline Hoov

    • Malware Removal Mentors
    • Global Moderator
    • Diamond Member
    • Posts: 22647
    • Unwilling part owner of Gov't. Motors and Chrysler
      • Hoov's Personal Site
    Re: [In Progress] Redirected searches
    « Reply #11 on: December 23, 2009, 03:02:39 PM »
Let's see if we can fix that startup program the easy way. Go to the Start button, then go to All Programs, and then go to the Startup folder. If Remind_xp.exe is listed, right click on it and select Delete. Then reboot the computer and see if the warning message pops up again. Let me know.


    Offline Sbeih

    • Bronze Member
    • Posts: 26
    Re: [In Progress] Redirected searches
    « Reply #12 on: December 24, 2009, 01:48:22 AM »
It wasn't in the Startup folder, but I deleted it myself: I went to My Computer, searched all files and folders for Remind_xp.exe, found it and deleted it, restarted the computer and it didn't pop up. Thanks a lot though; with the ComboFix my computer is running smoothly with no interruptions. I'll just repost again if something does come up. Thanks again for the help, I really appreciate it.

    Offline Hoov

    • Malware Removal Mentors
    • Global Moderator
    • Diamond Member
    • Posts: 22647
    • Unwilling part owner of Gov't. Motors and Chrysler
      • Hoov's Personal Site
    Re: [In Progress] Redirected searches
    « Reply #13 on: December 24, 2009, 11:21:55 AM »
Now there are a few things you need to do to fully clean your system and keep it secure.


    Uninstall Combofix
    The following will implement some cleanup procedures as well as reset System Restore points:
    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall

    Run OTC
    Download OTC to your desktop and run it
    Click Yes to beginning the Cleanup process and remove these components, including this application.
    You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Cleaning out Temporary Files etc. There are several different products that you can use for this. You can go through the Internet Options in the Windows Control Panel. There are several programs that do the job better than Windows does, in my opinion: System Security Suite, EasyCleaner, CCleaner. Sometimes other programs also do it as well as what you originally got them for, like ZoneAlarm Security Suite. Just make sure to keep them updated and use them regularly.

    Disable and Enable System Restore.
I recommend you turn off System Restore, and then turn it back on, so that you will not be able to restore your problems to a clean computer.
    For XP use these instructions, Windows XP System Restore Guide
    Reboot
    Re-enable system restore with instructions from tutorial above
    Create a System Restore Point
    Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

Make your Internet Explorer more secure - This can be done by following these simple instructions (unless you are using ZoneAlarm Security Suite or something similar, in which case you would secure the browser through the firewall). There are some good basic instructions for that here.

Use a different browser other than IE (most exploits are pointed towards IE). One of them is Firefox.
    It is also worth trying Thunderbird for controlling spam in your e-mail.

Always use an UPDATED anti-virus program. Make sure you update this at least weekly, if not more often. This is one thing that may save you more than anything else.

Run malware scanners. Three free ones are Spybot Search and Destroy, AdAware and Malwarebytes' Anti-Malware.

    Always use a firewall.
    Any firewall is better than none, and you should pick a firewall that you will use, as even the best firewall is worthless if you turn it off.
     
Learn how to use your firewall. Only programs that need it should have access to the net. But these are specific to the firewall you use, so you will need to learn how. Several firewalls have support forums here. My page will help you with ZoneAlarm if that is what you choose.


Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems. Some people swear that more protection is provided, but the reverse is true. They tend to argue amongst themselves and end up leaving holes. Now I have more than one AV installed on my computer, and I keep them up to date. I only run one at a time, but each program has weaknesses, so I keep a backup in case my computer starts acting up.


MOST IMPORTANT: Windows and IE, and whatever other software you have that connects to the net, need to be kept updated. The reason is, these programs connect to the net, and if there is an internal security problem, you have already told your firewall to allow the communication, and thus you will have allowed a hole. UPDATES are important. I suggest that you make sure that Windows Updates and the updates for your antivirus and antimalware programs are set for automatic updates. I also suggest running Secunia PSI. It will monitor the software you have installed and let you know when something needs to be updated.

Don't ever use P2P or filesharing software. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

Before using any malware detection / removal software, check with the Rogue/Suspect Spyware List and Rogue Applications List. That way you will know if the program you are looking at is on the up and up. If you want to know how it stacks up against other programs, check out SpywareWarrior.

    We have a good guide here at Spyware Hammer on how to prevent Malware in the Future. You might want to peruse this and follow the recommendations in there.
    PLEASE READ IT AND FOLLOW THE RECOMMENDATIONS TO PROTECT YOURSELF.

    Let us know if you have any more problems, either new or old.
    Have a good time surfing the net, but stay safe.
    If you have no more problems, let me know and I will mark this as resolved. Or if you have more questions, ask away, that is why I am here.


    Offline Sbeih

    • Bronze Member
    • Posts: 26
    Re: [In Progress] Redirected searches
    « Reply #14 on: December 25, 2009, 05:01:09 AM »
It won't let me uninstall ComboFix; it says I don't have permission. When I try and run it with permission it still won't let me.