[nam_id]

So I ran Hijack This and DL'd the LSP-Fix tool.

Here is my file from Hijack This:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:42:16 AM, on 11/8/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchFilterHost.exe
L:\HijackThis.exe

O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - http://dlm.tools.aka...vex-2.2.4.1.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\Windows\system32\AstSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 3247 bytes


The question is what should I co with the rest of these? I am just nervouse enough of the winsock items to not just blindly delete them.

Any help would be greatly appreciated.

Thanks!!!!

[Advertisements]

Have a look here

What problems are you experiencing ?

[Essexboy]

Have a look here

What problems are you experiencing ?

[nam_id]

Wow, thanks for getting back to me so fast.

I have something in the system that is causing a redirect at start-up of IE8 or Firefox to a windows registry cleaner. Also, I have a number of files that won't function. I keep getting "host" errors. I have used AVG, Ad-Aware, Malwarebytes, and Obit to try and clean it, but it doesn't ever get completely rid of it.

The more it runs, the more it clogs things up. Now, I am even getting the occasional blue screen of death when I try and run Gmer. It locks up and shuts down mid scan.

Been chasing this thing around for a couple of days and it is driving me nuts!

[Essexboy]

OK then let me have a looksee By the way Hijackthis is no longer man enough for the job, just doesn't look deep enough

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in
  
  netsvcs
  %SYSTEMDRIVE%\*.exe
  /md5start
  explorer.exe
  winlogon.exe
  /md5stop
  %systemroot%\*. /mp /s
  CREATERESTOREPOINT
  
  
  
  
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

[nam_id]

Ok, here is the log. I got an error message about 1/4 of the way through the scan that said, "There is no disk in the drive. Pleas insert a disk into drive\Device\Harddisk1\DR1." If memory serves it was this same name on gmer that caused the blue screen of death too.

OTL logfile created on: 11/8/2010 9:22:32 AM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = L:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy



hope that helps. Let me know if you need anything more.

Thanks!

Attached Files

•  OTL.Txt   80.86KB   267 downloads

[nam_id]

ooops here's the Extras file

Attached Files

•  Extras.Txt   86.73KB   245 downloads

Edited by nam_id, 08 November 2010 - 10:42 AM.

[Essexboy]

The first thing I noticed was that you have a lot of registry tweaking utilities, to be honest these can do more harm than good. You also appear to running IObit, MSE and Norton as Antivirus programmes

Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

If you choose to install more than one Anti-Virus program on your computer, then only one of them should be active in memory at a time.

There are basically two types of these programs:
On-Access and On-Demand

On-Access Scanners
As the name implies, are scanners that run in the background all the time the PC is turned on and running. The main function of an On-Access scanner is to monitor activity on your machine.

On-Demand Scanners
As the name implies, are scanners that only run when you ask them to.
Such as:
Online Scans and scanners that run on your machine but are not actively scanning your machine

You need to bring it down to one Antivirus alone.

Lets try a little TLC first

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

THEN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and check disc


FINALLY

Please download MBRCheck.exe to your desktop.

• Be sure to disable your security programs
• Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
• A window similar to this should open on your desktop:
  
  
  
  
• If you are prompted with options, enter N at the prompt and press Enter
• Press Enter again
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your deskop. Please post the contents of that file.

[nam_id]

The defrag and compacting took a while.

But here's the text for the MBRcheck.

Attached Files

•  MBRCheck_11.08.10_12.29.05.txt   10.92KB   279 downloads

[Essexboy]

Are you still getting the initial redirect when starting your browsers ?

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[nam_id]

Back, sorry had to run an errand.

And yes, I am still getting the redirect to this site:

http://click.s3.amaz.../indexpcsm.html

Here is my log from the combofix.




And now you see why I am just a wee bit frustrated with this one!

Attached Files

•  Combolog.txt   15.29KB   242 downloads

[Essexboy]

OK CF reported a possible MBR infection


Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
  
  
  
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
  
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  
  
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  
  
  
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

[nam_id]

That has ran and here is the log.

by the way when I opened up my browser this time, I did not get the redirect.

[Essexboy]

Could you post the log please

[nam_id]

Shoot, thought I did that. Here's attempt #2.

Attached Files

•  TDSSKiller.2.4.7.0_08.11.2010_15.15.02_log.txt   55.81KB   346 downloads

[Essexboy]

Detected object count: 1
\HardDisk0 - will be cured after reboot
Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

That was the baby

Looking at that I am a happy bunny

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :Commands
  [resethosts]
  [purity]
  [emptytemp]
  [EMPTYFLASH]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Do not show hidden files and folders.
• Click Yes to confirm.
• Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

• SpywareBlaster to help prevent spyware from installing in the first place.
  Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe