[Active] Help - Website addresses being corrupted

  1. #1
    whyohwhyohwhy (Newbie)

    Hi,

    Hope you can help. Can I first say that I am in no way computer literate and the thread title was all I could think of to explain what seems to be happening. Can I stress that anything techno speak is a bit beyond me, so if anyone can help, please reply as though you were addressing dumb and dumber! Me being dumber!

    I have done something really stupid that has given me serious problems ever since. I'm afraid to say I'm a bit of a Bejeweled Blitz addict on Facebook and a few weeks ago the application was not available, so I had a look around FB for something similar. I can't remember the name of the game I found but on logging off I lost concentration and just clicked on a button which made the site my homepage. I managed to get rid of this, so I thought, and have deleted all cookies, etc. several times. For a while nothing happened except popups kept occurring, mainly "desperate for a date tonight", "hot singles in your area" type ones.

    Last week I tried logging onto my most visited site (a UK football club's forum) and kept getting an address in the space at the top of the webpage that had some words in front of the website's address that weren't normally there. I kept getting a "page not available", but it wasn't the usual one you get with IE; it was titled desktopsmileys. If I remember correctly, desktopsmileys was the word in front of the address of the site I was trying to access. At first I thought nothing of it, that the site might have been down, but I logged on OK the next day at work and could see that other forum users had posted the night before. Tried again from home in the evening and had the same result. The next evening I purchased a spyware package online, ran it and deleted all the identified malicious things it suggested. But when I tried to access the website it was like I was in some sort of loop. The page flashed continuously; the address was correct at the start but ended in something like /?:{}+_(&%$%^*(@~}+£$&^^>>>?:{... Just loads of random characters, with the bar at the top of the page alternating between "connecting" and the string of characters. I was trying to access the site from the link in my favourites menu. As it is an official club site I also tried going through that website, same result. I tried a link from a subscribed-to thread email, same result. Finally I tried simply typing the address in but got the same result. Don't know what else to do, so I googled computer help and you guys showed up!

    Tonight I have downloaded and run Spybot S&D.
    Ran my paid-for anti-virus programme (TalkTalk Online Security) – 6 system files that could not be deleted. This is the report:

    Advanced SystemCare Update History


    v3.3.4

    * Fixed bugs for 64bit Windows 7
    + Improved AutoCare function


    v3.3.3

    + Improved System Optimization module
    * Fixed general bugs


    v3.3.2

    + Added detailed online Help
    + Fixed compatible bugs in Registry Scan module
    * Fixed general bugs


    v3.3.1

    + Added Internet Booster tool
    + Added Clone File Finder tool
    + Improved Disk Explorer tool
    + Improved Registry Scan module
    * Fixed main program startup bug
    * Fixed compatible bug of AutoUpdate function
    * Fixed bugs in Security Defense module with IE 8


    v3.2.0

    + Improved Spyware Removal function
    + Added "Game Booster"
    + Supported "Google Chrome" privacy sweep
    + Improved "disk defragment" engine
    + Improved "Utilities" section
    * Fixed bugs in update function
    * Fixed general bugs


    v3.1.2

    * Improved update function
    * Improved "Utilities" section
    * Fixed general bugs

    v3.1.1

    + Improved Registry scan module

    v3.1.0

    * Supported Windows XP/Vista 64bit edition
    * Added support for FireFox 3
    * Fixed general bugs

    v3.0.1

    * Fixed compatible bugs
    * Fixed bugs in installation

    v3.0.0

    + Added new functions, features and tools
    + Improved overall modules and functions
    + Applied new interface

    Then I downloaded the HIJACK programme and got this from the scan:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:02:16, on 12/08/2009
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v8.00 (8.00.6001.18813)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\TalkTalk Online Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\TalkTalk Online Security\Common\FSMA32.EXE
    C:\Program Files\TalkTalk Online Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\TalkTalk Online Security\Common\FSMB32.EXE
    C:\Windows\system32\svchost.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\Windows\system32\svchost.exe
    C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
    C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    C:\Program Files\TalkTalk Online Security\Common\FCH32.EXE
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\TalkTalk Online Security\Common\FAMEH32.EXE
    C:\Program Files\TalkTalk Online Security\Anti-Virus\fsqh.exe
    C:\Program Files\TalkTalk Online Security\FSAUA\program\fsaua.exe
    C:\Program Files\TalkTalk Online Security\Anti-Virus\fssm32.exe
    C:\Program Files\TalkTalk Online Security\FWES\Program\fsdfwd.exe
    C:\Program Files\TalkTalk Online Security\FSAUA\program\fsus.exe
    C:\Program Files\TalkTalk Online Security\Anti-Virus\fsav32.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\TalkTalk Online Security\Common\FSM32.EXE
    C:\Program Files\TalkTalk\bin\sprtcmd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\TalkTalk Online Security\FSGUI\fsguidll.exe
    C:\Program Files\Launch Manager\WisLMSvc.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\IObit\Advanced SystemCare 3\Awc.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Media Access Startup - {25B8D58C-B0CB-46b0-BA64-05B3804E4E86} - (no file)
    O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.3.0.4160\NPIEAddOn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: System Search Dispatcher - {CDBFB47B-58A8-4111-BF95-06178DCE326D} - C:\Program Files\System Search Dispatcher\1.2.0.750\ssd.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [recinfo966] c:\RecInfo\RecInfo.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\TalkTalk Online Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\TalkTalk Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O13 - Gopher Prefix:
    O15 - Trusted Zone: Liverpoolfc.tv : Login Error
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\TalkTalk Online Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\TalkTalk Online Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\TalkTalk Online Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\TalkTalk Online Security\Common\FSMA32.EXE
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
    O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe

    --
    End of file - 10164 bytes

    The site I'm trying to access is listed near the bottom (O15). I've tried adding it to trusted sites in case that made a difference, but it hasn't.

    Appreciate any ideas


  2. #2
    broni (Senior Member)
    Is this the only site you have a problem accessing?
    What browser and version are you using?
    Did you try a different browser?

    I also see some unwanted entries in HJT, so we better run some checks.

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.15020 Download
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4.
    Post fresh HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  3. #3
    whyohwhyohwhy (Newbie)
    Quote Originally Posted by broni:
    Is this the only site you have a problem accessing?
    What browser and version are you using?
    Did you try a different browser?

    I also see some unwanted entries in HJT, so we better run some checks.
    Hi broni,

    Thank you for replying.

    Yes this is the only site I am having problems with. It's just the forums part of the site. I can access all other areas.

    I recently installed Internet Explorer 8.

    No, haven't tried a different browser. No idea how I would do that.

    I'm off now to do everything you have suggested. Fingers crossed!

  4. #4
    whyohwhyohwhy (Newbie)
    Quote Originally Posted by broni:
    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen
    Hi,

    I've got up to this part but after tapping the F8 key over a hundred times nothing happens. I've tried shutting down completely and rebooting a couple of times but with no result.

    In case this helps I am using a Fujitsu Siemens Amilo Li2727 laptop which is a very basic model.

    Thanks!

  5. #5
    broni (Senior Member)
    Run Super in normal mode then.

  6. #6
    whyohwhyohwhy (Newbie)
    Quote Originally Posted by whyohwhyohwhy:
    Hi,

    I've got up to this part but after tapping the F8 key over a hundred times nothing happens. I've tried shutting down completely and rebooting a couple of times but with no result.

    In case this helps I am using a Fujitsu Siemens Amilo Li2727 laptop which is a very basic model.

    Thanks!
    Please ignore this post, I wasn't pressing F8 at the start of booting up.

    I've run the SUPERAntiSpyware scan, here are the results:

    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 08/15/2009 at 04:59 PM

    Application Version : 4.27.1002

    Core Rules Database Version : 4058
    Trace Rules Database Version: 1998

    Scan type : Complete Scan
    Total Scan Time : 00:41:59

    Memory items scanned : 271
    Memory threats detected : 0
    Registry items scanned : 6320
    Registry threats detected : 32
    File items scanned : 76487
    File threats detected : 33

    Adware.SystemSearchDispatch
    HKLM\Software\Classes\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}
    HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}
    HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}
    HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\InprocServer32
    HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\InprocServer32#ThreadingModel
    HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\ProgID
    HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\Programmable
    HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\TypeLib
    HKCR\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\VersionIndependentProgID
    HKCR\ExplorerBar.FunRedirector.1
    HKCR\ExplorerBar.FunRedirector.1\CLSID
    HKCR\ExplorerBar.FunRedirector
    HKCR\ExplorerBar.FunRedirector\CLSID
    HKCR\ExplorerBar.FunRedirector\CurVer
    HKCR\TypeLib\{883DFC00-8A21-411d-956C-73A4E4B7D16F}
    HKCR\TypeLib\{883DFC00-8A21-411d-956C-73A4E4B7D16F}\1.0
    HKCR\TypeLib\{883DFC00-8A21-411d-956C-73A4E4B7D16F}\1.0\0
    HKCR\TypeLib\{883DFC00-8A21-411d-956C-73A4E4B7D16F}\1.0\0\win32
    HKCR\TypeLib\{883DFC00-8A21-411d-956C-73A4E4B7D16F}\1.0\FLAGS
    C:\PROGRAM FILES\SYSTEM SEARCH DISPATCHER\1.2.0.750\SSD.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDBFB47B-58A8-4111-BF95-06178DCE326D}
    HKU\S-1-5-21-3311514192-840053139-1308077714-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CDBFB47B-58A8-4111-BF95-06178DCE326D}
    C:\Program Files\System Search Dispatcher\1.2.0.750\Data\eacore.mx
    C:\Program Files\System Search Dispatcher\1.2.0.750\Data\URLDynamic.mx
    C:\Program Files\System Search Dispatcher\1.2.0.750\Data\URLStatic.mx
    C:\Program Files\System Search Dispatcher\1.2.0.750\Data
    C:\Program Files\System Search Dispatcher\1.2.0.750\unins000.dat
    C:\Program Files\System Search Dispatcher\1.2.0.750\unins000.exe
    C:\Program Files\System Search Dispatcher\1.2.0.750
    C:\Program Files\System Search Dispatcher
    HKCR\Interface\{480098C6-F6AD-4C61-9B5C-2BAE228A34D1}
    HKCR\Interface\{480098C6-F6AD-4C61-9B5C-2BAE228A34D1}\ProxyStubClsid
    HKCR\Interface\{480098C6-F6AD-4C61-9B5C-2BAE228A34D1}\ProxyStubClsid32
    HKCR\Interface\{480098C6-F6AD-4C61-9B5C-2BAE228A34D1}\TypeLib
    HKCR\Interface\{480098C6-F6AD-4C61-9B5C-2BAE228A34D1}\TypeLib#Version

    Adware.DesktopSmileyToolbar
    HKU\S-1-5-21-3311514192-840053139-1308077714-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}
    HKU\S-1-5-21-3311514192-840053139-1308077714-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{5617ECA9-488D-4BA2-8562-9710B9AB78D2}

    Trojan.DNSChanger-Codec
    HKU\S-1-5-21-3311514192-840053139-1308077714-1000\Software\fcn

    Adware.MediaAccessStartup
    C:\Program Files\Media Access Startup\1.3.0.790\Data\config.md
    C:\Program Files\Media Access Startup\1.3.0.790\Data
    C:\Program Files\Media Access Startup\1.3.0.790\FF\chrome\content\HPAddOn.js
    C:\Program Files\Media Access Startup\1.3.0.790\FF\chrome\content\HPAddOn.xul
    C:\Program Files\Media Access Startup\1.3.0.790\FF\chrome\content
    C:\Program Files\Media Access Startup\1.3.0.790\FF\chrome\HPAddOn.jar
    C:\Program Files\Media Access Startup\1.3.0.790\FF\chrome
    C:\Program Files\Media Access Startup\1.3.0.790\FF\chrome.manifest
    C:\Program Files\Media Access Startup\1.3.0.790\FF\components\HPFFAddOn.dll
    C:\Program Files\Media Access Startup\1.3.0.790\FF\components\HPFFAddOn.xpt
    C:\Program Files\Media Access Startup\1.3.0.790\FF\components\HPFFHelperComponent.js
    C:\Program Files\Media Access Startup\1.3.0.790\FF\components
    C:\Program Files\Media Access Startup\1.3.0.790\FF\install.rdf
    C:\Program Files\Media Access Startup\1.3.0.790\FF
    C:\Program Files\Media Access Startup\1.3.0.790\HPCommon.dll
    C:\Program Files\Media Access Startup\1.3.0.790\hpieaddon.0ll
    C:\Program Files\Media Access Startup\1.3.0.790\hppx.exe
    C:\Program Files\Media Access Startup\1.3.0.790\MAHelper.exe
    C:\Program Files\Media Access Startup\1.3.0.790\unins000.dat
    C:\Program Files\Media Access Startup\1.3.0.790\unins000.exe
    C:\Program Files\Media Access Startup\1.3.0.790
    C:\Program Files\Media Access Startup

    Adware.DoubleD
    HKU\S-1-5-21-3311514192-840053139-1308077714-1000\Software\DoubleD
    HKLM\Software\DoubleD
    HKLM\Software\DoubleD\DoubleD
    C:\Program Files\DoubleD\GamingHarbor Toolbar
    C:\Program Files\DoubleD

    I'm off to do the Malwarebytes bit now. There were lots of threats found, including one trojan and that desktop smiley.

    Here is the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.40
    Database version: 2630
    Windows 6.0.6000

    15/08/2009 18:11:39
    mbam-log-2009-08-15 (18-11-39).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 165862
    Time elapsed: 43 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 17
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 7
    Files Infected: 18

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\explorerbar.funexplorer (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\explorerbar.funexplorer.1 (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6160f76a-1992-4b17-a32d-0c706d159105} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{877f3eab-4462-44df-8475-6064eafd7fbf} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{25b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{35b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{c28a0312-c403-417b-a425-a915bc0519cd} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{ac5ab953-ed25-4f9c-87f0-b086b0178ffa} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{16b6279b-9ff5-41fb-8bf9-404324f5dd1f}}_is1 (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1fb52ab3-5987-45a2-85e0-f3ec30dddc29}}_is1 (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c5096216-7703-409e-b85a-8a6ee7395128}}_is1 (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live-Player (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{0ba0192d-94a5-45e3-b2b8-3ec5a1a0b5ec} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{2224e955-00e9-4613-a844-ce69fccaae91} (Adware.DoubleD) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\Internet Saving Optimizer (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160 (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\Data (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\chrome (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\chrome\content (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\components (Adware.DoubleD) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Users\Lyn\Local Settings\Application Data\cssoaae_navps.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
    C:\Users\Lyn\Local Settings\Application Data\cssoaae_nav.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
    C:\Users\Lyn\Local Settings\Application Data\cssoaae.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
    C:\Users\Lyn\Local Settings\Application Data\cssoaae.exe (Adware.Navipromo.H) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\NPIEAddOn.dll (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\adwpx.exe (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\NPCommon.dll (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\unins000.dat (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\unins000.exe (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\Data\config.md (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\chrome.manifest (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\install.rdf (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\chrome\NPAddOn.jar (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\chrome\content\NPAddOn.js (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\chrome\content\NPAddOn.xul (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\components\NPFFAddOn.dll (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\components\NPFFAddOn.xpt (Adware.DoubleD) -> Quarantined and deleted successfully.
    C:\Program Files\Internet Saving Optimizer\3.3.0.4160\FF\components\NPFFHelperComponent.js (Adware.DoubleD) -> Quarantined and deleted successfully.


    Thank you very much for your help so far!
    Last edited by whyohwhyohwhy; 15-08-2009 at 06:14 PM.

  7. #7
    whyohwhyohwhy is offline Newbie
    Quote Originally Posted by broni View Post
    RESTART COMPUTER!

    STEP 3. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.15020 Download
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.
    Having trouble running this. First time I tried everything locked up mid-scan. I'll try again and report back.

    Edit: Same thing happened... everything froze up. It seemed to get stuck on \Cdfs if that means anything. That was at the bottom of the page when everything froze. Cursor wouldn't move, Control Alt Delete wouldn't work so I had to hold the "switch on" button for a while to shut down. I'll try your other suggested links and report back.

    - http://www.softpedia.com/get/Interne...ers/GMER.shtml I get a page error. 404 not found, we are sorry but there is no softpedia web page matching your entry...

    |MG| GMER 1.0.15.15020 Download I don't see an .exe file to download. There is a link to recommended download: Click here to check for system problems. Should I try this?
    Last edited by whyohwhyohwhy; 15-08-2009 at 07:58 PM.

  8. #8
    broni is offline Senior Member
    That's fine....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  9. #9
    whyohwhyohwhy is offline Newbie
    Quote Originally Posted by broni View Post
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    I'm really sorry broni, but I'd like to check how to disable my antivirus. Not sure how I do that.

    Also, I presume if I click close on the spyware stuff I have (not the one you recommended but the one I had tried on my own before finding this site) - that opens whenever I switch on. Am I disabling it by just clicking on close?

    Thank you for your continued patience, it is really appreciated!

  10. #10
    broni is offline Senior Member
    I'd like to check how to disable my antivirus
    Did you...
    "Click on this link " to find out?

    Am I disabling it by just clicking on close?
    It should do.
