I ran ComboFix and it appears to have fixed the search engine hijacker problem. I have just used Google and Yahoo in Firefox with no problems. The tips on your site guided me to this solution. Thanks much!!!
Here is the ComboFix log:
ComboFix 09-06-29.07 - JEFF 06/30/2009 20:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1681 [GMT -4:00]
Running from: c:\documents and settings\JEFF\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\temp\1cb
c:\temp\tn3
c:\windows\system32\AybKknnn.ini
c:\windows\system32\AybKknnn.ini2
c:\windows\system32\cIPoonpo.ini
c:\windows\system32\cIPoonpo.ini2
c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus
c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus\Rapid Antivirus.ini
c:\windows\system32\DfPooUtv.ini
c:\windows\system32\DfPooUtv.ini2
c:\windows\system32\drivers\hjgruidpuftuwt.sys
c:\windows\system32\Drivers\vessj.sys
c:\windows\system32\hjgruiajyxosfi.dll
c:\windows\system32\hjgruidguxbsob.dll
c:\windows\system32\hjgruinixmgcsw.dat
c:\windows\system32\hjgruiomkjxwar.dat
c:\windows\system32\Jmponnpo.ini
c:\windows\system32\Jmponnpo.ini2
c:\windows\system32\sBcIQXyb.ini
c:\windows\system32\sBcIQXyb.ini2
c:\windows\Tasks\kjtojuma.job
c:\windows\Tasks\oqjocwop.job
c:\windows\Tasks\yaskolop.job
c:\windows\winhelp.ini
D:\Autorun.inf
D:\Desktop.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hjgruipsgiemed
((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.
2009-06-30 23:27 . 2009-06-30 23:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 23:26 . 2009-06-30 23:26 152576 ----a-w- c:\documents and settings\JEFF\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 00:08 . 2009-06-30 00:08 -------- d-----w- c:\program files\Trend Micro
2009-06-06 21:09 . 2009-06-06 21:09 -------- d-----w- c:\windows\system32\wbem\Repository
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 00:49 . 2009-05-13 22:15 163616 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-01 00:49 . 2009-03-16 22:31 117760 ----a-w- c:\documents and settings\JEFF\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-01 00:48 . 2009-05-13 22:15 5028384 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-01 00:45 . 2009-05-13 22:15 68324 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-01 00:45 . 2009-05-13 22:15 16292 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-01 00:45 . 2008-04-20 23:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-07-01 00:45 . 2008-04-20 23:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-07-01 00:45 . 2008-04-20 23:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-07-01 00:45 . 2008-04-20 23:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-07-01 00:45 . 2008-04-20 23:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-07-01 00:45 . 2008-04-20 23:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-07-01 00:45 . 2008-04-20 23:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-07-01 00:45 . 2008-04-20 23:36 124938 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-06-30 23:27 . 2006-09-15 06:43 -------- d-----w- c:\program files\Java
2009-06-30 01:40 . 2004-08-04 21:00 11973 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-06-29 23:27 . 2009-01-01 23:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 23:26 . 2009-03-01 19:03 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-28 18:39 . 2009-01-02 00:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-22 21:03 . 2008-04-29 23:18 4130 ----a-w- c:\documents and settings\JEFF\Application Data\wklnhst.dat
2009-06-17 15:27 . 2009-01-01 23:16 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-01-01 23:16 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-07 16:04 . 2008-04-20 18:00 117008 ----a-w- c:\documents and settings\JEFF\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 23:05 . 2009-05-30 21:10 -------- d-----w- c:\program files\Ubisoft
2009-05-31 00:07 . 2009-05-31 00:07 -------- d-----w- c:\program files\Strategy First
2009-05-30 21:25 . 2006-09-15 06:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-24 00:42 . 2009-04-14 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-05-14 01:10 . 2009-05-13 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2008-04-29 23:41 . 2008-04-29 23:40 4265560 ----a-w- c:\program files\FLV PlayerRCATSetup.exe
2008-04-29 23:39 . 2008-04-29 23:39 411248 ----a-w- c:\program files\FLV PlayerRCSetup.exe
2006-11-24 17:20 . 2006-11-24 17:31 2807406 ----a-w- c:\program files\RRDialAccess-3.01-win.exe
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-21 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-01-23 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-07-31 1193200]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-07-31 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-07-31 259312]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE" [2003-02-26 77887]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-20 1519616]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 17:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 12:06 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 55024]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 10:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 10:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408]
S0 noctxlt;noctxlt;c:\windows\system32\drivers\bwhytii.sys --> c:\windows\system32\drivers\bwhytii.sys [?]
S2 npclkx;npclkx;c:\windows\system32\drivers\gyanwnk.sys --> c:\windows\system32\drivers\gyanwnk.sys [?]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [4/28/2008 10:57 PM 34916]
.
Contents of the 'Scheduled Tasks' folder
2009-06-14 c:\windows\Tasks\CAAntiSpywareScan_Daily as JEFF at 4 35 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe
HKU-Default-Run-msiexec.exe - msiconf.exe
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\JEFF\Application Data\Mozilla\Firefox\Profiles\308kokwn.default\
FF - prefs.js: browser.search.defaulturl -
hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-i3752&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
hxxp://www.usatoday.com/
FF - prefs.js: keyword.URL -
hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-06-30 20:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
- - - - - - - > 'lsass.exe'(1044)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
- - - - - - - > 'explorer.exe'(2488)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-07-01 20:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 00:54
Pre-Run: 47,421,136,896 bytes free
Post-Run: 47,280,513,024 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
240 --- E O F --- 2008-12-18 03:37