yahoo and google redirect help needed



lt1bird
2011-10-21, 12:11
Thanks for the help, repeat customer.




DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Dan at 6:07:29 on 2011-10-21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.414 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Norton antivirus\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hot Keyboard Pro1\HotKeyb.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Norton antivirus\defwatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\CoCreate\MEls\MEls32.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
c:\program files\oem\msaspgh\msaspghost.exe
C:\Program Files\Norton antivirus\rtvscan.exe
C:\Program Files\CoCreate\OSDM_Server_2006\SDserver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dynotunenitrous.com/store/Scripts/default.asp
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Hot Keyboard] c:\program files\hot keyboard pro1\HotKeyb.exe -minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB002" /M "Stylus CX7800"
mRun: [GoToMyPC] c:\program files\citrix\gotomypc\g2svc.exe -logon
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [vptray] c:\program files\norton antivirus\vptray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\dan\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Assign &hot key - c:\program files\hot keyboard pro1\IEScript.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1297737672125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5130D4FD-3D68-4F6E-B691-0FCC52C9AC78} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BEAC1E04-F613-40AA-B8BD-9A892AAA96F2} : DhcpNameServer = 192.168.1.2
.
============= SERVICES / DRIVERS ===============
.
R1 CXAVSAUD;AOpen VA2000 Audio Capture;c:\windows\system32\drivers\cxavsaud.sys [2005-8-17 9856]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-20 366152]
R2 MEls;MEls;c:\program files\cocreate\mels\MEls32.exe [2006-3-1 6410240]
R2 MSASPGHost;MSAS Plugin Host Service;c:\program files\oem\msaspgh\MSASPGHost.exe [2004-9-9 49152]
R2 NAVAPEL;NAVAPEL;c:\program files\norton antivirus\Navapel.sys [2001-12-4 8464]
R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\norton antivirus\rtvscan.exe [2001-12-5 471040]
R2 SDserver2006;SDserver2006;c:\program files\cocreate\osdm_server_2006\SDserver.exe [2006-10-18 102400]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-20 22216]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-7-26 14336]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2010-1-6 14592]
.
=============== File Associations ===============
.
.scr=AutoCADLTScript
.
=============== Created Last 30 ================
.
2011-10-21 01:15:42 -------- d-----w- c:\documents and settings\dan\application data\Malwarebytes
2011-10-21 01:15:35 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-21 01:15:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-21 01:15:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-20 23:20:29 98816 ----a-w- c:\windows\sed.exe
2011-10-20 23:20:29 518144 ----a-w- c:\windows\SWREG.exe
2011-10-20 23:20:29 256000 ----a-w- c:\windows\PEV.exe
2011-10-20 23:20:29 208896 ----a-w- c:\windows\MBR.exe
2011-10-20 23:20:19 -------- d-----w- C:\ComboFix
2011-10-20 11:06:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-20 03:21:47 69120 --sha-r- c:\windows\system32\kbdgr0.dll
2011-10-02 21:48:08 -------- d-----w- c:\windows\system32\Silabs
2011-10-02 21:48:06 -------- d-----w- c:\program files\EasyLog USB
2011-09-28 01:42:01 25600 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2011-09-28 01:42:01 25600 ----a-w- c:\windows\system32\drivers\usbser.sys
2011-09-28 01:19:57 -------- d-----w- c:\program files\Lascar
2011-09-25 02:41:09 -------- d--h--w- c:\windows\PIF
.
==================== Find3M ====================
.
.
============= FINISH: 6:08:13.01 ===============






-------------------------------------------------------------------------

Attach:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/17/2005 11:16:09 AM
System Uptime: 10/20/2011 8:27:53 PM (10 hours ago)
.
Motherboard: AOpen | | UX945G
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | | 2800/mhz
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | | 2800/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 230 GiB total, 179.97 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9
AOpen VA2000 WDM Drivers
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 5
ATI Display Driver
AutoCAD LT 97
CircuitMaker 6 Student
CoCreate License Server 14.0.1
CoCreate OneSpace Designer Library3D 2006
CoCreate OneSpace Designer Modeling 2006
CoCreate OneSpace Designer Modeling Server 2006
CoCreate OneSpace Modeling Personal Edition
CoCreate OneSpace.net Application Manager
CoCreate OneSpace.net Runtime Environment
CorelDRAW Graphics Suite 12
DWGeditor
EasyLog USB
eDrawings 2006
eMachineShop
EPSON CX 7800 Guide
EPSON Printer Software
EPSON Scan
ERUNT 1.1j
FTDI USB Serial Converter Drivers
getPlus(R) for Adobe
Google Earth
GoToMyPC
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hot Keyboard Pro 2.8
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
InterActual Player
Ipswitch WS_FTP Pro
iTunes
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 11
KPT(R) Collection
LiveUpdate 1.7 (Symantec Corporation)
Lotus SmartSuite - English
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Silverlight
MSASPGH
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Nero Suite
Netscape (7.2)
Nikon Message Center
Norton AntiVirus Corporate Edition
OpenOffice.org Installer 1.0
Panel Pilot
PictureProject
Power Commander 3 USB
Power Commander Control Center 3.2.0 (Test Build 1)
PowerDVD
PSIM-in-DOSBox ver: 1.2
PTC ProductView Express - Wildfire 2.0 (F000)
QuickBooks Basic 2002
Quicken 2006
QuickTime
Realtek High Definition Audio Driver
S800
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SolidWorks 2006 Personal Edition
Spybot - Search & Destroy
TFI CODER v1.6
Turbo Lister
Two Stroke Engine Expansion Chamber Design Utility
Ulead PhotoImpact 4.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
WebFldrs XP
Windows Driver Package - Lascar Electronics Ltd. (usbser) Ports (01/02/2010 1.0.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891220
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892627
Windows XP Hotfix - KB893056
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB890629
Windows XP Media Center Edition 2005 KB890760
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB973768
WinZip
.
==== Event Viewer Messages From Past Week ========
.
10/20/2011 8:17:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
10/20/2011 8:12:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/20/2011 8:11:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/20/2011 8:08:13 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
10/20/2011 7:06:30 AM, error: PlugPlayManager [11] - The device Root\LEGACY_NAVEX15\0000 disappeared from the system without first being prepared for removal.
10/20/2011 7:06:30 AM, error: NAVAP [20] - Unable to initialize the virus scanning engine database files.
.
==== End Of File ===========================

jeffce
2011-10-21, 18:41
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method (Recommended: Immediate Notification)
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.
----------

GMER

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
----------

I see that you have run ComboFix on this system before. When was the last time you ran that tool? If you still have the log for that, could you post it please? It would be found here >> C:\ComboFix.txt

In your next reply please post the log created by GMER and let me know what symptoms your system is having that is making you think you have some type of infection? :)

lt1bird
2011-10-22, 00:31
Thanks Jeff for the help. I could not find the ComboFix log... Don't think I saved it, said nothing was found??

Used ComboFix a few days ago... Sorry, ran GMER with my antivirus and TeaTimer on; if that's an issue let me know, I will remember next time!

I am having a re-direct in Google and Yahoo when I search for something, then click on the link. If I type in the addy or link direct it works fine. Other than that the computer seems to be working fine. It redirects to some page like super yellow pages etc...


Gmer log
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-21 18:22:51
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250823AS rev.3.03
Running: gmer.exe; Driver: C:\DOCUME~1\Dan\LOCALS~1\Temp\fflcapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6DF3000, 0x1894F8, 0xE8000020]
? C:\DOCUME~1\Dan\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[5292] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5292] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5292] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5292] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5292] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5292] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5292] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5292] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5292] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \Fat 96510C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 PE file @ sector 488392065

---- EOF - GMER 1.0.15 ----




--------------------------------------------------------------------------
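The GMER log above is plain text split into "---- name - GMER x.y ----" sections. As an added example (not part of this thread and not GMER's own tooling), here is a small Python parser that splits such a log into sections, pulls out the user-mode hooks, the kernel notes, the device and disk-sector entries, and groups them into review items for the analyst; the sample input is a shortened excerpt constructed from the log posted above, and the script makes no infection verdict.

```python
import re
from collections import defaultdict

# Constructed sample input: a shortened excerpt in the format of the GMER log posted above.
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-21 18:22:51
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250823AS rev.3.03
Running: gmer.exe; Driver: C:\DOCUME~1\Dan\LOCALS~1\Temp\fflcapog.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6DF3000, 0x1894F8, 0xE8000020]
? C:\DOCUME~1\Dan\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[5292] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[5292] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \Fat 96510C8A

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 PE file @ sector 488392065

---- EOF - GMER 1.0.15 ----
"""

# One regex per line shape seen in the log; lines that match none land in "unparsed".
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^\s!]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-F]+)\s+(?P<nbytes>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-F]+)\s+"
    r"(?P<target_path>.+?)(?:\s+\((?P<owner>[^)]*)\))?$")
WRITEABLE_RE = re.compile(r"^\.text\s+(?P<driver>.+?)\s+section is writeable\s+\[(?P<info>[^\]]*)\]$")
MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+(?P<message>.+?)\s*!$")
DEVICE_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device)\s+(?P<object>\S+)\s+(?P<name>\S+)\s+(?P<owner>\S+)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?$")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<finding>.+?)(?:\s+@ sector (?P<sector>\d+))?$")
BARE_ADDRESS_RE = re.compile(r"^[0-9A-F]{8}$")  # an owner given as an address, not a file name

LINE_TYPES = (("hooks", HOOK_RE), ("writeable_sections", WRITEABLE_RE),
              ("missing_files", MISSING_RE), ("devices", DEVICE_RE), ("disk", DISK_RE))


def parse_gmer(text):
    """Walk a GMER text log, track the current '---- name ----' section, classify each line."""
    report = {"header": [], "hooks": [], "writeable_sections": [], "missing_files": [],
              "devices": [], "disk": [], "unparsed": []}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "header":          # scan banner lines before the first section
            report["header"].append(line)
            continue
        if section == "EOF":
            break
        for key, rx in LINE_TYPES:
            m = rx.match(line)
            if m:
                entry = m.groupdict()
                entry["section"] = section
                if key == "hooks":
                    entry["pid"] = int(entry["pid"])
                if key == "disk" and entry["sector"] is not None:
                    entry["sector"] = int(entry["sector"])
                report[key].append(entry)
                break
        else:
            report["unparsed"].append((section, line))
    return report


def triage(report):
    """Group parsed entries into review items. This is a summary, not a verdict: inline hooks
    placed by a named, legitimate module (IEFRAME.dll hooking USER32 here) are routine."""
    items = []
    by_target = defaultdict(list)
    for h in report["hooks"]:
        owner = f" ({h['owner']})" if h["owner"] else ""
        by_target[(f"{h['process']}[{h['pid']}]", h["target_path"] + owner)].append(
            f"{h['module']}!{h['function']}")
    for (proc, target), funcs in by_target.items():
        items.append(f"{proc}: {len(funcs)} user-mode hooks redirected into {target}: {', '.join(funcs)}")
    for w in report["writeable_sections"]:
        items.append(f"kernel: code section of {w['driver']} is writeable [{w['info']}]")
    for f in report["missing_files"]:
        items.append(f"kernel: {f['path']}: {f['message']}")
    for d in report["devices"]:
        if BARE_ADDRESS_RE.match(d["owner"]):
            items.append(f"device {d['object']} ({d['name']}) is owned by bare address {d['owner']}, "
                         "not a named driver: review")
    for d in report["disk"]:
        where = f" at sector {d['sector']}" if d["sector"] is not None else ""
        items.append(f"disk {d['device']}: {d['finding']}{where}: review what is stored there")
    return items


if __name__ == "__main__":
    for item in triage(parse_gmer(SAMPLE_LOG)):
        print(item)
```

Unknown line shapes are kept verbatim under "unparsed" so nothing in a real log is silently dropped.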

jeffce
2011-10-22, 03:02
Hi lt1bird,

If you still have the ComboFix icon on your Desktop please delete it then follow these instructions...

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

lt1bird
2011-10-22, 05:14
ComboFix 11-10-19.06 - Dan 10/21/2011 22:55:30.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.377 [GMT -4:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\gotomon.log
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-09-22 to 2011-10-22 )))))))))))))))))))))))))))))))
.
.
2011-10-21 01:15 . 2011-10-21 01:15 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
2011-10-21 01:15 . 2011-10-21 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-21 01:15 . 2011-10-21 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-21 01:15 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-20 11:06 . 2011-10-20 11:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-20 03:21 . 2011-10-20 03:21 69120 --sha-r- c:\windows\system32\kbdgr0.dll
2011-10-02 21:48 . 2011-10-02 21:49 -------- d-----w- c:\windows\system32\Silabs
2011-10-02 21:48 . 2011-10-02 21:48 -------- d-----w- c:\program files\EasyLog USB
2011-09-28 01:42 . 2004-08-04 03:08 25600 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2011-09-28 01:42 . 2004-08-04 03:08 25600 ----a-w- c:\windows\system32\drivers\usbser.sys
2011-09-28 01:20 . 2011-09-28 01:20 -------- d-----w- c:\program files\DIFX
2011-09-28 01:19 . 2011-09-28 01:19 -------- d-----w- c:\program files\Lascar
2011-09-25 02:41 . 2011-09-25 02:41 -------- d--h--w- c:\windows\PIF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-20_23.31.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-22 03:05 . 2011-10-22 03:05 16384 c:\windows\Temp\Perflib_Perfdata_1dc.dat
+ 2011-10-22 03:05 . 2011-10-22 03:05 1536 c:\windows\Temp\LogMesg.dll
- 2011-10-20 23:31 . 2011-10-20 23:31 1536 c:\windows\Temp\LogMesg.dll
+ 2011-10-22 03:06 . 2011-10-22 03:06 708608 c:\windows\ERDNT\AutoBackup\10-21-2011\Users\00000002\UsrClass.dat
+ 2011-10-22 03:06 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\10-21-2011\ERDNT.EXE
+ 2011-10-21 00:35 . 2011-10-21 00:35 708608 c:\windows\ERDNT\10-20-2011\Users\00000002\UsrClass.dat
+ 2011-10-21 00:35 . 2005-10-20 16:02 163328 c:\windows\ERDNT\10-20-2011\ERDNT.EXE
+ 2011-10-22 03:06 . 2011-10-22 03:06 9756672 c:\windows\ERDNT\AutoBackup\10-21-2011\Users\00000001\ntuser.dat
+ 2011-10-21 00:35 . 2011-10-21 00:35 9756672 c:\windows\ERDNT\10-20-2011\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Keyboard"="c:\program files\Hot Keyboard Pro1\HotKeyb.exe" [2006-03-23 612056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-07 98304]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 249904]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"vptray"="c:\program files\Norton antivirus\vptray.exe" [2001-12-05 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\documents and settings\Dan\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"cdloader"="c:\documents and settings\Dan\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"Ulead Update"=rundll32 "c:\documents and settings\Dan\Local Settings\Application Data\ApplicationHistory\ApplicationHistoryUpdate\ApplicationHistoryupdt32.dll",DllRegisterServer
"AppleManagerUpdate"=rundll32.exe "c:\documents and settings\All Users\Application Data\AppleManagerUpdate.dll",DllRegisterServer
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"RTHDCPL"=RTHDCPL.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"USSShReg"=c:\progra~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe /r
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"High Definition Audio Property Page Shortcut"=HDAShCut.exe
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"vptray"=c:\program files\Norton antivirus\vptray.exe
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"SoundMan"=SOUNDMAN.EXE
"iTunesHelper"=c:\program files\iTunes\iTunesHelper.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"AlcWzrd"=ALCWZRD.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Dan\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
.
R1 CXAVSAUD;AOpen VA2000 Audio Capture;c:\windows\system32\drivers\cxavsaud.sys [8/17/2005 7:53 PM 9856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/20/2011 9:15 PM 366152]
R2 MEls;MEls;c:\program files\CoCreate\MEls\MEls32.exe [3/1/2006 3:26 PM 6410240]
R2 MSASPGHost;MSAS Plugin Host Service;c:\program files\OEM\MSASPGH\MSASPGHost.exe [9/9/2004 6:43 PM 49152]
R2 SDserver2006;SDserver2006;c:\program files\CoCreate\OSDM_Server_2006\SDserver.exe [10/18/2006 7:21 PM 102400]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/20/2011 9:15 PM 22216]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [7/26/2005 6:00 PM 14336]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [1/6/2010 4:00 PM 14592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dynotunenitrous.com/store/Scripts/default.asp
IE: Assign &hot key - c:\program files\Hot Keyboard Pro1\IEScript.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
------- File Associations -------
.
.scr=AutoCADLTScript
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{113ED6EE-EE5F-432C-B0C5-2B643B7B54Ce} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-21 23:06
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(6616)
c:\windows\system32\WININET.dll
c:\program files\Hot Keyboard Pro1\hkhook21.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Norton antivirus\defwatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Norton antivirus\rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\MsgSys.EXE
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-10-21 23:09:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-22 03:09
ComboFix2.txt 2011-10-20 23:37
ComboFix3.txt 2009-02-02 23:29
.
Pre-Run: 193,134,735,360 bytes free
Post-Run: 193,105,866,752 bytes free
.
- - End Of File - - F43A81060C9A30A575438A66CC2EB1D3

jeffce
2011-10-22, 15:08
Hi lt1bird,

I see that you have Malwarebytes on your system already. Please open that program, update it and then run a Quick Scan. Save the log created to your Desktop so you can post it into your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.


As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.

Do not use this instance of your browser for anything besides doing this scan
When the scan is complete and the results saved, close that instance of your browser
Open a new one the usual way and post the results in this topic.



Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the Start button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish

http://www.eset.com/onlinescan/
----------

In your next reply please post the logs created by Malwarebytes and ESET online scanner.

lt1bird
2011-10-22, 17:50
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7999

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

10/22/2011 10:45:38 AM
mbam-log-2011-10-22 (10-45-38).txt

Scan type: Quick scan
Objects scanned: 180762
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


---------------------------------------------------------------------

ESET SCAN

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\AppleManagerUpdate.dll.vir Win32/TrojanDownloader.Tracur.I trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Local Settings\Application Data\ServiceWOW64.dll.vir a variant of Win32/Kryptik.UHI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Local Settings\Application Data\ApplicationHistory\ApplicationHistoryUpdate\ApplicationHistoryupdt32.dll.vir a variant of Win32/Kryptik.UHI trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mdhcp32.dll.vir probably a variant of Win32/Lukicsel.T trojan
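
Read together, the ComboFix log above shows the disabled run- entries Ulead Update and AppleManagerUpdate loading DLLs from Application Data paths through rundll32 ...,DllRegisterServer, and this ESET scan names those same quarantined DLLs as Tracur and Kryptik. The Python below is an added example, not code from the thread or from ComboFix: it parses a constructed excerpt of that "Reg Loading Points" section and flags autostart entries that combine those traits; the trait names and the two-or-more threshold are my own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the ComboFix "Reg Loading Points" section posted above
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Keyboard"="c:\program files\Hot Keyboard Pro1\HotKeyb.exe" [2006-03-23 612056]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"cdloader"="c:\documents and settings\Dan\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
"Ulead Update"=rundll32 "c:\documents and settings\Dan\Local Settings\Application Data\ApplicationHistory\ApplicationHistoryUpdate\ApplicationHistoryupdt32.dll",DllRegisterServer
"AppleManagerUpdate"=rundll32.exe "c:\documents and settings\All Users\Application Data\AppleManagerUpdate.dll",DllRegisterServer
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
'''

KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<cmd>.*)$')
QUOTED_RE = re.compile(r'^"(?P<path>[^"]+)"')
# rundll32[.exe] <dll>,<export>; quotes around the DLL path are optional
RUNDLL_RE = re.compile(
    r'^\s*rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\w+)', re.I)
# User-writable locations on XP; installed software normally autostarts elsewhere
PROFILE_DIRS = ('\\documents and settings\\', '\\application data\\', '\\local settings\\')

@dataclass
class Finding:
    key: str
    name: str
    path: str
    export: Optional[str]
    reasons: List[str]

def extract_target(cmd: str):
    """Return (path, export) for the command line of one Run value."""
    if m := RUNDLL_RE.match(cmd):
        return m.group('dll').strip(), m.group('export')
    if q := QUOTED_RE.match(cmd):
        return q.group('path'), None
    return (cmd.split() or [''])[0], None

def classify(cmd: str, path: str, export: Optional[str]) -> List[str]:
    """Name the traits that make an autostart entry worth a second look."""
    reasons = []
    if RUNDLL_RE.match(cmd):
        reasons.append('rundll32-loader')           # DLL run through a Windows host binary
    if any(d in path.lower() for d in PROFILE_DIRS):
        reasons.append('profile-path')              # stored where the user can write
    if export and export.lower() == 'dllregisterserver':
        reasons.append('dllregisterserver-export')  # COM registration entry point as autostart
    return reasons

def parse_loading_points(text: str) -> List[Finding]:
    """Parse ComboFix 'Reg Loading Points' lines into classified findings."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if km := KEY_RE.match(line):
            key = km.group('key')
            continue
        if (em := ENTRY_RE.match(line)) and key is not None:
            path, export = extract_target(em.group('cmd'))
            findings.append(Finding(key, em.group('name'), path, export,
                                    classify(em.group('cmd'), path, export)))
    return findings

def suspicious(findings: List[Finding]) -> List[Finding]:
    """Entries with two or more traits; any single one is common in benign software."""
    return [f for f in findings if len(f.reasons) >= 2]

if __name__ == '__main__':
    for f in suspicious(parse_loading_points(SAMPLE_LOG)):
        print(f'{f.key}\\{f.name}: {f.path} [{", ".join(f.reasons)}]')
```

Run against the full log, the same parser also covers the firewall AuthorizedApplications list, whose values have an empty command line and simply produce no reasons.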

jeffce
2011-10-22, 20:00
Hi lt1bird,


You have an older version of Adobe Reader. You can download the current version HERE (http://www.adobe.com/products/acrobat/readstep2.html)

You may want to consider Foxit Reader (http://www.foxitsoftware.com/downloads/index.php) instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum (http://www.foxitsoftware.com/bbs/forumdisplay.php?f=3)

In either case you should uninstall Adobe Reader 9 first. Be sure to move any PDF documents to another folder first though.
----------

Please download JavaRa (http://raproducts.org/click/click.php?id=1) to your desktop and unzip it to its own folder.
Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
----------

I notice that you are running Windows XP service pack 2. The most recent version is service pack 3. You should press Start > All Programs > Windows Update to download all necessary updates.

Let me know if you have any problems with any of these steps.
How is your system running now?

lt1bird
2011-10-22, 22:34
Seems to not be redirecting any more....
when I try and update to service pack 3 it does not work
"Windows XP Service Pack 3 (KB936929)" failed
I've tried to update before but for some reason it fails during updates. Wonder if I should update to the newer windows?

jeffce
2011-10-23, 00:36
Hi lt1bird,


Seems to not be redirecting any more....:bigthumb:

Download Windows XP Service Pack 3 from here (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24). Once you get that downloaded go ahead and install it. Let me know how that works for you.

lt1bird
2011-10-23, 18:59
Jeff, the upgrade worked perfect..im up to date here...all is working perfect. Thank you for the great service...Im sending a donation now. :bigthumb:
Cheers
Dan

jeffce
2011-10-23, 20:02
"all is working perfect. Thank you for the great service..."
Glad that your system is running well.


"I'm sending a donation now."
Thank you so much! It is very much appreciated.

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :) SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :)

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)

http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg
----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
Open Internet Explorer
Click on Tools > Internet Options
Press Security tab
Select Internet zone then place check next to Enable Protected Mode if not already done
Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html). **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. Consider a custom hosts file such as MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm). This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002 (http://www.mvps.org/winhelp2002/hosts.htm)
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

7. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

8. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

jeffce
2011-10-26, 03:50
Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.