Another link redirection problem

[mtngal]

Here are the logs made after the actions you requested:

ComboFix 10-06-21.01 - David 06/21/2010 21:07:06.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.450 [GMT -4:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-21 22:47 . 2010-06-21 22:47 -------- d-----w- c:\documents and settings\David\Application Data\Avira
2010-06-21 21:56 . 2010-06-21 21:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-21 21:53 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-21 21:53 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-21 21:53 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-21 21:53 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-21 21:53 . 2010-06-21 21:53 -------- d-----w- c:\program files\Avira
2010-06-21 21:53 . 2010-06-21 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-06-20 18:42 . 2010-06-20 18:44 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Trend Micro
2010-06-20 01:05 . 2010-06-20 01:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-20 01:03 . 2010-06-20 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-19 01:42 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-19 01:41 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-19 01:41 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-19 01:41 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-19 01:41 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-19 01:39 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-19 01:34 . 2010-06-19 01:34 -------- d-----w- c:\program files\Common Files\Java
2010-06-19 01:34 . 2010-06-19 01:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-10 05:08 . 2010-06-10 05:08 70858 ----a-w- C:\GooredFix.exe
2010-06-10 04:34 . 2010-06-10 04:34 -------- d-----w- c:\documents and settings\David\Application Data\GlarySoft
2010-06-10 04:31 . 2010-06-11 23:06 -------- d-----w- c:\program files\Glary Utilities
2010-06-09 06:02 . 2010-06-09 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-09 06:01 . 2006-06-19 16:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-09 06:01 . 2006-05-25 18:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-09 06:01 . 2005-08-26 04:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-09 06:01 . 2003-02-02 23:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-06-09 06:01 . 2002-03-06 04:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-09 06:01 . 2010-06-09 06:01 -------- d-----w- c:\program files\Trojan Remover
2010-06-09 06:01 . 2010-06-09 06:01 -------- d-----w- c:\documents and settings\David\Application Data\Simply Super Software
2010-06-09 06:01 . 2010-06-09 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-06-09 05:46 . 2010-06-09 05:46 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-09 03:36 . 2010-06-09 03:36 -------- d-----w- C:\$AVG
2010-06-09 02:40 . 2010-06-09 02:40 12464 ----a-w- c:\windows\system32\avgrsstx(2).dll
2010-06-09 02:40 . 2010-06-09 02:40 -------- d-----w- c:\windows\system32\drivers\Avg(2)
2010-06-09 02:36 . 2010-06-09 02:36 -------- d-----w- c:\program files\AVG
2010-06-09 02:36 . 2010-06-09 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 21:42 . 2007-02-01 03:59 -------- d-----w- c:\documents and settings\David\Application Data\MailWasherPro
2010-06-20 18:24 . 2007-01-28 14:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-20 18:08 . 2007-02-02 01:54 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-20 01:05 . 2010-06-20 01:05 53632 ----a-w- c:\documents and settings\David\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-20 01:03 . 2010-06-20 01:03 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-19 01:34 . 2010-06-19 01:34 503808 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3646ba34-n\msvcp71.dll
2010-06-19 01:34 . 2010-06-19 01:34 499712 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3646ba34-n\jmc.dll
2010-06-19 01:34 . 2010-06-19 01:34 348160 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3646ba34-n\msvcr71.dll
2010-06-19 01:34 . 2010-06-19 01:34 61440 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5612f6fb-n\decora-sse.dll
2010-06-19 01:34 . 2010-06-19 01:34 12800 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5612f6fb-n\decora-d3d.dll
2010-06-19 01:34 . 2007-02-02 03:43 -------- d-----w- c:\program files\Java
2010-06-19 01:33 . 2010-06-19 01:33 79488 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-19 01:33 . 2010-06-19 01:33 152576 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-06-09 01:37 . 2009-02-21 01:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-22 08:58 . 2010-05-22 08:58 503808 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-234a43c8-n\msvcp71.dll
2010-05-22 08:58 . 2010-05-22 08:58 499712 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-234a43c8-n\jmc.dll
2010-05-22 08:58 . 2010-05-22 08:58 348160 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-234a43c8-n\msvcr71.dll
2010-05-17 04:57 . 2008-04-30 05:00 -------- d-----w- c:\program files\RealFlight
2010-05-14 09:32 . 2007-09-08 00:32 -------- d-----w- c:\program files\Google
2010-05-06 10:41 . 2006-08-23 07:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 02:50 . 2008-04-30 05:00 -------- d-----w- c:\program files\Common Files\KnifeEdge
2010-05-02 05:22 . 2006-08-23 07:21 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2009-02-21 01:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-02-21 01:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2006-09-23 15:51 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-11 01:07 . 2010-04-11 01:07 1956808 ----a-w- c:\documents and settings\David\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2004-11-12 212992]
"SansaDispatch"="c:\documents and settings\David\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-04-03 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-05 16120832]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 19968]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-28 1165192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111V2.exe [2008-12-2 1503306]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\¿¥Ä· ºä¾î\\DhtmlMcamViewer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\mCam100 Client\\McamClient.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Synergy\\synergys.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=

R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [8/23/2006 6:44 PM 97920]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/21/2010 5:53 PM 135336]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/24/2003 1:10 PM 17149]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [10/1/2008 5:45 PM 57440]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [5/6/2007 10:27 PM 33792]
R3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [9/30/2008 4:24 AM 453120]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 3:14 PM 135664]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WN111v2\jswpsapi.exe [2/27/2008 12:54 PM 360547]
.
Contents of the 'Scheduled Tasks' folder

2010-06-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-06-10 14:01]

2010-06-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-13 09:54]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 19:14]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 19:14]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {207F90C3-4C31-41E1-A312-574DD81EE57A} - hxxp://www.mcam.co.kr/McamV4/CDEInstallerAX.cab
DPF: {B959F5AD-247B-4F3F-AEE6-8E9D6A2614E3} - hxxp://www.motionwebcam.com/Mcam100v2ClientAX.cab
DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} - hxxp://207.43.170.208/common/NPRemvu.cab
DPF: {FAA26872-BB40-4AB2-8A6D-A49183581AAA} - hxxp://wb11-demo.surveillixdvrsupport.com/user/TSBnwCam.CAB
DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://66.225.4.50/user/TSBnwCam.CAB
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\tw9is5z0.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\David\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(2).dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(3).dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(4).dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(5).dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 21:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\David\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?=&platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_conten

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1152)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(936)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Synergy\synrgyhk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\acs.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\Synergy\synergys.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-06-21 21:26:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-22 01:26
ComboFix2.txt 2010-06-21 22:31
ComboFix3.txt 2010-06-20 19:16
ComboFix4.txt 2010-06-18 00:06
ComboFix5.txt 2010-06-22 01:05

Pre-Run: 212,791,734,272 bytes free
Post-Run: 212,774,756,352 bytes free

- - End Of File - - 83372682BCBCBE18B004CCE8AEA1706A


------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4223

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/21/2010 9:44:34 PM
mbam-log-2010-06-21 (21-44-34).txt

Scan type: Quick scan
Objects scanned: 131526
Time elapsed: 9 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------

 

[mtngal]

After sending the last logs, the computer was sitting idle for awhile and Avira alerted on a possible virus. I told it to quarantine the file and just wanted to let you know..

 

[km2357]

Both the ComboFix and MalwareBytes' Logs look good. :bigthumb:

Avira quarantined an infected System Restore point. I'll soon show you how to remove those and set a new, clean one.

Finally, I'd like for you to do another Kaspersky scan to see if there is anything leftover we need to take care of. Also, let me know how your computer is doing.

 

[mtngal]

The computer seems to be doing pretty good although I haven't used it very much until I think it is pretty well disinfected.

I noticed Kaspersky showed a few items in the log:

KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, June 22, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, June 22, 2010 19:32:35
Records in database: 4311818
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 134238
Threats found: 7
Infected objects found: 14
Suspicious objects found: 0
Scan duration: 03:51:02


File name / Threat / Threats count
C:\Documents and Settings\David\Application Data\Thunderbird\Profiles\nbwufarn.default\Mail\Local Folders\Inbox Infected: Trojan-Downloader.Win32.Agent.aggp 2
C:\Qoobox\Quarantine\C\Documents and Settings\David\Local Settings\Application Data\739078.exe.vir Infected: Trojan-Ransom.Win32.DigiPog.sv 1
C:\Qoobox\Quarantine\C\Documents and Settings\David\Local Settings\Application Data\739079.exe.vir Infected: Trojan-Downloader.Win32.Mufanom.uuz 1
C:\Qoobox\Quarantine\C\Documents and Settings\David\Local Settings\Application Data\owmhesl\crjodt.exe.vir Infected: Trojan.Win32.VBKrypt.bmr 1
C:\Qoobox\Quarantine\C\Documents and Settings\David\Local Settings\Application Data\yrwcnyfel\jffvgcjtssd.exe.vir Infected: Trojan-Ransom.Win32.DigiPog.sv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\C\WINDOWS\uitocucl.dll.vir Infected: Trojan-Downloader.Win32.Mufanom.uuy 1
C:\System Volume Information\_restore{58F45BC2-9568-4E0C-A251-A571238322B3}\RP502\A0054147.exe Infected: Packed.Win32.Krap.hc 1
C:\System Volume Information\_restore{58F45BC2-9568-4E0C-A251-A571238322B3}\RP505\A0060249.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{58F45BC2-9568-4E0C-A251-A571238322B3}\RP505\A0060291.exe Infected: Trojan.Win32.VBKrypt.bmr 1
C:\System Volume Information\_restore{58F45BC2-9568-4E0C-A251-A571238322B3}\RP515\A0063379.exe Infected: Trojan-Downloader.Win32.Mufanom.uuz 1
C:\System Volume Information\_restore{58F45BC2-9568-4E0C-A251-A571238322B3}\RP515\A0063380.exe Infected: Trojan-Ransom.Win32.DigiPog.sv 1
C:\System Volume Information\_restore{58F45BC2-9568-4E0C-A251-A571238322B3}\RP515\A0063388.dll Infected: Trojan-Downloader.Win32.Mufanom.uuy 1

Selected area has been scanned.

 

[km2357]

Kaspersky found files in the Qoobox folder which is where ComboFix keeps its quarantined files. I'll show you how to remove ComboFix (and those files) in an upcoming post. Kaspersky also found more infected System Restore points. As I said in my previous post, I'll show you how to remove those and set a new, clean one.

Kaspersky also found some more infected e-mail in Thunderbird. If you haven't already, please open up Thunderbird and delete any e-mails you no longer need that are in the Inbox. Also, delete all e-mails that are in the Junk/Spam/Trash/Bulk folder.

Go ahead and use the computer as you normally would for the next few days and if nothing bad happens by Friday, we can do the final steps and close the thread. Let me know how the computer is doing (either bad or good) by Friday. Of course, if something bad happens before then let me know that as well.

 

[km2357]

mtngal? How is your computer doing?

 

[mtngal]

I was going to let you know today that it seems to be running well. I cleaned the bad file out of the inbox so Kaspersky only shows the ones you said are quarantined and are bad restore points. I can post the report from earlier today if you like. Malwarebytes (updated) shows all is well also..

 

[km2357]

No need to post the new Kasperksy Log.

Glad to hear that the computer is running well. If there are no more problems, then you're good to go.


You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK


Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

• Go to Start > All Programs > Accessories > System Tools > System Restore
• Select Create a restore point, and Ok it.
• Next, go to Start > Run and type in cleanmgr
• Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
• Select the More options tab
• Choose the option to clean up system restore and OK it.
• This will remove all restore points except the new one you just created.

.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure This can be done by following these simple instructions:

• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub frames across different domains to Prompt
• When all these settings have been made, click on the OK button.
• If it asks you if you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

Set correct settings for files that should be hidden in Windows XP

• Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
• Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
• If unchecked please checkHide protected operating system files (Recommended)
• If necessary check "Display content of system folders"
• If necessary Uncheck Hide file extensions for known file types.
• Click OK

• Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
• Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
• Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
  Computer Safety on line Anti Malware
• Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
  • Click the start button on the task bar at the bottom of your screen
  • Click run
  • In the dialog box, type services.msc
  • hit enter, then locate dns client
  • Highlight it, then doubleclick it.
  • On the dropdown box, change the setting from automatic to manual.
  • Click ok..
• Use an alternative instant messenger program.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
• Please read Tony Klein's excellent article: How I got Infected in the First Place
• Please read Understanding Spyware, Browser Hijackers, and Dialers
• Please read Simple and easy ways to keep your computer safe and secure on the Internet
• If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
  Opera.
  If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
• Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
• If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.

Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.

 

[mtngal]

Thank you for your time and help. Your last post gives me a lot of information to check out. Hopefully I can avoid this in the future.
Again, thank you very much..

 

[km2357]

You're welcome. I'm glad I was able to help you out.

Good luck and safe surfing!

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.