Redirect help

Post by JasonP » June 1st, 2009, 6:12 pm

When I try and click on a link on any website I am redirected to any number of websites. This all started about 2 days ago. I haven't downloaded anything new to the computer and am not sure where I could have gotten it from. Some other problems that I have, that started the same time as the redirects did, but I'm unsure if they are related, are that whenever I try and open my Yahoo email account on either Firefox or IE, I am given an error message and it closes the internet. Also, before posting here I tried to do a system restore but all the restore points except one were deleted and the one that was available was not working. Again I don't know if the other 2 problems are related to the internet redirecting or not but I would like some help if at all possible.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:30 PM, on 6/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {7C39E7DD-2264-05E2-4566-29C7ED05B3B1} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dlnxwtr.exe
O2 - BHO: C:\WINDOWS\system32\had73sfdfd.dll - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vbPT9] C:\WINDOWS\ijxkxfo.exe
O4 - HKLM\..\Run: [alof] C:\WINDOWS\alof.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\ijxkxfo.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Zftoob.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [seli] C:\WINDOWS\seli.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [inmmeo] C:\DOCUME~1\JASONP~1\LOCALS~1\Temp\app10.tmp
O4 - HKLM\..\Run: [4030] C:\WINDOWS\seli.exe
O4 - HKLM\..\Run: [UniUploader] C:\Program Files\UniUploader\UniUploader.exe
O4 - HKLM\..\Run: [bxthlm] C:\WINDOWS\system32\bgpplo.exe reg_run
O4 - HKLM\..\Run: [MSN Services] C:\RECYCLER\msnservice.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [bovsRRa7T] senpdmoe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [ukuk] C:\PROGRA~1\COMMON~1\ukuk\ukukm.exe
O4 - HKCU\..\Run: [wubin] C:\WINDOWS\system32\bgpplo.exe reg_run
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Jqxwmdf] C:\PROGRA~1\FNTS~1\CRSS~1.EXE
O4 - HKCU\..\Run: [mf3mpa] C:\WINDOWS\system32\mf3mpa.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\JASONP~1\LOCALS~1\Temp\990403832.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Policies\Explorer\Run: [mf3mpa] C:\WINDOWS\system32\mf3mpa.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\puiq1q8is.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\474396818.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nzdflkioezncfiunfindiuchiuenfcdc] C:\WINDOWS\TEMP\puiq1q8is.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\puiq1q8is.exe (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: tnbqs.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Monarch - {46A810B1-EF3C-47D5-B8DD-571BB09F0987} - http://www.monarchcomputer.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.monarchcomputer.com/search/main.php
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Up ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/p ... 02_sp2.cab
O16 - DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - http://www.icannnews.com/app/ST/ax.ocx
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-L ... uncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0012.exe
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b55762.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b55579.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.arcadetown.com/swf/feedingfr ... uncher.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} - http://www.clickteam.com/vitalize4/vitalize.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINDOWS\system32\nodeipproc.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: inicfg32.dll
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\had73sfdfd.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 14800 bytes
JasonP, Active Member (Posts: 9, Joined: June 1st, 2009, 5:57 pm)
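As an added triage example (not from this thread and not part of HijackThis), the Python below applies a few defender-side heuristics to HijackThis lines like those in the log above: it flags an extended UserInit chain, a populated AppInit_DLLs value, a DisableRegedit policy, Run entries launching from temp or recycler folders, and orphaned entries. The sample lines are copied from the posted log; the heuristics and severities are this example's own assumptions, not HijackThis rules.

```python
import re
from collections import Counter

# Constructed sample: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {7C39E7DD-2264-05E2-4566-29C7ED05B3B1} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dlnxwtr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [inmmeo] C:\DOCUME~1\JASONP~1\LOCALS~1\Temp\app10.tmp
O4 - HKLM\..\Run: [MSN Services] C:\RECYCLER\msnservice.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\474396818.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\puiq1q8is.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: inicfg32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Autostart locations that legitimate software almost never launches from
# (heuristic chosen for this example); matched case-insensitively.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\recycler\\", "\\locals~1\\")

# The stock Windows XP UserInit value; anything appended after it runs at every logon.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
POLICY_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<setting>\w+)=(?P<value>\S+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")


def triage_line(line):
    """Return (severity, reason) for one HJT line, or None if nothing stands out."""
    line = line.rstrip()

    m = USERINIT_RE.match(line)
    if m:
        programs = [p.strip().lower() for p in m.group("value").split(",") if p.strip()]
        extra = [p for p in programs if p != EXPECTED_USERINIT]
        if extra:
            return ("high", "UserInit chain runs extra program(s): " + ", ".join(extra))
        return None

    m = APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs are loaded into every process that links user32.dll.
        return ("high", "AppInit_DLLs is set: " + m.group("dlls").strip())

    m = POLICY_RE.match(line)
    if m and m.group("setting") == "DisableRegedit" and m.group("value") == "1":
        return ("medium", "Registry Editor disabled by policy")

    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd").lower()
        for folder in SUSPICIOUS_DIRS:
            if folder in cmd:
                return ("high", f"Run entry [{m.group('name')}] launches from {folder} folder")
        if not m.group("name"):
            return ("medium", "Run entry with an empty value name")
        return None

    # Orphaned entries are usually leftovers, but they record what was installed.
    if line.endswith("(file missing)") or line.endswith("(no file)"):
        return ("low", "Entry points at a file that no longer exists")
    return None


def triage_log(text):
    """Triage every non-blank line; returns a list of (severity, reason, line)."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        result = triage_line(line)
        if result:
            hits.append((result[0], result[1], line))
    return hits


def summarize(hits):
    """Count findings per severity, e.g. {'high': 6, 'medium': 1, 'low': 1}."""
    return dict(Counter(severity for severity, _, _ in hits))


if __name__ == "__main__":
    findings = triage_log(SAMPLE_LOG)
    for severity, reason, line in findings:
        print(f"[{severity:6}] {reason}\n         {line}")
    print(summarize(findings))
```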

Re: Redirect help

Post by MWR 3 day Mod » June 5th, 2009, 12:21 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod, MRU Undergrad (Posts: 2534, Joined: April 4th, 2008, 8:40 am)

Re: Redirect help

Post by jmw3 » June 7th, 2009, 3:12 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after, two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download gmer.zip from Gmer here & save it to your desktop.
  • Right click on gmer.zip, select Extract All... & extract the contents to your desktop
  • Double click the Gmer.exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
jmw3, MRU Emeritus (Posts: 4621, Joined: February 12th, 2008, 2:36 am, Location: Port Hedland, Western Australia)

Re: Redirect help

Post by JasonP » June 7th, 2009, 8:29 pm

Here are the contents of the programs you wanted me to run.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-07 18:26:02
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF36F79AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF36F7958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF36F796C]
Code 85CA6230 ZwEnumerateKey
Code 85CB1608 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF36F79EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF36F7930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF36F7944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF36F79BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF36F7996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF36F7982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF36F7A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF36F7A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF36F79D4]
Code 85CB480E IofCallDriver
Code 85BBFAC6 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service system32\drivers\kungsfxsdydtsp.sys (*** hidden *** ) [SYSTEM] kungsfqefwqvfn <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\SKYNETrprxvvhd.sys (*** hidden *** ) [SYSTEM] SKYNETenwmbjos <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn@imagepath \systemroot\system32\drivers\kungsfxsdydtsp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\main\injector@* kungsfwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\modules@kungsfrk.sys \systemroot\system32\drivers\kungsfxsdydtsp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\modules@kungsfcmd.dll \systemroot\system32\kungsfqlhdvpjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\modules@kungsflog.dat \systemroot\system32\kungsfyfmesjnh.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\modules@kungsfwsp.dll \systemroot\system32\kungsfypstndny.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfqefwqvfn\modules@kungsf.dat \systemroot\system32\kungsfpiocbrdg.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETenwmbjos
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETenwmbjos@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETenwmbjos@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETenwmbjos@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETenwmbjos@imagepath \systemroot\system32\drivers\SKYNETrprxvvhd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETenwmbjos\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETenwmbjos\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETenwmbjos\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETenwmbjos\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETrprxvvhd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETenwmbjos\modules@SKYNETcmd.dll \systemroot\system32\SKYNETgpgpepyy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn@imagepath \systemroot\system32\drivers\kungsfxsdydtsp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\main
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\main\injector@* kungsfwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\modules
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\modules@kungsfrk.sys \systemroot\system32\drivers\kungsfxsdydtsp.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\modules@kungsfcmd.dll \systemroot\system32\kungsfqlhdvpjs.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\modules@kungsflog.dat \systemroot\system32\kungsfyfmesjnh.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\modules@kungsfwsp.dll \systemroot\system32\kungsfypstndny.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kungsfqefwqvfn\modules@kungsf.dat \systemroot\system32\kungsfpiocbrdg.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETenwmbjos
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETenwmbjos@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETenwmbjos@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETenwmbjos@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETenwmbjos@imagepath \systemroot\system32\drivers\SKYNETrprxvvhd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETenwmbjos\main
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETenwmbjos\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETenwmbjos\modules
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETenwmbjos\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETrprxvvhd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETenwmbjos\modules@SKYNETcmd.dll \systemroot\system32\SKYNETgpgpepyy.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\SKYNETrprxvvhd.sys 19968 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


DDS (Ver_09-05-14.01) - NTFSx86
Run by Jason Packer at 17:12:57.40 on Sun 06/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.530 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason Packer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mCustomizeSearch = hxxp://ie.search.msn.com
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe,dlnxwtr.exe
BHO: c:\windows\system32\had73sfdfd.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\had73sfdfd.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {7FD44536-9DF0-4034-939F-5BD4D98E3187} - No File
uRun: [bovsRRa7T] senpdmoe.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DR_S] c:\program files\dr_s\DR_S.exe
uRun: [sfita] c:\windows\sfita.exe
uRun: [ukuk] c:\progra~1\common~1\ukuk\ukukm.exe
uRun: [wubin] c:\windows\system32\bgpplo.exe reg_run
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Jqxwmdf] c:\progra~1\fnts~1\CRSS~1.EXE
uRun: [mf3mpa] c:\windows\system32\mf3mpa.exe
uRun: [irssyncd] c:\windows\system32\irssyncd.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Diagnostic Manager] c:\docume~1\jasonp~1\locals~1\temp\1215120500.exe
uRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [vbPT9] c:\windows\ijxkxfo.exe
mRun: [alof] c:\windows\alof.exe
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [Á³#  L"h'þ9Óœð3rÅWc:\program files\istsvc\istsvc.exe] c:\windows\ijxkxfo.exe
mRun: [version] c:\windows\system32\Zftoob.exe
mRun: [NI.UWFX5LP_0001_0614] "c:\windows\downloaded program files\conflict.2\UWFX5LP_0001_0614NetInstaller.exe"
mRun: [NI.UWFX5LP_0001_0715] "c:\windows\downloaded program files\UWFX5LP_0001_0715NetInstaller.exe"
mRun: [NI.UWFX5LP_0001_0802] "c:\windows\downloaded program files\UWFX5LP_0001_0802NetInstaller.exe"
mRun: [seli] c:\windows\seli.exe
mRun: [Nsv] c:\windows\system32\nsvsvc\nsvsvc.exe
mRun: [NI.UWFX5] "c:\windows\downloaded program files\UWFX5NetInstaller.exe"
mRun: [Dinst] c:\windows\dinst.exe
mRun: [inmmeo] c:\docume~1\jasonp~1\locals~1\temp\app10.tmp
mRun: [4030] c:\windows\seli.exe
mRun: [UniUploader] c:\program files\uniuploader\UniUploader.exe
mRun: [bxthlm] c:\windows\system32\bgpplo.exe reg_run
mRun: [MSN Services] c:\recycler\msnservice.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SaiVolume] c:\program files\saitek\cyborgkeyboard\SaiVolume.exe
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
uExplorerRun: [mf3mpa] c:\windows\system32\mf3mpa.exe
StartupFolder: c:\docume~1\jasonp~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\tnbqs.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: &Search - ?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... wmavax.CAB
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/ms ... b31267.cab
DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} - hxxp://messenger.zone.msn.com/binary/Up ... b31267.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/Me ... b31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/ms ... b56986.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/Mi ... b31267.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... mv9VCM.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/share ... insctl.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - hxxp://downloads.shopathomeselect.com/p ... 02_sp2.cab
DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - hxxp://www.icannnews.com/app/ST/ax.ocx
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://download.shockwave.com/pub/otoy/OTOYAX.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-L ... uncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/Me ... b31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/sh ... rashim.cab
DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - hxxp://www.pacimedia.com/install/pcs_0012.exe
DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} - hxxp://messenger.zone.msn.com/binary/Me ... b55762.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://ecampus.phoenix.edu/secure/PhxStudent15.CAB
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMe ... loader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZI ... b55579.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/share ... cgdmgr.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/Me ... b56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://www.arcadetown.com/swf/feedingfr ... uncher.cab
DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} - hxxp://www.clickteam.com/vitalize4/vitalize.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/Mi ... b56986.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/So ... b31267.cab
Handler: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: inicfg32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\had73sfdfd.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\had73sfdfd.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jasonp~1\applic~1\mozilla\firefox\profiles\x0ul14p7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - plugin: c:\documents and settings\jason packer\application data\mozilla\firefox\profiles\x0ul14p7.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\clickteam\vitalize\v4\NpCnc32.dll

============= SERVICES / DRIVERS ===============

R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [2005-2-16 70528]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-2 64160]
R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [2005-2-16 97920]
R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [2005-2-16 45568]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2005-2-16 190720]
R0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\drivers\viapdsk.sys [2005-2-16 29184]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-1 201320]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-30 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-1 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-1 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-1 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-1 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-1 40488]
R3 SaiK0728;SaiK0728;c:\windows\system32\drivers\SaiK0728.sys [2009-4-26 104960]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-1 33832]
S3 XDva143;XDva143;\??\c:\windows\system32\xdva143.sys --> c:\windows\system32\XDva143.sys [?]

=============== Created Last 30 ================

2009-06-05 06:27 40,960 a--sh--- c:\documents and settings\jason packer\protect.dll
2009-06-02 15:43 21,711 a------- c:\windows\system32\AAWService_2009_06_02_15_43_31.dmp
2009-06-02 14:30 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-02 14:26 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-02 14:21 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-01 15:52 <DIR> --d----- c:\program files\Trend Micro
2009-06-01 09:12 40,960 a--sh--- c:\windows\system32\autochk.dll
2009-05-28 05:29 20,992 a------- c:\windows\system32\kungsfypstndny.dll
2009-05-28 05:29 512,143 a------- c:\windows\system32\kungsfyfmesjnh.dat
2009-05-28 05:29 20,992 a------- c:\windows\system32\kungsfqlhdvpjs.dll
2009-05-12 04:12 <DIR> --d----- c:\docume~1\jasonp~1\applic~1\NASA
2009-05-12 04:06 <DIR> --d----- c:\program files\NASA

==================== Find3M ====================

2009-04-26 13:56 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_SaiK0728_01005.Wdf
2009-04-26 13:56 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-16 10:34 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-13 01:57 22,276 a---h--- c:\windows\system32\mlfcache.dat
2009-03-03 04:23 20,328 ac------ c:\docume~1\jasonp~1\applic~1\GDIPFONTCACHEV1.DAT
2007-09-21 11:15 6,093 ac------ c:\program files\install.log
2007-03-09 13:57 0 a------- c:\documents and settings\jason packer\UniUploader.exe
2007-01-23 18:01 91,348,699 ac------ c:\program files\si_tribes2_update_21570-24834_25034.exe
2007-01-20 06:43 645,670 ac------ c:\program files\uTorrent-1.6-install.exe
2007-01-17 14:30 415,784 a------- c:\program files\msgr8us.exe
2007-01-14 14:41 5,643,480 ac------ c:\program files\AA28FullInstaller_Generic.exe.part
2006-10-24 07:38 2,599,088 ac------ c:\program files\Shockwave_Installer_Slim.exe
2006-09-21 13:25 96,241 ac--h--- c:\docume~1\jasonp~1\applic~1\ptads.bin
2006-08-06 10:26 1,034,681 ac------ c:\program files\wrar36b8.exe
2006-07-20 17:04 24,265,736 ac------ c:\program files\dotnetfx.exe
2006-07-09 07:15 0 ac------ c:\docume~1\jasonp~1\applic~1\internaldb41.dat
2006-07-01 13:43 2,855,080 ac------ c:\program files\aawsepersonal.exe
2005-08-27 02:35 46 ac------ c:\documents and settings\jason packer\TJ.DAT
2009-06-07 17:13 40,960 a--sh--- c:\windows\system32\autochk.dll

============= FINISH: 17:13:55.46 ===============



JasonP
Active Member
Posts: 9
Joined: June 1st, 2009, 5:57 pm

Re: Redirect help

Unread postby jmw3 » June 7th, 2009, 11:19 pm

Hello JasonP
You posted the DDS log twice. I need to see the Attach.txt log as well. Could you post the contents of that, please? If you did not save the logs, then you will need to run DDS.scr again in order to get the log.
Thanks
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Redirect help

Unread postby JasonP » June 8th, 2009, 1:22 am

Sorry about that, here is the attach.txt log.



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/1/2005 9:27:04 PM
System Uptime: 6/6/2009 5:34:40 PM (24 hours ago)

Motherboard: ASUSTeK Computer Inc. | | P4P800-E
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3192/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 33.396 GiB free.
D: is FIXED (NTFS) - 112 GiB total, 87.326 GiB free.
E: is CDROM (CDFS)
Z: is NetworkDisk (NTFS) - 75 GiB total, 36.817 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1417: 5/28/2009 5:29:08 AM - System Checkpoint
RP1418: 5/28/2009 5:29:08 AM - System Checkpoint
RP1419: 5/28/2009 5:29:08 AM - System Checkpoint
RP1420: 5/28/2009 5:29:09 AM - System Checkpoint
RP1421: 5/28/2009 5:29:09 AM - System Checkpoint
RP1422: 5/28/2009 5:29:09 AM - System Checkpoint
RP1423: 5/28/2009 5:29:09 AM - System Checkpoint
RP1424: 5/28/2009 5:29:10 AM - System Checkpoint
RP1425: 5/28/2009 5:29:10 AM - System Checkpoint
RP1426: 5/28/2009 5:29:10 AM - Shockwave Player
RP1427: 5/28/2009 5:29:10 AM - System Checkpoint
RP1428: 5/28/2009 5:29:11 AM - System Checkpoint
RP1429: 5/28/2009 5:29:11 AM - Software Distribution Service 3.0
RP1430: 5/28/2009 5:29:11 AM - System Checkpoint
RP1431: 5/28/2009 5:29:11 AM - System Checkpoint
RP1432: 5/28/2009 5:29:11 AM - System Checkpoint
RP1433: 5/28/2009 5:29:12 AM - Software Distribution Service 3.0
RP1434: 5/28/2009 5:29:12 AM - Software Distribution Service 3.0
RP1435: 5/28/2009 5:29:12 AM - System Checkpoint
RP1436: 5/28/2009 5:29:13 AM - System Checkpoint
RP1437: 5/28/2009 5:29:13 AM - System Checkpoint
RP1438: 5/28/2009 5:29:13 AM - System Checkpoint
RP1439: 5/28/2009 5:29:14 AM - System Checkpoint
RP1440: 5/28/2009 5:29:14 AM - System Checkpoint
RP1441: 5/28/2009 5:29:15 AM - System Checkpoint
RP1442: 5/28/2009 5:29:16 AM - System Checkpoint
RP1443: 5/28/2009 5:29:17 AM - System Checkpoint
RP1444: 5/28/2009 5:29:17 AM - System Checkpoint
RP1445: 5/28/2009 5:29:17 AM - System Checkpoint
RP1446: 5/28/2009 5:29:17 AM - System Checkpoint
RP1447: 5/28/2009 5:29:18 AM - System Checkpoint
RP1448: 5/28/2009 5:29:18 AM - System Checkpoint
RP1449: 5/28/2009 5:29:18 AM - System Checkpoint
RP1450: 5/28/2009 5:29:18 AM - System Checkpoint
RP1451: 5/28/2009 5:29:19 AM - System Checkpoint
RP1452: 5/28/2009 5:29:19 AM - System Checkpoint
RP1453: 5/28/2009 5:29:19 AM - System Checkpoint
RP1454: 5/28/2009 5:29:19 AM - System Checkpoint
RP1455: 5/28/2009 5:29:19 AM - System Checkpoint
RP1456: 5/28/2009 5:29:20 AM - System Checkpoint
RP1457: 5/28/2009 5:29:20 AM - System Checkpoint
RP1458: 5/28/2009 5:29:20 AM - System Checkpoint
RP1459: 5/28/2009 5:29:20 AM - System Checkpoint
RP1460: 5/28/2009 5:29:21 AM - System Checkpoint
RP1461: 5/28/2009 5:29:21 AM - System Checkpoint
RP1462: 5/28/2009 5:29:21 AM - System Checkpoint
RP1463: 5/28/2009 5:29:21 AM - System Checkpoint
RP1464: 5/28/2009 5:29:22 AM - System Checkpoint
RP1465: 5/28/2009 5:29:22 AM - Software Distribution Service 3.0
RP1466: 5/28/2009 5:29:22 AM - Software Distribution Service 3.0
RP1467: 5/28/2009 5:29:23 AM - Installed Java(TM) 6 Update 13
RP1468: 5/28/2009 5:29:24 AM - System Checkpoint
RP1469: 5/28/2009 5:29:25 AM - System Checkpoint
RP1470: 5/28/2009 5:29:26 AM - System Checkpoint
RP1471: 5/28/2009 5:29:26 AM - System Checkpoint
RP1472: 5/28/2009 5:29:26 AM - System Checkpoint
RP1473: 5/28/2009 5:29:26 AM - System Checkpoint
RP1474: 5/28/2009 5:29:27 AM - System Checkpoint
RP1475: 5/28/2009 5:29:27 AM - System Checkpoint
RP1476: 5/28/2009 5:29:27 AM - System Checkpoint
RP1477: 5/28/2009 5:29:28 AM - Installed Windows XP Wdf01005.
RP1478: 5/28/2009 5:29:28 AM - Unsigned driver install
RP1479: 5/28/2009 5:29:28 AM - Unsigned driver install
RP1480: 5/28/2009 5:29:28 AM - System Checkpoint
RP1481: 5/28/2009 5:29:28 AM - System Checkpoint
RP1482: 5/28/2009 5:29:29 AM - Software Distribution Service 3.0
RP1483: 5/28/2009 5:29:29 AM - System Checkpoint
RP1484: 5/28/2009 5:29:29 AM - System Checkpoint
RP1485: 5/28/2009 5:29:29 AM - System Checkpoint
RP1486: 5/28/2009 5:29:30 AM - System Checkpoint
RP1487: 5/28/2009 5:29:30 AM - System Checkpoint
RP1488: 5/28/2009 5:29:30 AM - System Checkpoint
RP1489: 5/28/2009 5:29:30 AM - System Checkpoint
RP1490: 5/28/2009 5:29:31 AM - System Checkpoint
RP1491: 5/28/2009 5:29:31 AM - System Checkpoint
RP1492: 5/28/2009 5:29:31 AM - System Checkpoint
RP1493: 5/28/2009 5:29:31 AM - System Checkpoint
RP1494: 5/28/2009 5:29:31 AM - System Checkpoint
RP1495: 5/28/2009 5:29:32 AM - System Checkpoint
RP1496: 5/28/2009 5:29:32 AM - Software Distribution Service 3.0
RP1497: 5/28/2009 5:29:32 AM - Software Distribution Service 3.0
RP1498: 5/28/2009 5:29:32 AM - System Checkpoint
RP1499: 5/28/2009 5:29:32 AM - System Checkpoint
RP1500: 5/28/2009 5:29:33 AM - System Checkpoint
RP1501: 5/28/2009 5:29:33 AM - System Checkpoint
RP1502: 5/28/2009 5:29:34 AM - System Checkpoint
RP1503: 5/28/2009 5:29:35 AM - System Checkpoint
RP1504: 5/28/2009 5:29:36 AM - System Checkpoint
RP1505: 5/28/2009 5:29:36 AM - System Checkpoint
RP1506: 5/28/2009 5:29:36 AM - System Checkpoint
RP1507: 5/28/2009 5:29:36 AM - System Checkpoint
RP1508: 5/28/2009 5:29:37 AM - System Checkpoint
RP1509: 5/28/2009 5:29:37 AM - System Checkpoint
RP1510: 5/28/2009 5:29:37 AM - System Checkpoint
RP1511: 5/28/2009 10:32:13 AM - System Checkpoint
RP1512: 6/2/2009 2:36:28 PM - Software Distribution Service 3.0
RP1513: 6/2/2009 3:42:46 PM - test
RP1514: 6/2/2009 3:45:21 PM - Restore Operation

==== Installed Programs ======================

µTorrent
7-Zip 4.58 beta
Ad-Aware
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
Adobe Shockwave Player 11
Age of Empires III
America's Army
Apple Mobile Device Support
Apple Software Update
Battlefield 1942
Battlefield 2(TM) Demo
Battlefield Heroes
Bonjour
Choice Guard
Circuit Construction Kit (DC and AC)
Creative Modem Blaster PCI Value DI5652-1
Critical Update for Windows Media Player 11 (KB959772)
Diablo II
Disney's Toontown Online
EAX4 Unified Redist
efield
Electric Hockey
Empire Earth II Demo
Far Cry
Far Cry (Patch 1.3)
Far Cry (Patch 1.31)
Far Cry (Patch 1.32)
Forgotten Hope 0.67
GameSpot Download Manager
GhostMouse 2.0
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Icons
InCD
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
LEGO Star Wars Demo Disc
LimeWire 4.8.1
Logitech Gaming Software
Managed DirectX (0901)
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
MobileMe Control Panel
Mozilla Firefox (3.0.10)
MSN
MSN Music Assistant
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Mythic Blades Demo
NASA World Wind 1.4
Nero OEM
NVIDIA Drivers
On the Rain-Slick Precipice of Darkness, Episode One
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Outspark Launcher
Portal
PowerDVD
Project64 1.6
QuickTime
Rakion International
RealPlayer
Rhapsody Player Engine
Rome - Total War(TM) Demo
Safari
Saitek Cyborg Keyboard Volume 6.2.1.3
Saitek SD6 Programming Software 6.2.1.3
Salts & Solubility
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SeeMePlayMe Client
Segoe UI
Skype™ 4.0
SonicStage 3.0
Spybot - Search & Destroy 1.4
Star Wars Republic Commando Demo
Starship Troopers Demo
Steam
TBS WMP Plug-in
Team Fortress 2
TeamSpeak 2 RC2
TmSunriseDemoMag 1.4.5
Unity Web Player
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Ventrilo Client
ViewSonic Monitor Drivers
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Warcraft III: All Products
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
World of Warcraft Public Test
Worms2
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

6/3/2009 12:23:51 AM, error: System Error [1003] - Error code 100000d1, parameter1 e1e36000, parameter2 00000002, parameter3 00000000, parameter4 f37e0e85.
6/2/2009 3:04:37 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Office XP Service Pack 3.
6/1/2009 4:17:23 PM, error: System Error [1003] - Error code 100000d1, parameter1 e1def000, parameter2 00000002, parameter3 00000000, parameter4 f38cfe85.
6/1/2009 3:24:29 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 3:23:08 PM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
6/1/2009 3:21:54 PM, error: Service Control Manager [7000] - The npkcrypt service failed to start due to the following error: The system cannot find the path specified.
6/1/2009 3:21:54 PM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The system cannot find the path specified.
6/1/2009 3:00:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/1/2009 2:57:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/1/2009 2:57:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/1/2009 2:54:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
6/1/2009 2:53:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss SbcpHid Tcpip WS2IFSL
6/1/2009 2:53:06 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2009 2:53:06 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2009 2:53:06 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2009 2:53:06 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2009 2:53:06 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2009 2:53:06 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================
JasonP
Active Member
 
Posts: 9
Joined: June 1st, 2009, 5:57 pm

Re: Redirect help

Unread postby jmw3 » June 8th, 2009, 9:15 am

MRU P2P Policy
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent | LimeWire 4.8.1

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) & any other P2P programs.

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Could you also run Gmer again for me following instructions previously posted.

To post in next reply:
Combofix log
Gmer log
Update on how the computer is running
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Redirect help

Unread postby JasonP » June 9th, 2009, 7:32 am

I have done the combofix and everything seems to be working now. I can log into my email, the home page loads, and the movies and everything else work.

Here is the updated gmer scan and the combofix scan results.



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-09 04:45:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF795787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7957BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF2E8B9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF2E8B958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF2E8B96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF2E8B9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF2E8B930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF2E8B944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF2E8B9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF2E8B996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF2E8B982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF2E8BA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF2E8BA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF2E8B9D4]
Code \??\C:\DOCUME~1\JASONP~1\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----




ComboFix 09-06-08.02 - Jason Packer 06/08/2009 18:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.673 [GMT -6:00]
Running from: c:\documents and settings\Jason Packer\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jason Packer\Application Data\ptads.bin
c:\documents and settings\Jason Packer\Favorites\Online Security Test.url
c:\documents and settings\Jason Packer\Start Menu\Programs\Startup\ChkDisk.lnk
c:\program files\appatc~1
c:\program files\Common Files\fnts~1
c:\program files\Common Files\uninstall information
c:\program files\Common Files\ymante~1
c:\program files\INSTALL.LOG
c:\program files\pedevice
c:\program files\pedevice\communication.xml
c:\program files\pedevice\Domain.Watchlist.txt
c:\program files\pedevice\fixit2.exe
c:\program files\pedevice\pae-options.xml
c:\program files\pedevice\pae_url.xml
c:\program files\pedevice\pedevPS.dll
c:\program files\pedevice\search.watchlist.txt
c:\program files\pedevice\statistic.xml
c:\program files\pedevice\tmp\last_popup_content.html
c:\program files\pedevice\tmp\tmp.html
c:\program files\pedevice\watchlist.xml
c:\program files\racle~1
c:\program files\racle~1\RACLE~1\ctxad-497.0000
c:\program files\racle~1\RACLE~1\ctxad-497.0001
c:\program files\racle~1\RACLE~1\ctxad-497.0002
c:\program files\racle~1\RACLE~1\ctxad-497.0003
c:\program files\racle~1\RACLE~1\ctxad-497.0004
c:\program files\racle~1\RACLE~1\ctxad-497.0005
c:\windows\IE4 Error Log.txt
c:\windows\racle~1
c:\windows\system32\bang-006.ico
c:\windows\system32\crosof~1.net
c:\windows\system32\dobe~1
c:\windows\system32\drivers\SKYNETrprxvvhd.sys
c:\windows\system32\icroso~1.net
c:\windows\system32\kungsfqlhdvpjs.dll
c:\windows\system32\kungsfyfmesjnh.dat
c:\windows\system32\kungsfypstndny.dll
c:\windows\system32\psof1.exe
c:\windows\system32\SKYNETgpgpepyy.dll
c:\windows\system32\uninsticn.exe
c:\windows\system32\wintsvtr.exe
c:\windows\wnsxs~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETenwmbjos
-------\Service_kungsfqefwqvfn
-------\Service_SKYNETenwmbjos


((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-02 20:30 . 2009-06-02 20:25 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-02 20:26 . 2009-06-02 20:25 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-02 20:24 . 2009-06-02 20:24 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-02 20:24 . 2009-06-02 20:24 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-02 20:24 . 2009-06-02 20:24 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-02 20:21 . 2009-06-02 20:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-02 20:21 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-02 20:20 . 2009-06-02 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-01 21:52 . 2009-06-01 21:52 -------- d-----w- c:\program files\Trend Micro
2009-05-24 17:11 . 2009-05-24 17:11 390664 ----a-w- c:\documents and settings\Jason Packer\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-12 10:12 . 2009-05-12 10:12 -------- d-----w- c:\documents and settings\Jason Packer\Application Data\NASA
2009-05-12 10:06 . 2009-05-12 10:06 -------- d-----w- c:\program files\NASA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 00:07 . 2005-05-24 14:16 -------- d-----w- c:\program files\LimeWire
2009-06-09 00:06 . 2007-01-20 12:43 -------- d-----w- c:\program files\uTorrent
2009-06-04 05:44 . 2005-12-07 07:51 -------- d-----w- c:\program files\World of Warcraft
2009-06-02 20:20 . 2006-07-01 19:44 -------- d-----w- c:\program files\Lavasoft
2009-06-01 21:19 . 2005-12-01 05:28 -------- d-----w- c:\documents and settings\Jason Packer\Application Data\Skype
2009-06-01 21:18 . 2009-02-18 07:10 -------- d-----w- c:\documents and settings\Jason Packer\Application Data\skypePM
2009-04-26 19:58 . 2009-04-26 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Saitek
2009-04-26 19:58 . 2009-04-26 19:57 -------- d-----w- c:\program files\Saitek
2009-04-26 19:56 . 2009-04-26 19:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SaiK0728_01005.Wdf
2009-04-26 19:56 . 2009-04-26 19:56 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-16 16:34 . 2009-04-16 16:34 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-16 16:34 . 2005-03-02 13:48 -------- d-----w- c:\program files\Java
2009-04-16 16:33 . 2009-04-16 16:33 152576 ----a-w- c:\documents and settings\Jason Packer\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 21:31 . 2009-05-04 23:09 1099128 ----a-w- c:\documents and settings\Jason Packer\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-04-15 21:31 . 2009-05-04 23:09 729088 ----a-w- c:\documents and settings\Jason Packer\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-04-13 07:57 . 2009-04-13 07:57 22276 ---ha-w- c:\windows\system32\mlfcache.dat
2009-04-09 16:13 . 2009-04-09 16:13 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-19 22:32 . 2009-03-19 22:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 22:32 . 2008-01-29 18:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 18:10 . 2005-03-02 04:27 20912 -c--a-w- c:\documents and settings\Jason Packer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-01-24 00:01 . 2007-01-23 23:57 91348699 -c--a-w- c:\program files\si_tribes2_update_21570-24834_25034.exe
2007-01-20 12:43 . 2007-01-20 12:43 645670 -c--a-w- c:\program files\uTorrent-1.6-install.exe
2007-01-17 20:30 . 2007-01-17 20:31 415784 ----a-w- c:\program files\msgr8us.exe
2007-01-14 20:41 . 2007-01-14 20:21 5643480 -c--a-w- c:\program files\AA28FullInstaller_Generic.exe.part
2006-10-24 13:38 . 2006-08-22 23:41 2599088 -c--a-w- c:\program files\Shockwave_Installer_Slim.exe
2006-08-06 16:26 . 2006-08-06 16:26 1034681 -c--a-w- c:\program files\wrar36b8.exe
2006-07-20 23:04 . 2006-07-20 23:00 24265736 -c--a-w- c:\program files\dotnetfx.exe
2006-07-01 19:43 . 2006-07-01 19:43 2855080 -c--a-w- c:\program files\aawsepersonal.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"wubin"="c:\windows\system32\bgpplo.exe" [2006-10-20 127488]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-16 148888]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
"bxthlm"="c:\windows\system32\bgpplo.exe" [2006-10-20 127488]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-21 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SaiVolume"="c:\program files\Saitek\CyborgKeyboard\SaiVolume.exe" [2008-01-18 126976]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2008-01-18 233472]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2008-01-18 131072]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-02 518488]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2003-06-20 118784]
"PtiuPbmd"="ulutil2.dll" - c:\windows\system32\ulutil2.dll [2004-04-09 110592]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2003-12-18 106496]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-08-30 69632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
tnbqs.exe [2006-10-20 127488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"=
"c:\\Program Files\\America's Army\\System\\Server.exe"=
"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"c:\\Program Files\\Valve\\Steam.exe"=
"c:\\Program Files\\Valve\\steamapps\\rhionos\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Valve\\steamapps\\jpacker\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [2/16/2005 1:12 PM 70528]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/2/2009 2:26 PM 64160]
R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [2/16/2005 1:12 PM 97920]
R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [2/16/2005 1:13 PM 45568]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2/16/2005 1:12 PM 190720]
R0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\drivers\viapdsk.sys [2/16/2005 1:12 PM 29184]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1005904]
R3 SaiK0728;SaiK0728;c:\windows\system32\drivers\SaiK0728.sys [4/26/2009 1:55 PM 104960]
S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys --> c:\windows\system32\XDva143.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:25]

2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-02 19:32]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-02 19:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - c:\windows\system32\had73sfdfd.dll
HKCU-Run-DR_S - c:\program files\DR_S\DR_S.exe
HKCU-Run-sfita - c:\windows\sfita.exe
HKCU-Run-ukuk - c:\progra~1\COMMON~1\ukuk\ukukm.exe
HKCU-Run-Jqxwmdf - c:\progra~1\FNTS~1\CRSS~1.EXE
HKCU-Run-mf3mpa - c:\windows\system32\mf3mpa.exe
HKCU-Run-irssyncd - c:\windows\system32\irssyncd.exe
HKCU-Run-bovsRRa7T - senpdmoe.exe
HKLM-Run-vbPT9 - c:\windows\ijxkxfo.exe
HKLM-Run-alof - c:\windows\alof.exe
HKLM-Run-Á³#  Lh'þ9Óœð3rÅWc:\program files\ISTsvc\istsvc.exe - c:\windows\ijxkxfo.exe
HKLM-Run-version - c:\windows\system32\Zftoob.exe
HKLM-Run-NI.UWFX5LP_0001_0614 - c:\windows\Downloaded Program Files\CONFLICT.2\UWFX5LP_0001_0614NetInstaller.exe
HKLM-Run-NI.UWFX5LP_0001_0715 - c:\windows\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe
HKLM-Run-NI.UWFX5LP_0001_0802 - c:\windows\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe
HKLM-Run-seli - c:\windows\seli.exe
HKLM-Run-Nsv - c:\windows\system32\nsvsvc\nsvsvc.exe
HKLM-Run-NI.UWFX5 - c:\windows\Downloaded Program Files\UWFX5NetInstaller.exe
HKLM-Run-Dinst - c:\windows\dinst.exe
HKLM-Run-4030 - c:\windows\seli.exe
HKLM-Run-UniUploader - c:\program files\UniUploader\UniUploader.exe
HKCU-Explorer_Run-mf3mpa - c:\windows\system32\mf3mpa.exe
SharedTaskScheduler-{C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - c:\windows\system32\had73sfdfd.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} -
DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - hxxp://downloads.shopathomeselect.com/p ... 02_sp2.cab
DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - hxxp://www.icannnews.com/app/ST/ax.ocx
DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - hxxp://www.pacimedia.com/install/pcs_0012.exe
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://ecampus.phoenix.edu/secure/PhxStudent15.CAB
FF - ProfilePath - c:\documents and settings\Jason Packer\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - plugin: c:\documents and settings\Jason Packer\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 18:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Á³#  L\"h'þ9Óœð3rÅWc:\\Program Files\\ISTsvc\\istsvc.exe"="c:\\WINDOWS\\ijxkxfo.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3800)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\incdsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-06-09 18:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-09 00:40

Pre-Run: 36,047,200,256 bytes free
Post-Run: 36,157,349,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

298 --- E O F --- 2009-06-02 21:04
JasonP
Active Member
 
Posts: 9
Joined: June 1st, 2009, 5:57 pm

Re: Redirect help

Post by jmw3 » June 9th, 2009, 11:07 am

Hi
Good to hear the computer is running better, still a bit to do though.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
Driver::
XDva143
Folder::
c:\program files\LimeWire
c:\program files\uTorrent
c:\program files\istsvc
File::
c:\program files\uTorrent-1.6-install.exe
c:\windows\system32\bgpplo.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\tnbqs.exe
c:\windows\system32\XDva143.sys
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bxthlm"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"=-
DDS::
uLocal Page = \blank.htm
mSearch Bar =
IE: &Search - ?p=ZJfox000
Handler: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} -
DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - hxxp://downloads.shopathomeselect.com/p ... 02_sp2.cab
DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - hxxp://www.icannnews.com/app/ST/ax.ocx
DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - hxxp://www.pacimedia.com/install/pcs_0012.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 14.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 14. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Kaspersky Online Scan
Do an online scan with Kaspersky Online Scanner
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
To post in next reply:
Combofix log
Kaspersky Scan log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
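The CFScript above is the complete list of what ComboFix will do on its next run, so it is worth reading it as a list of actions before dragging it onto ComboFix.exe. The following Python parser is an added example, not part of this thread and not ComboFix's own code: it reads the format exactly as posted (Driver::, Folder:: and File:: entries as removals; Registry:: in .reg syntax, where "name"=- deletes a value and "name"=dword:... sets one; DDS:: lines as browser settings to clear) and counts the actions per section. The filename check is prompted by the later ComboFix log line "Command switches used :: ...\CFScript.txt.txt". Any section semantics beyond what the posted script itself shows are assumptions of the example.

```python
"""Parse a ComboFix CFScript into the actions it asks for.

Added example, not from the thread or from ComboFix. Section names and the
Registry:: syntax are those of the script posted above; "name"=- meaning
"delete this value" is the standard .reg convention the section mirrors.
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


@dataclass
class Action:
    section: str    # Driver, Folder, File, Registry or DDS
    target: str     # driver name, path, "key\value" or DDS setting line
    op: str         # remove, delete_value, set_value or remove_setting
    data: str = ""  # new data for set_value, e.g. dword:00000000


def parse_cfscript(text):
    """Return the list of Actions, raising on lines that do not fit the format."""
    actions, section, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                  # e.g. "Registry::"
            section, key = m.group(1), None
            continue
        if section is None:
            raise ValueError(f"line before any section header: {line!r}")
        if section == "Registry":
            km = KEY_RE.match(line)
            if km:                             # [HKEY_...] opens a key block
                key = km.group(1)
                continue
            vm = VALUE_RE.match(line)
            if vm is None or key is None:
                raise ValueError(f"malformed Registry:: line: {line!r}")
            name, data = vm.groups()
            op = "delete_value" if data == "-" else "set_value"
            actions.append(Action("Registry", f"{key}\\{name}", op, "" if data == "-" else data))
        elif section in ("Driver", "Folder", "File"):
            actions.append(Action(section, line, "remove"))
        elif section == "DDS":
            actions.append(Action("DDS", line, "remove_setting"))
        else:
            raise ValueError(f"unknown section {section}::")
    return actions


def summarize(actions):
    """Count actions per (section, op) so a script can be reviewed before use."""
    counts = {}
    for a in actions:
        counts[(a.section, a.op)] = counts.get((a.section, a.op), 0) + 1
    return counts


def check_script_filename(path):
    """Catch the doubled extension the ComboFix log further down records
    ('...\\CFScript.txt.txt'), which Explorer's hidden-extension default masks."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name.endswith(".txt.txt"):
        return "doubled extension: rename to CFScript.txt"
    if not name.endswith(".txt"):
        return "script must be saved as a .txt file"
    return None


# The CFScript from the post above, embedded verbatim as sample input.
SAMPLE_CFSCRIPT = r"""
Driver::
XDva143
Folder::
c:\program files\LimeWire
c:\program files\uTorrent
c:\program files\istsvc
File::
c:\program files\uTorrent-1.6-install.exe
c:\windows\system32\bgpplo.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\tnbqs.exe
c:\windows\system32\XDva143.sys
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bxthlm"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"=-
DDS::
uLocal Page = \blank.htm
mSearch Bar =
IE: &Search - ?p=ZJfox000
Handler: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} -
DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - hxxp://downloads.shopathomeselect.com/p ... 02_sp2.cab
DPF: {64696FB5-BA15-4920-B789-F35D3FC0A36A} - hxxp://www.icannnews.com/app/ST/ax.ocx
DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - hxxp://www.pacimedia.com/install/pcs_0012.exe
"""
```

Running `summarize(parse_cfscript(SAMPLE_CFSCRIPT))` on the posted script gives 1 driver, 3 folders and 4 files to remove, two registry values deleted (the bxthlm Run entry and the 3724/TCP firewall hole) and two set back to 0 (the Security Center notification switches that the adware had flipped), plus 7 DDS browser settings; that is the whole scope of the run, which is what a helper wants to confirm before handing the script over.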

Re: Redirect help

Post by JasonP » June 9th, 2009, 9:23 pm

I'm having trouble with the ComboFix part of your last post. I copied and pasted the part into Notepad and saved it like you said, but when I dragged the document onto ComboFix I got an error message and it got rid of ComboFix, and I can't find it anywhere on my computer. I have tried to download it again from the links but it also gives me an error message saying the source file cannot be read.
JasonP
Active Member
 
Posts: 9
Joined: June 1st, 2009, 5:57 pm

Re: Redirect help

Post by jmw3 » June 9th, 2009, 10:37 pm

Hi
See if this helps:

Remove Combofix
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /u

Download Combofix again from one these locations:
Link 1
Link 2
Link 3

Follow the instructions to create & run the CFScript.txt again. If successful, continue on with the Kaspersky Scan.

Post the contents of both logs in your next reply
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Redirect help

Post by JasonP » June 11th, 2009, 2:40 am

OK that worked. Here is the Scan report and the Combofix log also.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 11, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 10, 2009 23:18:22
Records in database: 2335428
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
Z:\

Scan statistics:
Files scanned: 145716
Threat name: 2
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 03:42:32


File name / Threat name / Threats count
C:\Documents and Settings\Jason Packer\Local Settings\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\Cache(4)\3B3FC180d01 Infected: Trojan-Downloader.JS.Agent.czm 1
C:\Documents and Settings\Jason Packer\Local Settings\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\Cache(4)\A4E0E2F8d01 Infected: Trojan-Downloader.JS.Agent.czm 1
C:\Documents and Settings\Jason Packer\Local Settings\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\Cache(4)\A61309DFd01 Infected: Trojan-Downloader.JS.Agent.czm 1
C:\Documents and Settings\Jason Packer\Local Settings\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\Cache(4)\B01771C6d01 Infected: Trojan-Downloader.JS.Agent.czm 1
C:\Documents and Settings\Jason Packer\Local Settings\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\Cache(4)\B9526B8Fd01 Infected: Trojan-Downloader.JS.Agent.czm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_SKYNETrprxvvhd_.sys.zip Infected: Rootkit.Win32.Agent.llr 1
C:\System Volume Information\_restore{0E86766F-C7A7-4CFC-BE75-F6664B77D3C8}\RP1514\A0298209.sys Infected: Rootkit.Win32.Agent.llr 1

The selected area was scanned.





ComboFix 09-06-09.06 - Jason Packer 06/10/2009 15:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.595 [GMT -6:00]
Running from: c:\documents and settings\Jason Packer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason Packer\Desktop\CFScript.txt.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FILE ::
"c:\documents and settings\All Users\Start Menu\Programs\Startup\tnbqs.exe"
"c:\program files\uTorrent-1.6-install.exe"
"c:\windows\system32\bgpplo.exe"
"c:\windows\system32\XDva143.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\tnbqs.exe
c:\program files\LimeWire
c:\program files\LimeWire\hs_err_pid1284.log
c:\program files\LimeWire\hs_err_pid1852.log
c:\program files\LimeWire\hs_err_pid1856.log
c:\program files\LimeWire\hs_err_pid3136.log
c:\program files\LimeWire\hs_err_pid3140.log
c:\program files\LimeWire\hs_err_pid332.log
c:\program files\LimeWire\hs_err_pid3376.log
c:\program files\LimeWire\hs_err_pid3760.log
c:\program files\LimeWire\hs_err_pid3772.log
c:\program files\LimeWire\hs_err_pid3784.log
c:\program files\LimeWire\hs_err_pid3804.log
c:\program files\LimeWire\hs_err_pid7060.log
c:\program files\LimeWire\hs_err_pid7904.log
c:\program files\LimeWire\hs_err_pid7956.log
c:\program files\LimeWire\hs_err_pid9120.log
c:\program files\uTorrent-1.6-install.exe
c:\program files\uTorrent
c:\program files\uTorrent\Private.torrent
c:\windows\system32\bgpplo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA143
-------\Service_XDva143


((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-10 00:53 . 2009-06-10 00:53 152576 ----a-w- c:\documents and settings\Jason Packer\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-02 20:30 . 2009-06-02 20:25 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-02 20:26 . 2009-06-02 20:25 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-02 20:24 . 2009-06-02 20:24 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-02 20:24 . 2009-06-02 20:24 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-02 20:24 . 2009-06-02 20:24 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-02 20:21 . 2009-06-02 20:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-02 20:21 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-02 20:20 . 2009-06-02 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-01 21:52 . 2009-06-01 21:52 -------- d-----w- c:\program files\Trend Micro
2009-05-24 17:11 . 2009-05-24 17:11 390664 ----a-w- c:\documents and settings\Jason Packer\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-12 10:12 . 2009-05-12 10:12 -------- d-----w- c:\documents and settings\Jason Packer\Application Data\NASA
2009-05-12 10:06 . 2009-05-12 10:06 -------- d-----w- c:\program files\NASA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 21:49 . 2009-04-16 16:34 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-10 21:49 . 2005-03-02 13:48 -------- d-----w- c:\program files\Java
2009-06-04 05:44 . 2005-12-07 07:51 -------- d-----w- c:\program files\World of Warcraft
2009-06-02 20:20 . 2006-07-01 19:44 -------- d-----w- c:\program files\Lavasoft
2009-06-01 21:19 . 2005-12-01 05:28 -------- d-----w- c:\documents and settings\Jason Packer\Application Data\Skype
2009-06-01 21:18 . 2009-02-18 07:10 -------- d-----w- c:\documents and settings\Jason Packer\Application Data\skypePM
2009-04-26 19:58 . 2009-04-26 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Saitek
2009-04-26 19:58 . 2009-04-26 19:57 -------- d-----w- c:\program files\Saitek
2009-04-26 19:56 . 2009-04-26 19:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SaiK0728_01005.Wdf
2009-04-26 19:56 . 2009-04-26 19:56 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-15 21:31 . 2009-05-04 23:09 1099128 ----a-w- c:\documents and settings\Jason Packer\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-04-15 21:31 . 2009-05-04 23:09 729088 ----a-w- c:\documents and settings\Jason Packer\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-04-13 07:57 . 2009-04-13 07:57 22276 ---ha-w- c:\windows\system32\mlfcache.dat
2009-04-09 16:13 . 2009-04-09 16:13 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-19 22:32 . 2009-03-19 22:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 22:32 . 2008-01-29 18:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 18:10 . 2005-03-02 04:27 20912 -c--a-w- c:\documents and settings\Jason Packer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-01-24 00:01 . 2007-01-23 23:57 91348699 -c--a-w- c:\program files\si_tribes2_update_21570-24834_25034.exe
2007-01-17 20:30 . 2007-01-17 20:31 415784 ----a-w- c:\program files\msgr8us.exe
2007-01-14 20:41 . 2007-01-14 20:21 5643480 -c--a-w- c:\program files\AA28FullInstaller_Generic.exe.part
2006-10-24 13:38 . 2006-08-22 23:41 2599088 -c--a-w- c:\program files\Shockwave_Installer_Slim.exe
2006-08-06 16:26 . 2006-08-06 16:26 1034681 -c--a-w- c:\program files\wrar36b8.exe
2006-07-20 23:04 . 2006-07-20 23:00 24265736 -c--a-w- c:\program files\dotnetfx.exe
2006-07-01 19:43 . 2006-07-01 19:43 2855080 -c--a-w- c:\program files\aawsepersonal.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-09_00.32.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-10 22:00 . 2009-06-10 22:00 16384 c:\windows\Temp\Perflib_Perfdata_7f4.dat
+ 2005-02-16 18:49 . 2009-06-10 19:46 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-02-16 18:49 . 2009-06-08 23:35 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-02-16 18:49 . 2009-06-10 19:46 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-02-16 18:49 . 2009-06-08 23:35 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-02-16 18:49 . 2009-06-08 23:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-02-16 18:49 . 2009-06-10 19:46 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-10 21:49 . 2009-06-10 21:49 148888 c:\windows\system32\javaws.exe
- 2009-04-16 16:34 . 2009-04-16 16:34 148888 c:\windows\system32\javaws.exe
+ 2009-06-10 21:49 . 2009-06-10 21:49 144792 c:\windows\system32\javaw.exe
- 2009-04-16 16:34 . 2009-04-16 16:34 144792 c:\windows\system32\javaw.exe
+ 2009-06-10 21:49 . 2009-06-10 21:49 144792 c:\windows\system32\java.exe
- 2009-04-16 16:34 . 2009-04-16 16:34 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-21 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SaiVolume"="c:\program files\Saitek\CyborgKeyboard\SaiVolume.exe" [2008-01-18 126976]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2008-01-18 233472]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2008-01-18 131072]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-02 518488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-10 148888]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2003-06-20 118784]
"PtiuPbmd"="ulutil2.dll" - c:\windows\system32\ulutil2.dll [2004-04-09 110592]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2003-12-18 106496]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-08-30 69632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"=
"c:\\Program Files\\America's Army\\System\\Server.exe"=
"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"c:\\Program Files\\Valve\\Steam.exe"=
"c:\\Program Files\\Valve\\steamapps\\rhionos\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Valve\\steamapps\\jpacker\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [2/16/2005 1:12 PM 70528]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/2/2009 2:26 PM 64160]
R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [2/16/2005 1:12 PM 97920]
R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [2/16/2005 1:13 PM 45568]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2/16/2005 1:12 PM 190720]
R0 viapdsk;VIA ATA/ATAPI Host Controller;c:\windows\system32\drivers\viapdsk.sys [2/16/2005 1:12 PM 29184]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1005904]
R3 SaiK0728;SaiK0728;c:\windows\system32\drivers\SaiK0728.sys [4/26/2009 1:55 PM 104960]
.
Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:25]

2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-05-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-02 19:32]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-02 19:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-wubin - c:\windows\system32\bgpplo.exe
HKLM-Run-Á³#  Lh'þ9Óœð3rÅWc:\program files\ISTsvc\istsvc.exe - c:\windows\ijxkxfo.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://ecampus.phoenix.edu/secure/PhxStudent15.CAB
FF - ProfilePath - c:\documents and settings\Jason Packer\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - plugin: c:\documents and settings\Jason Packer\Application Data\Mozilla\Firefox\Profiles\x0ul14p7.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 16:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Á³#  L\"h'þ9Óœð3rÅWc:\\Program Files\\ISTsvc\\istsvc.exe"="c:\\WINDOWS\\ijxkxfo.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1736)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\incdsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-06-10 16:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-10 22:10
ComboFix2.txt 2009-06-09 00:41

Pre-Run: 35,949,895,680 bytes free
Post-Run: 35,969,261,568 bytes free

252 --- E O F --- 2009-06-02 21:04
JasonP
Active Member
 
Posts: 9
Joined: June 1st, 2009, 5:57 pm

Re: Redirect help

Post by jmw3 » June 11th, 2009, 3:24 am

Hi

Clear Firefox's Cache
  • Open Firefox. On the menu bar click on Tools>Options>Advanced
  • Under Offline Storage click Clear Now then OK
Update Adobe Reader
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.1
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed Uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 3 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

Logs look good. How's everything running now?
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Redirect help

Unread postby JasonP » June 11th, 2009, 5:23 am

Everything is still working great. I haven't had any problems with any programs opening or any sites redirecting me to the spam sites like it was. And I cleared the cache and updated Adobe.
JasonP
Active Member
 
Posts: 9
Joined: June 1st, 2009, 5:57 pm

Re: Redirect help

Unread postby jmw3 » June 11th, 2009, 5:53 am

Good stuff :thumbleft:

Clean Up
Now we need to clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
OTC
Download OTC by Old Timer here & save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can delete the following from your desktop:
DDS.scr
Any logs that may have been saved to your desktop

You should also remove HijackThis. You can do this by going to C:\Program Files\Trend Micro\HijackThis
  • Double click HijackThis.exe
  • From the Main menu click Open the Misc Tools section
  • Using the scroll bar, scroll down to Uninstall HijackThis
  • Click Uninstall HijackThis & exit then click Yes at the prompt
You can either keep or delete ATF-Cleaner. It's a handy tool for cleaning out temporary folders.

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can download it here & find a tutorial here.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
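The HOSTS file description in the post above (a fixed format, a fixed name, a fixed location, consulted before DNS) cuts both ways: the same mechanism that lets a blocklist sinkhole bad sites to 127.0.0.1 is what a redirect infection abuses when it points legitimate names at an address the attacker controls. The following Python script is an added example written for this page; it is not a tool from the thread, from BlueTack's Hosts Manager, or from any of the products mentioned. It parses HOSTS syntax (address, one or more names, `#` comments), counts names that are sinkholed to a local address, and flags any entry whose target is not local so it can be reviewed. The sample file contents are constructed; the `.test` hostnames and the 192.0.2.10 address are documentation values, not real indicators.

```python
"""Audit a Windows HOSTS file: count blocklist (sinkhole) entries and flag
entries that send a hostname to a non-local address.

Added example for this page; not code from the thread or from BlueTack.
All sample data below is constructed.
"""
import ipaddress
from collections import namedtuple

HostsEntry = namedtuple("HostsEntry", "line_no address hostnames")

# Addresses a blocklist-style HOSTS file is expected to map bad sites to.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names Windows itself maps to loopback in the default HOSTS file.
DEFAULT_LOCAL_NAMES = {"localhost"}

# Constructed sample: the Windows defaults, two blocklist lines, and one
# line of the kind a redirect infection plants (a vendor update host sent
# to an outside address). Not taken from the thread's logs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1\tads.example-tracker.test   # blocked ad server
0.0.0.0   malware.example-bad.test www.malware.example-bad.test
192.0.2.10      update.example-av.test www.example-av.test
   
# trailing comment line
"""


def parse_hosts(text):
    """Parse HOSTS text into entries.

    Each data line is '<address> <name> [<name> ...]'; '#' starts a comment.
    Blank and comment-only lines are skipped. A line whose first field is not
    a valid IP address is returned with address=None so the caller can treat
    it as malformed rather than silently dropping it.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop inline and whole-line comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            address = None
        entries.append(HostsEntry(line_no, address, tuple(n.lower() for n in names)))
    return entries


def audit_hosts(text):
    """Summarise a HOSTS file: sinkholed names, suspected hijacks, bad lines."""
    blocked, hijacks, malformed = [], [], []
    for entry in parse_hosts(text):
        if entry.address is None or not entry.hostnames:
            malformed.append(entry)
            continue
        if entry.address in SINKHOLE_ADDRESSES:
            # Windows' own localhost lines are not blocklist entries.
            blocked.extend(n for n in entry.hostnames if n not in DEFAULT_LOCAL_NAMES)
        else:
            # A name sent anywhere other than the local machine deserves a
            # look: this is exactly how a HOSTS hijack redirects a browser.
            hijacks.append(entry)
    return {"blocked": blocked, "hijacks": hijacks, "malformed": malformed}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} hostname(s) sinkholed to a local address")
    for e in report["hijacks"]:
        names = ", ".join(e.hostnames)
        print(f"line {e.line_no}: {names} -> {e.address}  (non-local target, review)")
    for e in report["malformed"]:
        print(f"line {e.line_no}: could not parse")
```

On a real machine the text would come from `C:\Windows\System32\drivers\etc\hosts` (the path Windows uses, read with the file's own encoding); a large downloaded blocklist will show tens of thousands of sinkholed names and should show no hijack entries at all, so any line in that second list is the one to investigate.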