
Browser re-direct

Post by jkkyler » July 21st, 2010, 6:07 pm

Have contracted a browser re-direct. It had also crippled some of my files with a cyclic redundancy error (I was able to fix the redundancy error) but I cannot locate my browser re-direct.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:02:04 PM, on 7/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\a-squared Free\a2service.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
D:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Canon\MyPrinter\BJMyPrt.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
D:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
D:\Program Files\OpenOffice.org 3\program\soffice.exe
D:\Program Files\OpenOffice.org 3\program\soffice.bin
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
D:\Program Files\Rhapsody\rhaphlpr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\plugin-container.exe
D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - D:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - D:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] "D:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe"
O4 - HKLM\..\Run: [ANIWZCSService] "D:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CanonSolutionMenu] "D:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" /logon
O4 - HKLM\..\Run: [CanonMyPrinter] "D:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
O4 - HKLM\..\Run: [WinPatrol] "D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O4 - HKLM\..\Run: [WD Anywhere Backup] "D:\Program Files\WD\WD Anywhere Backup\MemeoLauncher2.exe" --silent
O4 - HKLM\..\Run: [UpdReg] "D:\WINDOWS\Updreg.exe"
O4 - HKLM\..\Run: [CTStartup] "D:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [TaskTray] "D:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe"
O4 - HKCU\..\Run: [Taskbar] "D:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe"
O4 - HKCU\..\Run: [ctfmon.exe] "D:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [WMPNSCFG] "D:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - Startup: OpenOffice.org 3.1.lnk = D:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5988380234
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: McAfee Application Installer Cleanup (0247471256399842) (0247471256399842mcinstcleanup) - Unknown owner - D:\DOCUME~1\JAMES~1.JAM\LOCALS~1\Temp\024747~1.EXE (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - D:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MemeoBackgroundService - Memeo - D:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - D:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - D:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 9503 bytes
jkkyler
Active Member
 
Posts: 9
Joined: June 24th, 2010, 7:04 pm

Re: Browser re-direct

Post by MWR 3 day Mod » July 25th, 2010, 1:19 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Browser re-direct

Post by melboy » July 25th, 2010, 5:08 pm

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  5. Please DO NOT run any other tools or scans whilst I am helping you.
  6. It is important that you reply to this thread. Do not start a new topic.
  7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


================================================


DDS

Please disable any anti-malware program that will block scripts from running before running DDS.

Please download DDS from one of the links below and save it to your desktop:

Link1
Link2
Link3

Disable any script blocker, and then double click dds.scr to run the tool. A command window will appear, this is normal.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please copy & paste the contents of :
  • DDS.txt
  • Attach.txt
And post them in your next reply.



Gmer

Download GMER Rootkit Scanner from here.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If GMER crashes or keeps resulting in BSoDs, uncheck Devices on the right side before scanning.
-- If you continue to encounter problems, try running GMER in safe mode.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Note: Do not run any programs while Gmer is running.




In your next reply:
  1. DDS.txt
  2. Attach.txt
  3. GMER log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Browser re-direct

Post by jkkyler » July 26th, 2010, 7:42 am

Here are the requested logs
jkkyler
Active Member
 
Posts: 9
Joined: June 24th, 2010, 7:04 pm

Re: Browser re-direct

Post by melboy » July 26th, 2010, 12:04 pm

Hi jkkyler

From my welcome speech to you:

7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.

This site is primarily a teaching & training facility for trainees to learn malware removal. The logs need to be posted so that trainees can view the logs for themselves easily and learn the removal techniques from qualified and experienced helpers like myself. Other helpers may also analyze the logs when researching a particular infection, for further information that may help in other cases.

If you need to post the logs in separate posts due to the size, please do so.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Browser re-direct

Post by jkkyler » July 26th, 2010, 12:52 pm

Sorry - I misunderstood / misread; here are the posted logs as requested.
Attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT - (REMARK: THOUGHT THIS MEANT IT WAS TO BE ATTACHED)
DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/19/2009 3:16:25 PM
System Uptime: 7/24/2010 1:54:54 PM (31 hours ago)

Motherboard: ASUSTek Computer INC. | | NAOS
Processor: AMD Sempron(tm) Processor 3400+ | Socket AM2 | 1803/199mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 22.979 GiB free.
D: is FIXED (NTFS) - 104 GiB total, 1.252 GiB free.
E: is CDROM ()
F: is FIXED (FAT32) - 7 GiB total, 0.509 GiB free.
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_2A45103C&REV_A3\3&2411E6FE&0&51
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_2A45103C&REV_A3\3&2411E6FE&0&51
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Other PCI Bridge Device
Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_2A45103C&REV_A3\3&2411E6FE&0&A0
Manufacturer:
Name: Other PCI Bridge Device
PNP Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_2A45103C&REV_A3\3&2411E6FE&0&A0
Service:

==== System Restore Points ===================

RP319: 7/25/2010 3:55:29 AM - System Checkpoint

==== Installed Programs ======================

a-squared Free 4.5
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
AirPlus Xtreme G
ANIO Service
ANIWZCS Service
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AT&T Toolbar
Bonjour
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 2.0
Canon MP620 series MP Drivers
Canon MP620 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
CDDRV_Installer
Cinema Tycoon 2 - Movie Mania (remove only)
Fairy Godmother Tycoon (remove only)
Farm Frenzy 3 (remove only)
FLAC 1.2.1b (remove only)
H&R Block Basic + Efile 2009
H&R Block Ohio 2009
HiJackThis
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Inkjet Printer/Scanner Extended Survey Program
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Jojos Fashion Show World Tour (remove only)
KhalInstallWrapper
Linksys Wireless Manager
Logitech Desktop Messenger
Logitech Registration
Logitech SetPoint
McAfee Security Scan
McAfee Virtual Technician
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mkw Audio Compression Toolkit
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6 Service Pack 2 (KB954459)
Mystery Case Files Return to Ravenhearst (remove only)
NVIDIA Drivers
OpenOffice.org 3.1
Princess Isabella - A Witchs Curse (remove only)
Pure Networks Platform
QuickTime
Realtek AC'97 Audio
RegCure
Rhapsody
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Sound Blaster Audigy
Spy Sweeper Core
Spybot - Search & Destroy
SpywareBlaster 4.3
SUPERAntiSpyware
Total Annihilation: Kingdoms
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.0.5
WD Anywhere Backup
WebFldrs XP
Webroot AntiVirus with Spy Sweeper
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPatrol 2009
WinZip 14.5
Yahoo! Anti-Spy
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

7/25/2010 8:11:01 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
7/25/2010 8:10:55 PM, error: Service Control Manager [7034] - The Inkjet Printer/Scanner Extended Survey Program service terminated unexpectedly. It has done this 1 time(s).
7/24/2010 8:49:52 PM, error: WMPNetworkSvc [14365] - Proximity detection failed due to unknown error '0x80004004'. The best proximity time detected was -1 milliseconds.
7/24/2010 6:19:17 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 10.0.0.7 with the system having network hardware address F8:1E:DF:B9:2F:A9. Network operations on this system may be disrupted as a result.
7/24/2010 2:12:26 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
7/24/2010 2:01:21 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
7/24/2010 2:00:58 PM, error: Dhcp [1002] - The IP address lease 10.0.0.5 for the Network Card with network address 000D88E58C7E has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================


Here is DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by James at 20:13:56.17 on Sun 07/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.993 [GMT -4:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

D:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Program Files\a-squared Free\a2service.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe -k imgsvc
D:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
D:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Canon\MyPrinter\BJMyPrt.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
D:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
D:\Program Files\OpenOffice.org 3\program\soffice.exe
D:\Program Files\OpenOffice.org 3\program\soffice.bin
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Documents and Settings\James.JAMES-DESKTOP\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - d:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - d:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - d:\progra~1\atttoo~1\ATTTOO~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] "d:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [TaskTray] "d:\program files\creative\sbaudigy\taskbar\CTLTray.exe"
uRun: [Taskbar] "d:\program files\creative\sbaudigy\taskbar\CTLTask.exe"
uRun: [ctfmon.exe] "d:\windows\system32\ctfmon.exe"
uRun: [WMPNSCFG] "d:\program files\windows media player\WMPNSCFG.exe"
mRun: [D-Link AirPlus Xtreme G] "d:\program files\d-link\airplus xtreme g\AirPlusCFG.exe"
mRun: [ANIWZCSService] "d:\program files\alpha networks\aniwzcs service\WZCSLDR.exe"
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] "RUNDLL32.EXE" d:\windows\system32\NvCpl.dll,NvStartup
mRun: [CanonSolutionMenu] "d:\program files\canon\solutionmenu\CNSLMAIN.exe" /logon
mRun: [CanonMyPrinter] "d:\program files\canon\myprinter\BJMyPrt.exe" /logon
mRun: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
mRun: [WinPatrol] "d:\program files\billp studios\winpatrol\winpatrol.exe" -expressboot
mRun: [WD Anywhere Backup] "d:\program files\wd\wd anywhere backup\MemeoLauncher2.exe" --silent
mRun: [UpdReg] "d:\windows\Updreg.exe"
mRun: [CTStartup] "d:\program files\creative\sbaudigy\program\CTEaxSpl.EXE" /run
mRun: [Jet Detection] "d:\program files\creative\sbaudigy\program\ADGJDet.exe"
mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Defender] "d:\program files\windows defender\MSASCui.exe" -hide
mRun: [SpySweeper] "d:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: d:\docume~1\james~1.jam\startm~1\programs\startup\openof~1.lnk - d:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: d:\docume~1\alluse~1.win\startm~1\programs\startup\logite~2.lnk - d:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 5988380234
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - d:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - d:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - d:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\james~1.jam\applic~1\mozilla\firefox\profiles\o9fabn40.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://www.msn.co ... fforum.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: d:\documents and settings\james.james-desktop\application data\mozilla\firefox\profiles\o9fabn40.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;d:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R1 mfehidk;McAfee Inc. mfehidk;d:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 a2free;a-squared Free Service;d:\program files\a-squared free\a2service.exe [2010-6-24 1872320]
R2 MemeoBackgroundService;MemeoBackgroundService;d:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2009-4-17 25824]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;d:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WinDefend;Windows Defender;d:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 WRConsumerService;Webroot Client Service;d:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-10-29 1201640]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);d:\windows\system32\drivers\A3AB.sys [2003-10-22 344800]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);d:\windows\system32\drivers\e10kx2k.sys [2001-7-13 1745168]
S2 0247471256399842mcinstcleanup;McAfee Application Installer Cleanup (0247471256399842);d:\docume~1\james~1.jam\locals~1\temp\024747~1.exe d:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> d:\docume~1\james~1.jam\locals~1\temp\024747~1.exe d:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 mferkdk;McAfee Inc. mferkdk;d:\windows\system32\drivers\mferkdk.sys [2009-10-19 34248]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;d:\windows\system32\drivers\WUSB54GCv3.sys [2009-12-28 627072]

=============== Created Last 30 ================

2010-07-17 19:10:11 0 d-----w- d:\program files\Trend Micro
2010-07-08 22:52:07 0 d-----w- d:\docume~1\alluse~1.win\applic~1\RegCure
2010-06-29 03:54:21 0 d-----w- d:\docume~1\alluse~1.win\applic~1\FarmFrenzy3

==================== Find3M ====================

2010-05-18 20:35:16 91424 ----a-w- d:\windows\system32\dnssd.dll
2010-05-18 20:35:16 75040 ----a-w- d:\windows\system32\jdns_sd.dll
2010-05-18 20:35:16 197920 ----a-w- d:\windows\system32\dnssdX.dll
2010-05-18 20:35:16 107808 ----a-w- d:\windows\system32\dns-sd.exe
2010-05-10 22:40:05 411368 ----a-w- d:\windows\system32\deployJava1.dll
2009-10-25 21:25:46 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102520091026\index.dat

============= FINISH: 20:15:42.30 ===============


GMER:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-26 07:39:00
Windows 5.1.2600 Service Pack 3
Running: qssfoi01.exe; Driver: D:\DOCUME~1\JAMES~1.JAM\LOCALS~1\Temp\awlyqaow.sys


---- System - GMER 1.0.15 ----

SSDT 8A712210 ZwAllocateVirtualMemory
SSDT 8A75CA58 ZwCreateKey
SSDT 8A75B168 ZwCreateProcess
SSDT 8A75D120 ZwCreateProcessEx
SSDT 8A758020 ZwCreateThread
SSDT 8A7011E8 ZwDeleteKey
SSDT 8A67A318 ZwDeleteValueKey
SSDT 8A712288 ZwQueueApcThread
SSDT 8A74EA08 ZwReadVirtualMemory
SSDT 8A6D0180 ZwRenameKey
SSDT 8A695FA8 ZwSetContextThread
SSDT 8A74E070 ZwSetInformationKey
SSDT 8A695A70 ZwSetInformationProcess
SSDT 8A757238 ZwSetInformationThread
SSDT 8A75D398 ZwSetValueKey
SSDT 8A6EECB0 ZwSuspendProcess
SSDT 8A695F30 ZwSuspendThread
SSDT 8A67A098 ZwTerminateProcess
SSDT 8A764748 ZwTerminateThread
SSDT 8A712198 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2468 80501CA0 4 Bytes CALL 5ADA8CB6
.text ntkrnlpa.exe!ZwCallbackReturn + 2654 80501E8C 4 Bytes JMP 8A608A74
.text D:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB66E0360, 0x3D46A5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text D:\Program Files\a-squared Free\a2service.exe[144] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00454E05 D:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text D:\WINDOWS\Explorer.EXE[776] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text D:\WINDOWS\Explorer.EXE[776] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text D:\WINDOWS\Explorer.EXE[776] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text D:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text D:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text D:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text D:\WINDOWS\System32\svchost.exe[1324] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text D:\WINDOWS\System32\svchost.exe[1324] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D8000A
.text D:\Program Files\Mozilla Firefox\firefox.exe[3712] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0132000A
.text D:\Program Files\Mozilla Firefox\firefox.exe[3712] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0133000A
.text D:\Program Files\Mozilla Firefox\firefox.exe[3712] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0131000C
.text D:\Program Files\Mozilla Firefox\plugin-container.exe[3864] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 8A374120
Device \Driver\Tcpip \Device\Ip 8A557CC0
Device \Driver\Tcpip \Device\Ip 8A6D9628
Device \Driver\Tcpip \Device\Ip 89492340
Device \Driver\Tcpip \Device\Ip 895E5630
Device \Driver\Tcpip \Device\Ip 8A2C7608
Device \Driver\Tcpip \Device\Tcp 8A374120
Device \Driver\Tcpip \Device\Tcp 8A557CC0
Device \Driver\Tcpip \Device\Tcp 8A6D9628
Device \Driver\Tcpip \Device\Tcp 89492340
Device \Driver\Tcpip \Device\Tcp 895E5630
Device \Driver\Tcpip \Device\Tcp 8A2C7608
Device \Driver\Tcpip \Device\Udp 8A374120
Device \Driver\Tcpip \Device\Udp 8A557CC0
Device \Driver\Tcpip \Device\Udp 8A6D9628
Device \Driver\Tcpip \Device\Udp 89492340
Device \Driver\Tcpip \Device\Udp 895E5630
Device \Driver\Tcpip \Device\Udp 8A2C7608
Device \Driver\Tcpip \Device\RawIp 8A374120
Device \Driver\Tcpip \Device\RawIp 8A557CC0
Device \Driver\Tcpip \Device\RawIp 8A6D9628
Device \Driver\Tcpip \Device\RawIp 89492340
Device \Driver\Tcpip \Device\RawIp 895E5630
Device \Driver\Tcpip \Device\RawIp 8A2C7608
Device \Driver\Tcpip \Device\IPMULTICAST 8A374120
Device \Driver\Tcpip \Device\IPMULTICAST 8A557CC0
Device \Driver\Tcpip \Device\IPMULTICAST 8A6D9628
Device \Driver\Tcpip \Device\IPMULTICAST 89492340
Device \Driver\Tcpip \Device\IPMULTICAST 895E5630
Device \Driver\Tcpip \Device\IPMULTICAST 8A2C7608

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

---- EOF - GMER 1.0.15 ----
jkkyler
Active Member
 
Posts: 9
Joined: June 24th, 2010, 7:04 pm

Re: Browser re-direct

Post by melboy » July 26th, 2010, 2:35 pm

Hi


ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Browser re-direct

Post by jkkyler » July 27th, 2010, 10:43 am

Melboy - I ran ComboFix as directed. The first time it ran it 'hung' (ran for 4+ hours with no visible effect) and couldn't even be killed with the task manager, nor could I turn my machine off with either the start bar or task manager. I rebooted my machine (hard reset), disabled all protection again and ran it again. The second time it completed successfully. I then restarted my machine (to re-enable my anti-malware progs) and two things have happened:

1) My browser redirect appears to be gone - I have tried about 10 or so searches and all seems fine there.

2) Whenever I open a browser, no matter where I am (homepage(s) or trusted verified sites), Webroot SpySweeper internet shield keeps popping up stating that "access to xoxoxox.com has been blocked" (http address varies but is usually porn or search related), which indicates to me that I still have some type of malware running in the background but it is being successfully squashed.

Also, after running ComboFix and rebooting, WinPatrol states "A change is attempting to be made to the following - " and it lists a .dll associated with Iexplorer: "do you wish to allow this change?" I selected NO.

I am at work and unable to post my ComboFix log but will do so as soon as I get home later tonight, but I have a few interim questions for you: Does ComboFix automatically take remedial action? (I assume so since my re-direct seems fixed.) And if so, does that mean I should allow .dll modification when WinPatrol asks me? Once again I thank you for all of your patience and help so far. It is much appreciated and again I will post the full ComboFix log when I am home.
jkkyler
Active Member
 
Posts: 9
Joined: June 24th, 2010, 7:04 pm

Re: Browser re-direct

Post by melboy » July 27th, 2010, 2:45 pm

Hi

Re: WinPatrol. I would need to know the name and path to the .dll to give a judgement. For now, disable WinPatrol and we can re-enable it at a later point. Also temporarily disable Windows Defender as well. Both can interfere with the removal process.


Disable WinPatrol
  • Locate the WinPatrol Image icon in the system tray and right-click it and select Options...
  • In the list near the bottom of the window, uncheck Automatically run WinPatrol when computer starts.
  • Close WinPatrol Window
  • Right-click Image in System Tray and select Exit Program


Disable Windows Defender

From your log I can see that you are running Windows Defender. This might interfere with fixes we are about to do, so we need to disable it. To disable Windows Defender Real-time Protection:

  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • Close Windows Defender


It is quite possible that you have other infections. Post the combofix log and we'll take it from there.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Browser re-direct

Post by jkkyler » July 27th, 2010, 10:40 pm

Here is my ComboFix log file. BTW, before I ran anything you asked me to, I disabled WinPatrol, Webroot/SpySweeper/antivirus services, a-squared, Windows Defender and WinPatrol.

ComboFix 10-07-24.06 - James 07/26/2010 23:54:27.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1499 [GMT -4:00]
Running from: d:\documents and settings\James.JAMES-DESKTOP\My Documents\Downloads\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\jestertb.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-17 19:10 . 2010-07-17 19:10 388096 ----a-r- d:\documents and settings\James.JAMES-DESKTOP\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-17 19:10 . 2010-07-17 19:10 -------- d-----w- d:\program files\Trend Micro
2010-07-08 23:26 . 2010-07-08 23:26 -------- d-----w- d:\program files\Windows Defender
2010-07-08 22:52 . 2010-07-08 23:14 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Application Data\RegCure
2010-07-08 22:52 . 2010-07-08 23:08 -------- d-----w- d:\program files\RegCure
2010-06-30 03:04 . 2010-06-30 03:04 72504 ----a-w- d:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-29 03:54 . 2010-06-29 04:20 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Application Data\FarmFrenzy3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 11:43 . 2009-10-20 00:25 24 ----a-w- d:\windows\system32\DVCStateBkp-{00000003-00000000-0000000A-00001102-00000004-00511102}.dat
2010-07-26 11:43 . 2009-10-20 00:25 24 ----a-w- d:\windows\system32\DVCState-{00000003-00000000-0000000A-00001102-00000004-00511102}.dat
2010-07-18 15:38 . 2010-03-22 22:48 -------- d-----w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\vlc
2010-07-17 21:39 . 2009-08-15 04:14 -------- d-----w- d:\program files\FLAC
2010-07-16 19:43 . 2009-10-19 19:42 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Application Data\CanonIJPLM
2010-07-13 23:40 . 2010-01-31 02:18 1 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-07 02:53 . 2010-06-24 23:15 -------- d-----w- d:\program files\a-squared Free
2010-06-30 04:51 . 2009-09-30 22:13 -------- d-----w- d:\program files\iTunes
2010-06-30 04:50 . 2009-09-30 22:13 -------- d-----w- d:\program files\iPod
2010-06-30 03:20 . 2009-09-30 22:03 -------- d-----w- d:\program files\QuickTime
2010-06-30 03:10 . 2009-08-12 03:17 -------- d-----w- d:\program files\Bonjour
2010-06-29 03:52 . 2009-10-13 16:42 -------- d-----w- d:\program files\Yahoo! Games
2010-06-29 03:45 . 2010-01-03 20:59 -------- d-----w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\Gamelab
2010-06-25 00:24 . 2010-06-21 22:32 63488 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-25 00:24 . 2010-06-21 22:32 117760 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-25 00:18 . 2010-06-24 23:21 -------- d---a-w- d:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-06-25 00:02 . 2010-06-24 23:16 -------- d-----w- d:\program files\SpywareBlaster
2010-06-24 02:30 . 2010-05-08 21:09 -------- d-----w- d:\program files\Google
2010-06-24 01:09 . 2010-06-24 01:09 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Application Data\nView_Profiles
2010-06-21 22:32 . 2010-06-21 22:32 52224 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-21 22:31 . 2010-06-21 22:31 -------- d-----w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\SUPERAntiSpyware.com
2010-06-21 22:31 . 2010-06-21 22:31 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-06-21 22:31 . 2010-06-21 22:31 -------- d-----w- d:\program files\SUPERAntiSpyware
2010-06-12 13:25 . 2009-08-02 17:26 -------- d-----w- d:\program files\Spybot - Search & Destroy
2010-06-07 23:18 . 2010-06-07 23:18 12800 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-27d99584-n\decora-d3d.dll
2010-06-07 23:18 . 2010-06-07 23:18 61440 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-27d99584-n\decora-sse.dll
2010-06-06 13:05 . 2010-05-29 23:17 -------- d-----w- d:\program files\Safari
2010-06-06 13:04 . 2010-05-30 14:41 -------- d-----w- d:\program files\mplayer
2010-05-29 23:44 . 2010-05-29 23:43 -------- d-----w- d:\documents and settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- d:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 75040 ----a-w- d:\windows\system32\jdns_sd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- d:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- d:\windows\system32\dns-sd.exe
2010-05-10 22:44 . 2010-05-10 22:44 503808 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-19c256f3-n\msvcp71.dll
2010-05-10 22:44 . 2010-05-10 22:44 499712 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-19c256f3-n\jmc.dll
2010-05-10 22:44 . 2010-05-10 22:44 348160 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-19c256f3-n\msvcr71.dll
2010-05-10 22:44 . 2010-05-10 22:44 61440 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7aef9d11-n\decora-sse.dll
2010-05-10 22:44 . 2010-05-10 22:44 12800 ----a-w- d:\documents and settings\James.JAMES-DESKTOP\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7aef9d11-n\decora-d3d.dll
2010-05-10 22:40 . 2010-05-10 22:42 411368 ----a-w- d:\windows\system32\deployJava1.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- d:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- d:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TaskTray"="d:\program files\Creative\SBAudigy\Taskbar\CTLTray.exe" [2001-06-29 163840]
"Taskbar"="d:\program files\Creative\SBAudigy\Taskbar\CTLTask.exe" [2001-07-26 118784]
"WMPNSCFG"="d:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus Xtreme G"="d:\program files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 2502656]
"ANIWZCSService"="d:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 32768]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="d:\windows\System32\NvMcTray.dll" [2009-06-10 86016]
"NvCplDaemon"="d:\windows\System32\NvCpl.dll" [2009-06-10 13758464]
"CanonSolutionMenu"="d:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="d:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"WinPatrol"="d:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"WD Anywhere Backup"="d:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2009-04-17 197856]
"UpdReg"="d:\windows\Updreg.exe" [2000-05-11 90112]
"CTStartup"="d:\program files\Creative\SBAudigy\Program\CTEaxSpl.EXE" [2001-06-04 28672]
"Jet Detection"="d:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 28672]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Windows Defender"="d:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SpySweeper"="d:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

d:\documents and settings\James.JAMES-DESKTOP\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - d:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

d:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - d:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-10-19 67128]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

R0 ssfs0bbc;ssfs0bbc;d:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 a2free;a-squared Free Service;d:\program files\a-squared Free\a2service.exe [6/24/2010 7:15 PM 1872320]
R2 MemeoBackgroundService;MemeoBackgroundService;d:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [4/17/2009 1:51 PM 25824]
R2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 WRConsumerService;Webroot Client Service;d:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [10/29/2009 7:49 PM 1201640]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);d:\windows\system32\drivers\e10kx2k.sys [7/13/2001 8:29 AM 1745168]
S2 0247471256399842mcinstcleanup;McAfee Application Installer Cleanup (0247471256399842);d:\docume~1\JAMES~1.JAM\LOCALS~1\Temp\024747~1.EXE d:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> d:\docume~1\JAMES~1.JAM\LOCALS~1\Temp\024747~1.EXE d:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);d:\windows\system32\drivers\A3AB.sys [10/22/2003 3:27 PM 344800]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;d:\windows\system32\drivers\WUSB54GCv3.sys [12/28/2009 8:36 PM 627072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-27 d:\windows\Tasks\MP Scheduled Scan.job
- d:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-07-26 d:\windows\Tasks\RegCure Program Check.job
- d:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-07-25 d:\windows\Tasks\RegCure.job
- d:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-07-25 d:\windows\Tasks\wrSpySweeper_LE8568BBA7F5B492391BEDF15F7EA0DF5.job
- d:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-10-29 20:19]

2010-07-25 d:\windows\Tasks\wrSpySweeper_LE8568BBA7F5B492391BEDF15F7EA0DF5.job
- d:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-10-29 20:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - d:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - d:\documents and settings\James.JAMES-DESKTOP\Application Data\Mozilla\Firefox\Profiles\o9fabn40.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://www.msn.co ... fforum.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: d:\documents and settings\James.JAMES-DESKTOP\Application Data\Mozilla\Firefox\Profiles\o9fabn40.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 00:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
d:\program files\SUPERAntiSpyware\SASWINLO.DLL
d:\windows\system32\WININET.dll
.
Completion time: 2010-07-27 00:20:36
ComboFix-quarantined-files.txt 2010-07-27 04:20

Pre-Run: 1,251,401,728 bytes free
Post-Run: 1,853,415,424 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 2C7CB1C5105E9405CE43542A76A3503D
jkkyler
Active Member
 
Posts: 9
Joined: June 24th, 2010, 7:04 pm
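A triage pass over the service and scheduled-task entries in the ComboFix log above, as an added example: this is not part of the original post and not ComboFix's own code. It parses the `Rx/Sx name;display;command [date size]` service lines and the two-line scheduled-task entries, then flags what a helper usually checks first: a binary launched from a Temp directory, an entry whose file ComboFix could not stat (`[?]`), and a task listed twice. The sample input is copied from the log above; the flagging rules are this example's own heuristics and are pointers to look at, not verdicts on the machine.

```python
"""Triage helper for ComboFix-style service and scheduled-task entries.

Added example, not part of the original forum post or of ComboFix itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
R2 a2free;a-squared Free Service;d:\program files\a-squared Free\a2service.exe [6/24/2010 7:15 PM 1872320]
R2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 0247471256399842mcinstcleanup;McAfee Application Installer Cleanup (0247471256399842);d:\docume~1\JAMES~1.JAM\LOCALS~1\Temp\024747~1.EXE d:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> d:\docume~1\JAMES~1.JAM\LOCALS~1\Temp\024747~1.EXE d:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;d:\windows\system32\drivers\WUSB54GCv3.sys [12/28/2009 8:36 PM 627072]

Contents of the 'Scheduled Tasks' folder

2010-07-21 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-25 d:\windows\Tasks\wrSpySweeper_LE8568BBA7F5B492391BEDF15F7EA0DF5.job
- d:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-10-29 20:19]

2010-07-25 d:\windows\Tasks\wrSpySweeper_LE8568BBA7F5B492391BEDF15F7EA0DF5.job
- d:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-10-29 20:19]
"""

# "R2 name;display;command [meta]" -- meta is "date time size" or "?" when
# ComboFix could not read the file.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.*) \[(?P<meta>[^\]]*)\]$"
)
# Scheduled tasks are two lines: "YYYY-MM-DD path.job" then "- target [meta]".
TASK_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<job>.+\.job)$")
TASK_TARGET_RE = re.compile(r"^- (?P<cmd>.+) \[(?P<meta>[^\]]*)\]$")
# Any "\Temp\" path component, 8.3 short names included (LOCALS~1\Temp\...).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    kind: str      # "service" or "task"
    name: str      # service short name, or the .job path for a task
    command: str   # image path plus arguments as ComboFix printed them
    meta: str      # bracketed date/size text, "?" if unreadable


def parse_entries(text: str) -> list[Entry]:
    """Extract service and scheduled-task entries from ComboFix log text."""
    entries: list[Entry] = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = SERVICE_RE.match(lines[i])
        if m:
            entries.append(Entry("service", m["name"], m["cmd"], m["meta"]))
            i += 1
            continue
        m = TASK_RE.match(lines[i])
        if m and i + 1 < len(lines):
            t = TASK_TARGET_RE.match(lines[i + 1])
            if t:
                entries.append(Entry("task", m["job"], t["cmd"], t["meta"]))
                i += 2
                continue
        i += 1
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for entries worth a closer look."""
    findings: list[tuple[str, str]] = []
    seen: set[tuple[str, str, str]] = set()
    for e in entries:
        key = (e.kind, e.name.lower(), e.command.lower())
        if key in seen:
            findings.append((e.name, "duplicate entry"))
        seen.add(key)
        if TEMP_RE.search(e.command):
            findings.append((e.name, "launched from a Temp directory"))
        if e.meta.strip() == "?":
            findings.append((e.name, "file size/date unreadable ([?]) - file may be missing"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

On the log above this flags the McAfee cleanup service twice (it runs from a Temp folder and its file could not be read) and the second wrSpySweeper task as a duplicate. Those are exactly the items the helper asks about, and the Temp-path rule is the one most worth keeping: a persistent service or task whose image lives under a user's Temp directory is unusual for legitimate software even when, as here, the vendor name looks familiar.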

Re: Browser re-direct

Unread postby melboy » July 28th, 2010, 8:12 am

Hi

jkkyler wrote: BTW, before I ran anything you asked me to, I disabled WinPatrol, Webroot/SpySweeper/antivirus services, a-squared, and Windows Defender and WinPatrol.


OK, keep a2, Windows Defender and WinPatrol disabled for now. Make sure that after running ComboFix you re-enable your Webroot antivirus, and only disable it when I specifically request you to when running ComboFix or other scans. I will tell you which scans these are at the time.

Please give me an update on how things are running along with the MBAM log requested below, also post me the contents of:
D:\Qoobox\ComboFix-quarantined-files.txt


TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.


    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Browser re-direct

Unread postby jkkyler » July 28th, 2010, 8:31 am

As far as I can tell I am 'clean'. Initially, after all my Webroot pop-ups claiming xxx.com had been blocked finished, I cleared my quarantine list and rebooted. Now everything seems fine. My daughter is taking a summer AP course for college credit and was doing research yesterday and said she had no probs. I am able to browse normally w/o any issues so far. I went to a site that I know tries to give me a re-direct and phish my cookies and was alerted properly as in the past. I will certainly take the above actions to be sure and let you know how things are. Hopefully this is it. I do some freelance consulting work in VBA and SQL Server database design and management and consider myself a fairly advanced user. This was the first time I haven't been able to handle an infection by myself with the help of HijackThis and antivirus tools. I plan on applying for acceptance to the malware university as I would like to be able to help others, but I want to make sure that I am clean first. I hope there is a special place in hell for the people who design and distribute malware.
jkkyler
Active Member
 
Posts: 9
Joined: June 24th, 2010, 7:04 pm

Re: Browser re-direct

Unread postby melboy » July 28th, 2010, 2:13 pm

OK, good - Post when ready.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Browser re-direct

Unread postby NonSuch » August 1st, 2010, 6:47 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 27301
Joined: February 23rd, 2005, 7:08 am
Location: California