constant redirects...please HELP!!!

Post by level18barbarian » August 7th, 2010, 4:36 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:31 PM, on 8/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
H:\WINDOWS\ehome\ehtray.exe
H:\Program Files\Creative\ShareDLL\CtNotify.exe
H:\WINDOWS\system32\RunDll32.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\iTunes\iTunesHelper.exe
H:\Documents and Settings\chris manley\Local Settings\Application Data\asam.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Creative\ShareDLL\MediaDet.exe
H:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe
H:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\system32\CTsvcCDA.exe
H:\WINDOWS\eHome\ehRecvr.exe
H:\WINDOWS\eHome\ehSched.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\MsPMSPSv.exe
H:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
H:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
H:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\system32\dllhost.exe
H:\WINDOWS\eHome\ehmsas.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80103
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_custom ... tbid=80103
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ehTray] H:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Disc Detector] H:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] H:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] H:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [upgoqslb] H:\Documents and Settings\chris manley\Local Settings\Application Data\qsduseqvk\fxfqmwotssd.exe
O4 - HKLM\..\Run: [asam] H:\Documents and Settings\chris manley\Local Settings\Application Data\asam.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "H:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [upgoqslb] H:\Documents and Settings\chris manley\Local Settings\Application Data\qsduseqvk\fxfqmwotssd.exe
O4 - HKCU\..\Run: [asam] H:\Documents and Settings\chris manley\Local Settings\Application Data\asam.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] H:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - Startup: Adobe Gamma.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.line6.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{63B4AFA0-5BE8-4914-B790-462D8C3F7915}: NameServer = 93.188.162.12,93.188.161.51
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.12,93.188.161.51
O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - H:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c988b7520d0ef0) (gupdate1c988b7520d0ef0) - Google Inc. - H:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - H:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8251 bytes
level18barbarian
Regular Member
 
Posts: 39
Joined: December 10th, 2008, 8:14 pm

Re: constant redirects...please HELP!!!

Post by askey127 » August 10th, 2010, 9:57 am

Hi level18barbarian,
toolbar.inbox.com is listed by hphosts as a site involved in malware distribution.
I would stay away from it.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80103
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_custom ... tbid=80103
O4 - HKLM\..\Run: [upgoqslb] H:\Documents and Settings\chris manley\Local Settings\Application Data\qsduseqvk\fxfqmwotssd.exe
O4 - HKLM\..\Run: [asam] H:\Documents and Settings\chris manley\Local Settings\Application Data\asam.exe
O15 - Trusted Zone: *.line6.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{63B4AFA0-5BE8-4914-B790-462D8C3F7915}: NameServer = 93.188.162.12,93.188.161.51
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.12,93.188.161.51

Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT(RESTART) Your Machine
-----------------------------------------------------------
Flush DNS Cache
  • Click Start, Run
  • In the box, type the following, and then hit Enter: ipconfig /flushdns
  • A window will flash on and off. This is normal.
----------------------------------------------------------------------------------
Download and Run MalwareBytes' Anti-Malware
Please go here to the Download Location, click on Download.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Choose Desktop as the location to save the installer and click Save again.
  • You should now have a desktop icon named mbam-setup.exe. Double-click it.
  • Let it install the program where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt
  • You can now delete the installer icon, named mbam-setup.exe from your desktop.

Please post the log from Malwarebytes Anti-malware and a fresh HiJackThis log.
askey127
Admin/Teacher
 
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
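
The fix list above is a manual triage of the HijackThis log. As an added example (not code from this thread, from HijackThis or from Malwarebytes), here is a small Python script that parses the HJT line formats shown in the log (R1, O4, O15, O17) and applies the same reasoning: DNS servers that are not the ones the machine should use, search settings pointing at a flagged domain, autoruns launched from a user-profile data directory, and hosts added to IE's Trusted Zone. The sample lines are copied from the posted log; `EXPECTED_DNS` and `FLAGGED_DOMAINS` are assumptions to adapt per machine.

```python
"""Triage a HijackThis log for redirect-infection indicators.

Added example for this thread; not code from the original post and not part
of HijackThis or Malwarebytes. It parses the HJT line formats seen in the
posted log (R1, O4, O15, O17) and applies the reasoning behind the helper's
fix list. EXPECTED_DNS and FLAGGED_DOMAINS are assumptions to adapt per machine.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: the router/ISP resolvers this machine is expected to use.
EXPECTED_DNS = {"192.168.1.1"}
# Assumption: domains treated as unsafe (the helper cited hpHosts for this one).
FLAGGED_DOMAINS = {"toolbar.inbox.com"}
# Profile directories from which legitimate autoruns are rare
# (compared lower-case against the O4 command line).
USER_WRITABLE = ("\\local settings\\application data\\", "\\local settings\\temp\\")

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80103
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [upgoqslb] H:\Documents and Settings\chris manley\Local Settings\Application Data\qsduseqvk\fxfqmwotssd.exe
O4 - HKCU\..\Run: [asam] H:\Documents and Settings\chris manley\Local Settings\Application Data\asam.exe
O4 - Startup: Adobe Gamma.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O15 - Trusted Zone: *.line6.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.12,93.188.161.51
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
"""

# One regex per HJT section the rules look at.
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
LOCAL_PROXY_RE = re.compile(r"(127\.0\.0\.1|localhost):\d+")


@dataclass
class Finding:
    severity: str  # "HIGH" (known-bad pattern) or "REVIEW" (needs a human look)
    section: str   # HJT section code, e.g. "O17"
    line: str      # the log line that triggered the rule
    reason: str


def triage(log_text: str, expected_dns: set, flagged_domains: set) -> list:
    """Return the findings for an HJT log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O17_RE.match(line):
            # Any resolver that is not one of ours is a redirect indicator.
            rogue = [ip.strip() for ip in m["servers"].split(",")
                     if ip.strip() and ip.strip() not in expected_dns]
            if rogue:
                findings.append(Finding("HIGH", "O17", line,
                                        "NameServer not in expected set: " + ", ".join(rogue)))
        elif m := R1_RE.match(line):
            value, data = m["value"].strip(), m["data"].strip()
            if value == "ProxyServer":
                if LOCAL_PROXY_RE.search(data):
                    findings.append(Finding("REVIEW", "R1", line,
                                            "browser traffic routed through a localhost proxy; "
                                            "confirm it belongs to installed software"))
            else:
                host = urlparse(data).hostname or ""
                if host in flagged_domains:
                    findings.append(Finding("HIGH", "R1", line,
                                            f"{value} points at flagged domain {host}"))
        elif m := O4_RE.match(line):
            if any(d in m["cmd"].lower() for d in USER_WRITABLE):
                findings.append(Finding("REVIEW", "O4", line,
                                        f"autorun [{m['name']}] launches from a user-profile data directory"))
        elif m := O15_RE.match(line):
            findings.append(Finding("REVIEW", "O15", line,
                                    f"{m['host']} is in IE's Trusted Zone; remove unless added deliberately"))
    return findings


def triage_sample() -> list:
    """Run the rules over the constructed sample with the assumed settings."""
    return triage(SAMPLE_LOG, EXPECTED_DNS, FLAGGED_DOMAINS)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.severity}] {f.section}: {f.reason}")
        print("    " + f.line)
```

On the sample this reports the same two O4 entries, the Trusted Zone host and the NameServer pair the helper checked for removal, plus the inbox.com search setting; the localhost proxy is only marked for review because a local security product can legitimately own it.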

Re: constant redirects...please HELP!!!

Post by level18barbarian » August 10th, 2010, 5:47 pm

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

8/10/2010 2:36:09 PM
mbam-log-2010-08-10 (14-36-09).txt

Scan type: Quick Scan
Objects scanned: 108471
Time elapsed: 5 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
H:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.
H:\WINDOWS\system32\spool\prtprocs\w32x86\00001815.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:25 PM, on 8/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
H:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
H:\WINDOWS\ehome\ehtray.exe
H:\Program Files\Creative\ShareDLL\CtNotify.exe
H:\WINDOWS\system32\RunDll32.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\iTunes\iTunesHelper.exe
H:\Documents and Settings\chris manley\Local Settings\Application Data\asam.exe
H:\Program Files\Creative\ShareDLL\MediaDet.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\system32\CTsvcCDA.exe
H:\WINDOWS\eHome\ehRecvr.exe
H:\WINDOWS\eHome\ehSched.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\MsPMSPSv.exe
H:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
H:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
H:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
H:\WINDOWS\eHome\ehmsas.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\system32\dllhost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ehTray] H:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Disc Detector] H:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] H:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] H:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "H:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [upgoqslb] H:\Documents and Settings\chris manley\Local Settings\Application Data\qsduseqvk\fxfqmwotssd.exe
O4 - HKLM\..\Run: [asam] H:\Documents and Settings\chris manley\Local Settings\Application Data\asam.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "H:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Adobe Gamma.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - H:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - H:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c988b7520d0ef0) (gupdate1c988b7520d0ef0) - Google Inc. - H:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - H:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7323 bytes
level18barbarian
Regular Member
 
Posts: 39
Joined: December 10th, 2008, 8:14 pm

Re: constant redirects...please HELP!!!

Post by askey127 » August 10th, 2010, 7:13 pm

level18barbarian,
I notice the system is on Drive H:\
What else is on the machine?
I need to know because one of the common recent infection issues involves the Master Boot Record.
-----------------------------------------------
Right click the Avira Antivir umbrella in the System tray, and choose Start Antivir.
When the Control Window comes up, click Start Update.
When the update completes, click Scan System Now.
Let it finish.
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan.
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.

How is the machine behaving?
askey127
Admin/Teacher
 
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: constant redirects...please HELP!!!

Post by level18barbarian » August 12th, 2010, 12:43 pm

My computer has:
C: (hard drive) storage for games, pics, etc.
D:, E:, F:, I: and J: drives are all one multi-card reader, with slots for different memory cards and 1 USB slot.
G: is a DVD player.
H: is my main HD; I had to replace my HD once and loaded Windows onto the new drive, which became H:.

Avira AntiVir Premium
Report file date: Wednesday, August 11, 2010 15:42

Scanning for 2708713 virus strains and unwanted programs.

Licensed to: chris manley
Serial number: 2200105408-PEPWE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: MINE

Version information:
BUILD.DAT : 8.2.0.385 21404 Bytes 10/23/2009 13:36:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/25/2008 12:01:21
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 16:58:52
ANTIVIR0.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 19:04:56
ANTIVIR1.VDF : 7.10.9.170 16733040 Bytes 7/23/2010 15:21:52
ANTIVIR2.VDF : 7.10.10.141 1892256 Bytes 8/10/2010 20:12:10
ANTIVIR3.VDF : 7.10.10.151 73728 Bytes 8/11/2010 00:37:22
Engineversion : 8.2.4.34
AEVDF.DLL : 8.1.2.1 106868 Bytes 7/30/2010 00:54:22
AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 7/30/2010 00:54:22
AESCN.DLL : 8.1.6.1 127347 Bytes 5/13/2010 00:40:36
AESBX.DLL : 8.1.3.1 254324 Bytes 4/23/2010 22:05:28
AERDL.DLL : 8.1.8.2 614772 Bytes 7/20/2010 21:34:48
AEPACK.DLL : 8.2.3.5 471412 Bytes 8/7/2010 01:53:50
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/21/2010 23:44:52
AEHEUR.DLL : 8.1.2.11 2834805 Bytes 8/7/2010 01:53:46
AEHELP.DLL : 8.1.13.2 242039 Bytes 7/20/2010 21:34:44
AEGEN.DLL : 8.1.3.19 393587 Bytes 8/7/2010 01:53:46
AEEMU.DLL : 8.1.2.0 393588 Bytes 4/23/2010 22:05:26
AECORE.DLL : 8.1.16.2 192887 Bytes 7/20/2010 21:34:42
AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 22:05:24
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 18:28:01
AVREP.DLL : 8.0.0.7 159784 Bytes 3/7/2010 12:00:35
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.51 2564353 Bytes 6/12/2008 22:29:30
RCTEXT.DLL : 8.0.51.0 86273 Bytes 6/27/2008 20:00:56

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: H:\Program Files\Avira\AntiVir PersonalEdition Premium\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, H:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, August 11, 2010 15:42

Starting search for hidden objects.
'62290' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avwebgrd.exe' - '1' Module(s) have been scanned
Scan process 'avmailc.exe' - '1' Module(s) have been scanned
Scan process 'avesvc.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'SSScheduler.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'YahooAUService.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehRecvr.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'MEDIADET.EXE' - '1' Module(s) have been scanned
Scan process 'asam.exe' - '1' Module(s) have been scanned
Module is infected -> 'H:\Documents and Settings\chris manley\Local Settings\Application Data\asam.exe'
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CTNOTIFY.EXE' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'asam.exe' has been terminated
H:\Documents and Settings\chris manley\Local Settings\Application Data\asam.exe
[DETECTION] Is the TR/Agent.61184 Trojan
[NOTE] The file was moved to '4cc42817.qua'!

51 processes with 50 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD5
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD6
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'H:\'
[INFO] No virus was found!

Starting to scan the registry.
H:\Documents and Settings\chris manley\Local Settings\Application Data\qsduseqvk\fxfqmwotssd.exe
[DETECTION] Is the TR/Dropper.Gen2 Trojan
[NOTE] The file was moved to '4cc92823.qua'!

The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\' <Dak>
Begin scan in 'H:\'
H:\pagefile.sys
[WARNING] The file could not be opened!
H:\Documents and Settings\chris manley\Desktop\QuickTime_Update_KB673901.exe
[DETECTION] Is the TR/Dldr.Tracur.A.99 Trojan
[NOTE] The file was moved to '4ccc4197.qua'!
H:\Documents and Settings\chris manley\Local Settings\Application Data\syssvc.exe
[DETECTION] Is the TR/Agent.61184 Trojan
[NOTE] The file was moved to '4cd641d4.qua'!
H:\Documents and Settings\chris manley\Local Settings\temp\irNc.exe
[DETECTION] Is the TR/Dropper.Gen2 Trojan
[NOTE] The file was moved to '4cb1423a.qua'!
H:\Qoobox\Quarantine\H\Documents and Settings\chris manley\Application Data\Mozilla\Firefox\Profiles\cfca2ujj.default\extensions\{9ddeb52c-42d8-49d2-a819-4d4e8fcfd0c0}\chrome\xulcache.jar.vir
[0] Archive type: ZIP
--> content/overlay.xul
[DETECTION] Contains recognition pattern of the JS/Gord.E Java script virus
[NOTE] The file was moved to '4ccf497b.qua'!
H:\Qoobox\Quarantine\H\Documents and Settings\chris manley\Application Data\SystemProc\lsass.exe.vir
[DETECTION] Is the TR/Malex.115200F Trojan
[NOTE] The file was moved to '4cc44979.qua'!
H:\Qoobox\Quarantine\H\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul.vir
[DETECTION] Contains recognition pattern of the JS/Agent.1119.A Java script virus
[NOTE] The file was moved to '4cd04970.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\45.tmp.vir
[DETECTION] Is the TR/Dldr.Agent.dhjd Trojan
[NOTE] The file was moved to '4c91493c.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\avifile32.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33285.A root kit
[NOTE] The file was moved to '4ccc497e.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\bdco1ins32.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33138.A root kit
[NOTE] The file was moved to '4cc6496c.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\bitsprx232.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4cd74971.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\camocx32.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4cd04969.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\CmdLineExt32.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33285.A root kit
[NOTE] The file was moved to '4cc74976.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\compatui32.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4cd04978.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\compobj32.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33285.A root kit
[NOTE] The file was moved to '4d5eed59.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\d3d832.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33285.A root kit
[NOTE] The file was moved to '4cc7493d.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\d3dx9_3132.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4d49ed1e.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\dbghelp32.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4cca496c.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\ddeml32.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33285.A root kit
[NOTE] The file was moved to '4cc8496f.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\dgsetup32.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33285.A root kit
[NOTE] The file was moved to '4cd64972.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\dgsetup3232.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4d58ed53.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\dmserver32.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33285.A root kit
[NOTE] The file was moved to '4cd64978.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\dnssd32.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33285.A root kit
[NOTE] The file was moved to '4cd6497a.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\dot3dlg32.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4cd7497b.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\dpcdll32.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33285.A root kit
[NOTE] The file was moved to '4cc6497c.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\dpus1132.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4cd8497d.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\dsdmo32.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4cc74980.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\dskquota32.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4cce4980.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c001A25E.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4cc6496d.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c002B110.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4d48ed4e.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c002BC16.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4cc6496f.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c004BABD.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4d48ed50.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c00559D6.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4cc6496e.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c008717.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4d48ed4f.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c008F982.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4cc64970.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c009B194.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4cc64971.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c009DC76.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4d48ed52.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c00B0F09.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4cc64973.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c00B3094.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4d48ed54.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c00D3F6.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4d48ed51.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\__c00F92D0.dat.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4cc64972.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\___c00A4390_.dat.zip
[0] Archive type: ZIP
--> __c00A4390.dat
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '4cc24970.qua'!
H:\System Volume Information\_restore{B58AE51E-E2CA-4441-A445-7BB88A7F254A}\RP616\A0173932.exe
[DETECTION] Is the TR/Agent.61184 Trojan
[NOTE] The file was moved to '4c944961.qua'!
H:\System Volume Information\_restore{B58AE51E-E2CA-4441-A445-7BB88A7F254A}\RP616\A0173933.exe
[DETECTION] Is the TR/Dropper.Gen2 Trojan
[NOTE] The file was moved to '4d18dd82.qua'!
H:\System Volume Information\_restore{B58AE51E-E2CA-4441-A445-7BB88A7F254A}\RP617\A0173934.exe
[DETECTION] Is the TR/Dldr.Tracur.A.99 Trojan
[NOTE] The file was moved to '4c944962.qua'!
H:\System Volume Information\_restore{B58AE51E-E2CA-4441-A445-7BB88A7F254A}\RP617\A0173935.exe
[DETECTION] Is the TR/Agent.61184 Trojan
[NOTE] The file was moved to '4c944963.qua'!


End of the scan: Wednesday, August 11, 2010 18:16
Used time: 2:33:54 Hour(s)

The scan has been done completely.

20105 Scanning directories
942647 Files were scanned
48 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
47 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
942598 Files not concerned
3024 Archives were scanned
5 Warnings
47 Notes
62290 Objects were scanned with rootkit scan
0 Hidden objects were found
level18barbarian
Regular Member
 
Posts: 39
Joined: December 10th, 2008, 8:14 pm

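The Avira report above is the kind of log a helper has to triage by hand: which hits were still live on the disk, which are only Avira rescanning ComboFix's Qoobox backups or System Restore copies, and which signatures are rootkit-related. As an added example (not code from this thread, the forum, or Avira), here is a small Python parser for that three-line record format (path / [DETECTION] / [NOTE]), run over a constructed sample modelled on the report; the paths and quarantine ids in the sample are made up.

```python
"""Triage an Avira AntiVir scan report of the kind posted above.

Added example, not part of the forum thread or of Avira's tooling.
Each hit is classified by where it was found, because that changes
what the finding means:
  quarantine : under \\Qoobox\\Quarantine (ComboFix backups, .vir files)
  restore    : under System Volume Information\\_restore (restore points)
  live       : anywhere else, i.e. the file was still on the system
"""
import re
from collections import Counter

# Constructed sample, modelled on the log format in the post.
# Paths, GUID and quarantine ids are invented, not the thread's values.
SAMPLE_LOG = r"""
H:\Documents and Settings\user\Local Settings\Application Data\sample1.exe
[DETECTION] Is the TR/Agent.61184 Trojan
[NOTE] The file was moved to '00000001.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\sample32.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/33285.A root kit
[NOTE] The file was moved to '00000002.qua'!
H:\Qoobox\Quarantine\H\WINDOWS\system32\___sample_.dat.zip
[0] Archive type: ZIP
--> __sample.dat
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to '00000003.qua'!
H:\System Volume Information\_restore{GUID}\RP616\A0000001.exe
[DETECTION] Is the TR/Agent.61184 Trojan
[NOTE] The file was moved to '00000004.qua'!
[WARNING] The file could not be opened!
H:\Documents and Settings\user\Desktop\sample2.exe
[DETECTION] Is the TR/Dldr.Tracur.A.99 Trojan
[NOTE] The file was moved to '00000005.qua'!
"""

# "[DETECTION] Is the <signature> <kind>" or
# "[DETECTION] Contains recognition pattern of the <signature> <kind>"
DETECTION_RE = re.compile(
    r"\[DETECTION\] (?:Is the|Contains recognition pattern of the) (\S+) (.*)")


def classify(path):
    """Map a reported path to 'quarantine', 'restore' or 'live'."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low:
        return "quarantine"
    if "\\system volume information\\_restore" in low:
        return "restore"
    return "live"


def parse_avira_log(text):
    """Return one dict per detection: path, signature, kind, location, quarantined."""
    hits = []
    current = None          # path line of the record being read
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("[DETECTION]"):
            m = DETECTION_RE.match(line)
            if m and current:
                hits.append({"path": current, "signature": m.group(1),
                             "kind": m.group(2), "location": classify(current),
                             "quarantined": False})
        elif line.startswith("[NOTE]") and "moved to" in line and hits:
            hits[-1]["quarantined"] = True     # the [NOTE] belongs to the last hit
        elif line.startswith("[") or line.startswith("-->"):
            continue        # [0] archive info, [WARNING], archive member lines
        else:
            current = line  # any other line is a path that opens a new record
    return hits


def summarize(hits):
    """Aggregate the way a helper triages the log: live hits matter most."""
    return {
        "total": len(hits),
        "by_location": dict(Counter(h["location"] for h in hits)),
        "by_signature": dict(Counter(h["signature"] for h in hits)),
        "rootkit_related": sum(1 for h in hits if h["signature"].startswith("RKIT/")),
        "not_quarantined": [h["path"] for h in hits if not h["quarantined"]],
        "live_paths": [h["path"] for h in hits if h["location"] == "live"],
    }


if __name__ == "__main__":
    report = summarize(parse_avira_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the summary reports two live hits, two quarantine rescans and one restore-point copy; on a real report the `live_paths` and `not_quarantined` lists are the entries worth reading first, and `rootkit_related` is the count that argues for a dedicated rootkit scan such as the GMER run requested later in this thread.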
Re: constant redirects...please HELP!!!

Unread postby askey127 » August 12th, 2010, 3:42 pm

level18barbarian,
That's better for sure.
There was quite a bit that was allowed in, at least partly due to the absence of a good antivirus.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.

askey127
Admin/Teacher
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: constant redirects...please HELP!!!

Unread postby level18barbarian » August 12th, 2010, 4:20 pm

My AntiVir has not been updating due to some proxy error junk... I did some looking around and found a solution to that... AntiVir seems fixed. However, in my search for a fix I was being redirected once again.

5Spice Analysis 1.60
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
Athlon 64 Processor Driver
Avira AntiVir Premium
BioShock
Bonjour
Call of Duty(R) - World at War(TM)
Call of Duty(R) - World at War(TM) 1.1 Patch
Collab
Contextual Platform Adsoftinc
DAOC-Charplan
Dark Age of Camelot
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EVGA Display Driver
FL Studio 8
GIMP 2.6.8
Google Chrome
Google Earth
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
IL Download Manager
iTunes
J2SE Runtime Environment 5.0 Update 14
Java(TM) 6 Update 17
Java(TM) 6 Update 7
Line 6 Uninstaller
Live 5.2.2
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.2)
Nero Suite
NVIDIA Drivers
NVIDIA PhysX v8.09.04
PoiZone
Power Tab Editor 1.7
QuickTime
Realtek AC'97 Audio
RON Tool Adsoftinc
SecondLife (remove only)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sound Blaster Extigy
Star Wars Empire at War
Star Wars JK II Jedi Outcast
Star Wars Knights of the Old Republic
Toxic Biohazard
Unreal Tournament
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Variax Workbench (remove only)
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
level18barbarian
Regular Member
 
Posts: 39
Joined: December 10th, 2008, 8:14 pm

Re: constant redirects...please HELP!!!

Unread postby askey127 » August 13th, 2010, 8:13 am

level18barbarian,
You have had a lot of rootkits and/or their related infected files.
It's not clear whether this machine can be cleaned using online methods, without a complete Reformat and Re-Install of Windows.
It is also likely that any private data (account numbers, passwords, PIN numbers, etc.) used or saved on this machine have been compromised.
Take whatever precautions you think advisable (notifying financial institutions, etc).
-----------------------------------------------------------
Gmer

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. UNCHECK the following ...
    • IAT/EAT
    • Show All (don't miss this one)
  • Now Make Sure this box IS CHECKED > Drives/Partitions other than C:\
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Note: Do not run any programs while Gmer is running.
askey127
Admin/Teacher
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: constant redirects...please HELP!!!

Unread postby level18barbarian » August 13th, 2010, 7:38 pm

Hey askey127, I don't really store sensitive stuff on this comp, and if I do have to format it's no big deal... but I hope I don't have to.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-13 16:29:50
Windows 5.1.2600 Service Pack 3
Running: 4y17ioqq.exe; Driver: H:\DOCUME~1\CHRISM~1\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT BAEAFB6C ZwCreateThread
SSDT BAEAFB58 ZwOpenProcess
SSDT BAEAFB5D ZwOpenThread
SSDT BAEAFB67 ZwTerminateProcess
SSDT BAEAFB62 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? xfbdi.sys The system cannot find the file specified. !
.rsrc H:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xBA721780]
.text H:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9661360, 0x32E00D, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort2 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort3 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort4 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort5 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-12 [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1f [BA714B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File H:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
level18barbarian
Regular Member
 
Posts: 39
Joined: December 10th, 2008, 8:14 pm

Re: constant redirects...please HELP!!!

Unread postby askey127 » August 14th, 2010, 6:29 am

level18barbarian,
I am going to have you run a scan with Combofix, and then run Combofix again with a script to get rid of a rootkit variant.
Don't do the second part until you have posted the log from the first scan, or the original log and its information may be overwritten.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE ANTIVIR GUARD - right click the umbrella in the system tray and click once on "Antivir Guard enable"
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then re-enable your protection software.
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.
-------------------------------------------------------------
Only AFTER you have posted the results from the first Combofix log, proceed as follows:
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code:
    TDL::
    H:\WINDOWS\system32\drivers\atapi.sys
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    [Image: CFScript.txt being dragged onto the ComboFix icon]
  • Now drag and drop the CFScript.txt icon onto combofix.exe (xxx.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

So we are looking for the contents of two combofix logs, one after the other.
askey127
Admin/Teacher
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: constant redirects...please HELP!!!

Unread postby level18barbarian » August 15th, 2010, 4:17 am

ComboFix 10-08-14.02 - chris manley 08/15/2010 1:01.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2674 [GMT -7:00]
Running from: h:\documents and settings\chris manley\Desktop\zzz.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of h:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-08-15 06:38 . 2010-08-15 06:38 19024 ----a-w- h:\documents and settings\chris user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-15 06:38 . 2010-08-15 06:39 -------- d-----w- h:\documents and settings\chris user\Application Data\DAoC Portal
2010-08-15 00:23 . 2010-08-15 00:23 -------- d-----w- h:\documents and settings\LocalService\Application Data\McAfee
2010-08-14 00:07 . 2010-08-14 15:39 -------- d-----w- h:\windows\system32\NtmsData
2010-08-14 00:07 . 2010-08-14 00:07 -------- d-----w- h:\documents and settings\chris manley\Application Data\Avira
2010-08-13 23:53 . 2010-08-14 00:03 60936 ----a-w- h:\windows\system32\drivers\avgntflt.sys
2010-08-13 23:53 . 2010-08-14 00:03 124784 ----a-w- h:\windows\system32\drivers\avipbb.sys
2010-08-13 23:53 . 2010-08-13 23:42 22360 ----a-w- h:\windows\system32\drivers\avgntmgr.sys
2010-08-13 23:53 . 2010-08-13 23:42 45416 ----a-w- h:\windows\system32\drivers\avgntdd.sys
2010-08-13 23:53 . 2010-08-13 23:53 -------- d-----w- h:\program files\Avira
2010-08-13 23:40 . 2010-08-13 23:40 27591840 ----a-w- h:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-10 23:07 . 2010-08-10 23:07 -------- d-----w- h:\documents and settings\All Users\Application Data\McAfee
2010-08-07 17:27 . 2010-08-07 17:29 -------- d-----w- h:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 06:35 . 2010-08-15 06:35 -------- d-----w- h:\documents and settings\chris user\Application Data\Creative
2010-08-15 06:11 . 2008-08-24 01:07 -------- d-----w- h:\documents and settings\chris manley\Application Data\DAoC Portal
2010-08-15 00:34 . 2009-01-04 04:12 -------- d-----w- h:\documents and settings\All Users\Application Data\Google Updater
2010-08-13 23:53 . 2008-08-26 00:59 -------- d-----w- h:\documents and settings\All Users\Application Data\Avira
.

((((((((((((((((((((((((((((( SnapShot@2010-03-09_18.00.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 09:19 . 2007-11-07 09:19 54272 h:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 62976 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46080 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46592 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 64512 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66048 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 56832 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66560 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 39936 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 38912 h:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 h:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 h:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-07-12 04:54 . 2009-07-12 04:54 65536 h:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 04:32 . 2009-07-12 04:32 49152 h:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 04:32 . 2009-07-12 04:32 49152 h:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 04:32 . 2009-07-12 04:32 61440 h:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 04:32 . 2009-07-12 04:32 61440 h:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 04:32 . 2009-07-12 04:32 61440 h:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 04:32 . 2009-07-12 04:32 57344 h:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 04:32 . 2009-07-12 04:32 65536 h:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 04:32 . 2009-07-12 04:32 45056 h:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 04:32 . 2009-07-12 04:32 40960 h:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 09:07 . 2009-07-12 09:07 57856 h:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 09:19 . 2009-07-12 09:19 69632 h:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-12 03:41 . 2009-07-12 03:41 97280 h:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2010-04-27 21:20 . 2010-04-27 21:20 16384 h:\windows\Temp\Perflib_Perfdata_5b0.dat
+ 2004-08-10 12:00 . 2010-03-23 23:58 67574 h:\windows\system32\perfc009.dat
- 2004-08-10 12:00 . 2010-02-21 05:37 67574 h:\windows\system32\perfc009.dat
+ 2008-08-24 20:46 . 2010-03-06 21:44 84507 h:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2010-08-13 23:53 . 2010-08-13 23:42 28520 h:\windows\system32\drivers\ssmdrv.sys
+ 2008-12-16 06:25 . 2010-01-08 00:07 38224 h:\windows\system32\drivers\mbamswissarmy.sys
+ 2008-12-16 06:25 . 2010-01-08 00:07 19160 h:\windows\system32\drivers\mbam.sys
+ 2010-04-20 05:57 . 2010-04-20 05:57 49664 h:\windows\Installer\c7a230e.msi
+ 2010-03-18 06:56 . 2010-03-18 06:56 22528 h:\windows\Installer\158c7ce7.msi
+ 2010-04-12 23:06 . 2010-04-12 23:06 25214 h:\windows\Installer\{08C0729E-3E50-11DF-9D81-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-04-12 23:06 . 2010-04-12 23:06 25214 h:\windows\Installer\{08C0729E-3E50-11DF-9D81-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-04-12 23:06 . 2010-04-12 23:06 25214 h:\windows\Installer\{08C0729E-3E50-11DF-9D81-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-04-12 23:06 . 2010-04-12 23:06 25214 h:\windows\Installer\{08C0729E-3E50-11DF-9D81-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-04-12 23:06 . 2010-04-12 23:06 25214 h:\windows\Installer\{08C0729E-3E50-11DF-9D81-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-04-12 23:06 . 2010-04-12 23:06 25214 h:\windows\Installer\{08C0729E-3E50-11DF-9D81-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-04-12 23:06 . 2010-04-12 23:06 25214 h:\windows\Installer\{08C0729E-3E50-11DF-9D81-005056806466}\ARPPRODUCTICON.exe
+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 h:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 h:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 h:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 h:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-07-12 09:12 . 2009-07-12 09:12 632656 h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 09:09 . 2009-07-12 09:09 554832 h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 09:08 . 2009-07-12 09:08 479232 h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2004-08-10 12:00 . 2010-03-23 23:58 433126 h:\windows\system32\perfh009.dat
- 2004-08-10 12:00 . 2010-02-21 05:37 433126 h:\windows\system32\perfh009.dat
+ 2010-01-27 00:58 . 2010-01-27 00:58 256280 h:\windows\system32\Macromed\Flash\FlashUtil10e.exe
+ 2010-03-01 19:59 . 2009-10-11 12:17 149280 h:\windows\system32\javaws.exe
+ 2010-03-01 19:59 . 2009-10-11 12:17 145184 h:\windows\system32\javaw.exe
+ 2010-03-01 19:59 . 2009-10-11 12:17 145184 h:\windows\system32\java.exe
+ 2008-12-12 03:30 . 2009-10-11 12:17 411368 h:\windows\system32\deploytk.dll
+ 2010-04-14 21:41 . 2010-04-14 21:42 262144 h:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2010-08-13 23:43 . 2010-08-13 23:43 228352 h:\windows\Installer\8399c.msi
+ 2010-03-06 21:43 . 2010-03-06 21:43 424960 h:\windows\Installer\63fcd7.msi
+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 h:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 h:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2009-07-12 04:46 . 2009-07-12 04:46 1093120 h:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 04:46 . 2009-07-12 04:46 1105920 h:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
+ 2010-04-12 23:06 . 2010-04-12 23:06 1235968 h:\windows\Installer\89a2872.msi
+ 2010-04-20 05:57 . 2010-04-20 05:57 15710720 h:\windows\Installer\c7a2315.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="h:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-02-17 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="h:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Disc Detector"="h:\program files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 191488]
"AudCtrl"="AudCtrl.dll" [2002-03-21 47897]
"UpdReg"="h:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTStartup"="h:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 77824]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NeroFilterCheck"="h:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="h:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-14 282792]

h:\documents and settings\chris manley\Start Menu\Programs\Startup\
Adobe Gamma.lnk - h:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - h:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\age of empires\\Copy of Age Of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\age of empires\\Copy of Age Of Empires II\\empires2.exe"=
"c:\\Games\\Steam\\SteamApps\\cblip\\condition zero\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Program Files\\LimeWire\\LimeWire.exe"=
"h:\\WINDOWS\\system32\\dpvsetup.exe"=
"h:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"h:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"h:\\Program Files\\LucasArts\\Star Wars JK II Jedi Outcast\\GameData\\jk2mp.exe"=
"h:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\unreal tournament\\System\\UnrealTournament.exe"=
"c:\\Games\\SecondLife\\SLVoice.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Games\\Call of Duty\\CoDMP.exe"=
"h:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 AntiVirMailService;Avira AntiVir MailGuard;h:\program files\Avira\AntiVir Desktop\avmailc.exe [8/13/2010 4:53 PM 337064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;h:\program files\Avira\AntiVir Desktop\sched.exe [8/13/2010 4:53 PM 135336]
R2 AntiVirWebService;Avira AntiVir WebGuard;h:\program files\Avira\AntiVir Desktop\avwebgrd.exe [8/13/2010 4:53 PM 405672]
R3 L6DP;L6DP;h:\windows\system32\drivers\l6dp.sys [9/29/2006 9:05 AM 29312]
R3 sbext;Sound Blaster Extigy Audio Driver;h:\windows\system32\drivers\sbext.sys [8/23/2008 5:29 PM 1152916]
S2 gupdate1c988b7520d0ef0;Google Update Service (gupdate1c988b7520d0ef0);h:\program files\Google\Update\GoogleUpdate.exe [2/6/2009 5:02 PM 133104]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);h:\windows\system32\drivers\GPWADrv.sys [9/29/2006 9:01 AM 472832]
S3 L6PODLV;PODxt Live Service;h:\windows\system32\drivers\L6PODLV.sys [9/29/2006 9:01 AM 472832]
S3 L6TPortB;Service - Line 6 TonePort UX2;h:\windows\system32\drivers\L6TPortB.sys [9/29/2006 9:01 AM 472832]
.
Contents of the 'Scheduled Tasks' folder

2010-08-07 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-15 h:\windows\Tasks\Google Software Updater.job
- h:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-04 21:47]

2010-08-15 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- h:\program files\Google\Update\GoogleUpdate.exe [2009-02-07 00:02]

2010-08-15 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- h:\program files\Google\Update\GoogleUpdate.exe [2009-02-07 00:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
LSP: h:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - h:\documents and settings\chris manley\Application Data\Mozilla\Firefox\Profiles\cfca2ujj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - plugin: h:\documents and settings\chris manley\Application Data\Mozilla\Firefox\Profiles\cfca2ujj.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
FF - plugin: h:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: h:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: h:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
h:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-asam - h:\documents and settings\chris manley\Local Settings\Application Data\asam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-15 01:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = h:\program files\Creative\ShareDLL\CtNotify.exe?X???^???????????????E?@?Disc Detector?A????? ?A?@ ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?? ????B???@?????P?????@?? ??????~?B~??????????@???????????????????B?????? ???????????????????`??????r?B
CTStartup = h:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&3?????\??? ??? ???\???\???????????5?B~e?B~\???\?????????`??????C@?\???\??????s????\??????s\????&3?A??s?&3??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-651377827-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:df,34,bb,6f,1c,09,e6,24,51,7d,32,48,4f,5f,7a,07,ba,2c,08,cb,93,b8,e5,
4f,28,e5,42,47,74,13,b1,c6,ec,c9,24,9c,a8,94,9b,19,09,79,ca,55,0e,15,9c,98,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(732)
h:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(2444)
h:\program files\Avira\AntiVir Desktop\avsda.dll
h:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(392)
h:\program files\Avira\AntiVir Desktop\avsda.dll
h:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-08-15 01:07:40
ComboFix-quarantined-files.txt 2010-08-15 08:07
ComboFix2.txt 2010-03-09 18:04

Pre-Run: 83,741,343,744 bytes free
Post-Run: 83,932,528,640 bytes free

- - End Of File - - B58DA9F99B41111E80C26C5E9F691057
level18barbarian
Regular Member
Posts: 39
Joined: December 10th, 2008, 8:14 pm

Re: constant redirects...please HELP!!!

Post by level18barbarian » August 15th, 2010, 4:25 am

ComboFix 10-08-14.02 - chris manley 08/15/2010 1:19.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2502 [GMT -7:00]
Running from: h:\documents and settings\chris manley\Desktop\zzz.exe
Command switches used :: h:\documents and settings\chris manley\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.

((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-08-15 07:59 . 2010-08-15 08:07 -------- d-----w- H:\zzz
2010-08-15 06:38 . 2010-08-15 06:38 19024 ----a-w- h:\documents and settings\chris user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-15 06:38 . 2010-08-15 06:39 -------- d-----w- h:\documents and settings\chris user\Application Data\DAoC Portal
2010-08-15 00:23 . 2010-08-15 00:23 -------- d-----w- h:\documents and settings\LocalService\Application Data\McAfee
2010-08-14 00:07 . 2010-08-14 15:39 -------- d-----w- h:\windows\system32\NtmsData
2010-08-14 00:07 . 2010-08-14 00:07 -------- d-----w- h:\documents and settings\chris manley\Application Data\Avira
2010-08-13 23:53 . 2010-08-14 00:03 60936 ----a-w- h:\windows\system32\drivers\avgntflt.sys
2010-08-13 23:53 . 2010-08-14 00:03 124784 ----a-w- h:\windows\system32\drivers\avipbb.sys
2010-08-13 23:53 . 2010-08-13 23:42 22360 ----a-w- h:\windows\system32\drivers\avgntmgr.sys
2010-08-13 23:53 . 2010-08-13 23:42 45416 ----a-w- h:\windows\system32\drivers\avgntdd.sys
2010-08-13 23:53 . 2010-08-13 23:53 -------- d-----w- h:\program files\Avira
2010-08-13 23:40 . 2010-08-13 23:40 27591840 ----a-w- h:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-10 23:07 . 2010-08-10 23:07 -------- d-----w- h:\documents and settings\All Users\Application Data\McAfee
2010-08-07 17:27 . 2010-08-07 17:29 -------- d-----w- h:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 06:35 . 2010-08-15 06:35 -------- d-----w- h:\documents and settings\chris user\Application Data\Creative
2010-08-15 06:11 . 2008-08-24 01:07 -------- d-----w- h:\documents and settings\chris manley\Application Data\DAoC Portal
2010-08-15 00:34 . 2009-01-04 04:12 -------- d-----w- h:\documents and settings\All Users\Application Data\Google Updater
2010-08-13 23:53 . 2008-08-26 00:59 -------- d-----w- h:\documents and settings\All Users\Application Data\Avira
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="h:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-02-17 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="h:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Disc Detector"="h:\program files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 191488]
"AudCtrl"="AudCtrl.dll" [2002-03-21 47897]
"UpdReg"="h:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTStartup"="h:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 77824]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NeroFilterCheck"="h:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="h:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-14 282792]

h:\documents and settings\chris manley\Start Menu\Programs\Startup\
Adobe Gamma.lnk - h:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - h:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"h:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\age of empires\\Copy of Age Of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\age of empires\\Copy of Age Of Empires II\\empires2.exe"=
"c:\\Games\\Steam\\SteamApps\\cblip\\condition zero\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Program Files\\LimeWire\\LimeWire.exe"=
"h:\\WINDOWS\\system32\\dpvsetup.exe"=
"h:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"h:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"h:\\Program Files\\LucasArts\\Star Wars JK II Jedi Outcast\\GameData\\jk2mp.exe"=
"h:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\unreal tournament\\System\\UnrealTournament.exe"=
"c:\\Games\\SecondLife\\SLVoice.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Games\\Call of Duty\\CoDMP.exe"=
"h:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 AntiVirMailService;Avira AntiVir MailGuard;h:\program files\Avira\AntiVir Desktop\avmailc.exe [8/13/2010 4:53 PM 337064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;h:\program files\Avira\AntiVir Desktop\sched.exe [8/13/2010 4:53 PM 135336]
R2 AntiVirWebService;Avira AntiVir WebGuard;h:\program files\Avira\AntiVir Desktop\avwebgrd.exe [8/13/2010 4:53 PM 405672]
R3 L6DP;L6DP;h:\windows\system32\drivers\l6dp.sys [9/29/2006 9:05 AM 29312]
R3 sbext;Sound Blaster Extigy Audio Driver;h:\windows\system32\drivers\sbext.sys [8/23/2008 5:29 PM 1152916]
S2 gupdate1c988b7520d0ef0;Google Update Service (gupdate1c988b7520d0ef0);h:\program files\Google\Update\GoogleUpdate.exe [2/6/2009 5:02 PM 133104]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);h:\windows\system32\drivers\GPWADrv.sys [9/29/2006 9:01 AM 472832]
S3 L6PODLV;PODxt Live Service;h:\windows\system32\drivers\L6PODLV.sys [9/29/2006 9:01 AM 472832]
S3 L6TPortB;Service - Line 6 TonePort UX2;h:\windows\system32\drivers\L6TPortB.sys [9/29/2006 9:01 AM 472832]
.
Contents of the 'Scheduled Tasks' folder

2010-08-07 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-15 h:\windows\Tasks\Google Software Updater.job
- h:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-04 21:47]

2010-08-15 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- h:\program files\Google\Update\GoogleUpdate.exe [2009-02-07 00:02]

2010-08-15 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- h:\program files\Google\Update\GoogleUpdate.exe [2009-02-07 00:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
LSP: h:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - h:\documents and settings\chris manley\Application Data\Mozilla\Firefox\Profiles\cfca2ujj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - plugin: h:\documents and settings\chris manley\Application Data\Mozilla\Firefox\Profiles\cfca2ujj.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
FF - plugin: h:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: h:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: h:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
h:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-15 01:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = h:\program files\Creative\ShareDLL\CtNotify.exe?X???^???????????????E?@?Disc Detector?A????? ?A?@ ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?? ????B???@?????P?????@?? ??????~?B~??????????@???????????????????B?????? ???????????????????`??????r?B
CTStartup = h:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&3?????\??? ??? ???\???\???????????5?B~e?B~\???\?????????`??????C@?\???\??????s????\??????s\????&3?A??s?&3??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-651377827-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:df,34,bb,6f,1c,09,e6,24,51,7d,32,48,4f,5f,7a,07,ba,2c,08,cb,93,b8,e5,
4f,28,e5,42,47,74,13,b1,c6,ec,c9,24,9c,a8,94,9b,19,09,79,ca,55,0e,15,9c,98,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(732)
h:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3632)
h:\program files\Avira\AntiVir Desktop\avsda.dll
h:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(1988)
h:\program files\Avira\AntiVir Desktop\avsda.dll
h:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-08-15 01:23:22
ComboFix-quarantined-files.txt 2010-08-15 08:23
ComboFix2.txt 2010-08-15 08:07
ComboFix3.txt 2010-03-09 18:04

Pre-Run: 83,942,670,336 bytes free
Post-Run: 83,927,384,064 bytes free

- - End Of File - - 954A46DEEA19803C35AF84DE86D7831A

Hope I did this right....
level18barbarian
Regular Member
Posts: 39
Joined: December 10th, 2008, 8:14 pm

Re: constant redirects...please HELP!!!

Post by askey127 » August 15th, 2010, 8:12 am

level18barbarian,
There is still some work to do, but that's good so far.
We will replace all the old, vulnerable Java versions, and then run a Kaspersky scan to make sure we got all the bad files.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each entry, as follows, one by one, if it exists, and choose Remove:

J2SE Runtime Environment 5.0 Update 14
Java(TM) 6 Update 17
Java(TM) 6 Update 7

Take extra care in answering questions posed by any Uninstaller.
------------------------------------------------------------
Download and install the latest version of Java Runtime Environment from here: http://java.sun.com/javase/downloads/index.jsp, and install it on your computer.
In the first section on the page, labeled JDK 6 Update 21 (JDK or JRE), click on the button labeled Download JRE. Do NOT choose the button labeled "Download JDK".
Select the Platform Windows and check the box to agree to the license.
Choose the Windows Offline installation version and click on the link.
Download it, choose Save, and save it to your desktop.
Then double-click it on your desktop, and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
-----------------------------------------------------
Run an Online Kaspersky WebScan
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the Program and Database downloads have finished, (may take a while), Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post the contents of this log in your next reply.

Looking for the results from the Kaspersky scan. It's slow, but very thorough. Please be patient.

(There is also an issue with Acrobat 5. We will tackle that later.)
askey127
Admin/Teacher
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: constant redirects...please HELP!!!

Post by level18barbarian » August 15th, 2010, 7:59 pm

OK, I have removed the three programs, but when I try to download the new stuff it says: "Your download transaction cannot be approved". So I can't go any further. I'm not sure what I should do now.
level18barbarian
Regular Member
Posts: 39
Joined: December 10th, 2008, 8:14 pm

Re: constant redirects...please HELP!!!

Post by askey127 » August 15th, 2010, 8:34 pm

------------------------------------------------
Download and Run Rkill
Please download Rkill from one of the following links and save to your Desktop:
One, Two, Three or Four
  • Double click on Rkill.
  • A command window will open, then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue. If you cannot get one of the downloads to work for you, try one of the other links.
If you cannot get Rkill to run without being stopped, don't proceed further, and post back to tell me about it.

Then see if you can complete the requested "transactions".
askey127
Admin/Teacher
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA