Browsers opening pages to unwanted Internet sites

By sigsky
Feb 10, 2011
  1. This is happening to both my desktop and laptop. Laptop networked via a wireless router. Internet Explorer and Firefox are affected. I have scanned with AVG, Malwarebytes, Spybot S&D, and have SpywareBlaster enabled. None report problems. Running Vista Home Premium on both computers.

    Pages that are opening do not appear to be malicious and are easily closed. I have not clicked on any of the links provided.

    I have carefully followed your instructions for Preliminary Removal, which went as described except that Gmer didn't seem to do much. I noticed the button for "Scan" but I did not select it since it was not indicated in your instructions. Logs follow.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5733

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019

    2/10/2011 1:16:14 PM
    mbam-log-2011-02-10 (13-16-14).txt

    Scan type: Quick scan
    Objects scanned: 151154
    Time elapsed: 4 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-10 13:21:13
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST332083 rev.3.AA
    Running: c5oisnhl.exe; Driver: C:\Users\John\AppData\Local\Temp\kflcapog.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----



    DDS (Ver_10-12-12.02) - NTFSx86
    Run by John at 13:21:43.73 on Thu 02/10/2011
    Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_23
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1141 [GMT -5:00]

    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
    C:\Program Files\DS Clock\dsetime.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k wdisvc
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\Explorer.exe
    C:\Windows\system32\taskeng.exe
    C:\Users\John\Download\VirusRemoval\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://my.yahoo.com/
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    uPolicies-explorer: NoStrCmpLogical = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444543540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup162.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\mkrc2kst.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb7b07e&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\john\appdata\roaming\move networks\plugins\npqmp071504000001.dll
    FF - plugin: c:\users\john\appdata\roaming\mozilla\plugins\npoctoshape.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
    R2 DSClockSyncTime;DS Clock Synchronization Service www.dualitysoft.com;c:\program files\ds clock\dsetime.exe [2011-1-18 62264]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-19 21504]
    R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
    R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-24 1153368]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2006-12-18 5504]
    R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-5-22 155648]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
    S2 gupdate1c99825db5dda72;Google Update Service (gupdate1c99825db5dda72);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
    S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-11-18 36312]
    S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
    S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-9-19 21504]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    SUnknown WPFFontCache_v0400;WPFFontCache_v0400; [x]

    =============== Created Last 30 ================

    2011-02-10 09:30:04 -------- d-----w- c:\progra~2\SITEguard
    2011-02-10 09:29:02 -------- d-----w- c:\program files\common files\iS3
    2011-02-10 09:29:02 -------- d-----w- c:\progra~2\STOPzilla!
    2011-02-08 09:47:19 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-02-05 17:39:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-05 17:39:59 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-02-05 16:11:25 -------- d-----w- c:\program files\Winamp Detect
    2011-01-29 13:54:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-29 13:54:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-29 13:54:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-18 09:52:41 -------- d-----w- c:\users\john\appdata\roaming\Duality Software
    2011-01-18 09:52:41 -------- d-----w- c:\program files\DS Clock
    2011-01-18 09:52:41 -------- d-----w- c:\progra~2\Duality Software
    2011-01-12 10:02:40 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-01-12 10:02:40 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
    2011-01-12 10:02:40 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 10:02:40 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
    2011-01-12 10:02:40 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
    2011-01-12 10:02:40 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
    2011-01-12 10:02:38 1169408 ----a-w- c:\windows\system32\sdclt.exe

    ==================== Find3M ====================

    2011-01-22 02:46:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-01-22 02:46:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
    2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb

    ============= FINISH: 13:22:22.75 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 12/18/2006 12:06:57 PM
    System Uptime: 2/10/2011 1:03:30 PM (0 hours ago)

    Motherboard: Intel Corporation | | DG965OT
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | LGA 775 | 1862/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 288 GiB total, 174.896 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 3.203 GiB free.
    E: is Removable
    F: is Removable
    G: is Removable
    H: is CDROM (CDFS)
    I: is FIXED (NTFS) - 112 GiB total, 92.565 GiB free.
    J: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Intel(R) 82562V 10/100 Network Connection
    Device ID: PCI\VEN_8086&DEV_104C&SUBSYS_0001107B&REV_02\3&2B8E0B4B&0&C8
    Manufacturer: Intel
    Name: Intel(R) 82562V 10/100 Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_104C&SUBSYS_0001107B&REV_02\3&2B8E0B4B&0&C8
    Service: e1express

    ==== System Restore Points ===================


    ==== Installed Programs ======================


    Leawo Free AVI Converter version 2.3.0.8
    Abacast Client
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Reader 9.4.1
    Adobe Shockwave Player 11
    Apple Application Support
    Apple Software Update
    Arachnophilia 5.3
    AutoUpdate
    AVG 2011
    AVIcodec (remove only)
    CCleaner
    CDDRV_Installer
    Championship Spades All-Stars 7.40
    Creative Mass Storage Drivers
    Digital Media Reader
    DirectVobSub (remove only)
    DivX Converter
    DivX Player
    DivX Web Player
    Doom 3
    DS Clock
    Filzip 3.06
    Free Video Joiner 1.1
    FxVisor
    Gateway Recovery Center Installer
    getPlus(R) for Adobe
    Google Earth
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Interface
    Intel(R) Matrix Storage Manager
    Intel(R) PRO Network Connections Drivers
    Intel(R) Viiv(TM) Software
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 23
    JGsoft EditPad Lite 6.2.1
    K-Lite Codec Pack 5.4.4 (Basic)
    KhalInstallWrapper
    Logitech SetPoint
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Links 2001
    Microsoft Money 2006
    Microsoft Office 97, Professional Edition
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Move Media Player
    Moyea FLV Editor Lite version: 1.1.1.835
    Mozilla Firefox (3.6.13)
    MSA20XX Device Manager
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Octoshape Streaming Services
    Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
    Personal Ancestral File 5
    PopMan 1.3
    QuickTime
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    SigmaTel Audio
    SolveigMM AVI Trimmer
    SopCast 3.2.9
    Spelling Dictionaries Support For Adobe Reader 8
    Spybot - Search & Destroy
    SpywareBlaster 4.4
    Symantec Technical Support Web Controls
    TBS WMP Plug-in
    TWC Customer Controls
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Veetle TV 0.9.18
    Virtual Pool 3 DL
    Winamp
    Winamp Detector Plug-in
    Windows Driver Package - ViXS Systems Inc. ViXS PureTV-U (11/17/2006 6.2.77.1)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Player Firefox Plugin
    WinRAR archiver

    ==== End Of File ===========================
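The "Pseudo HJT Report" section of the DDS log above lists the browser load points a helper reads first: BHOs and toolbars, the Hosts file, the Downloaded Program Files (ActiveX) entries and the system policies. The following Python script is an added example, not code from the thread, from DDS or from any tool named in it; it parses a constructed subset of exactly those lines and turns them into review items. The line shapes it assumes ("BHO: name: {CLSID} - path", "TB: {CLSID} - No File", "mPolicies-system: EnableLUA = 0 (0x0)", "DPF: {CLSID} - hxxp://host/file.cab", "Hosts: ip hostname") are taken from the log as posted; the categories and regular expressions are this example's own.

```python
"""Triage of a DDS-style "Pseudo HJT Report" section (added example).

Not code from the thread, from DDS or from any tool named in it. The line
shapes below are those visible in the posted log; the categories are this
example's own and every finding is a review item, not a verdict.
"""
import re

# Subset of the Pseudo HJT lines posted in the thread, embedded as constructed
# input. DDS writes "hxxp" instead of "http" so the URLs are not clickable.
SAMPLE_REPORT = r"""
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup162.cab
Hosts: 127.0.0.1 www.spywareinfo.com
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
POLICY_RE = re.compile(r"^[mu]Policies-system:\s*(\w+)\s*=\s*(\d+)")
DPF_HOST_RE = re.compile(r"hxxps?://([^/\s]+)")


def triage(report_text):
    """Return a list of (category, detail) tuples, one per review item, in log order."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            # Registered add-on whose DLL is gone: a leftover to clear, and a
            # CLSID worth cross-checking against the other entries.
            m = CLSID_RE.search(line)
            findings.append(("orphaned_entry", m.group(0) if m else line))
        elif line.startswith("Hosts:"):
            # A hosts-file mapping overrides DNS for that name; each one should
            # be explained by a tool the owner installed (blocklist entries) or removed.
            findings.append(("hosts_override", line[len("Hosts:"):].strip()))
        elif line.startswith(("mPolicies-system:", "uPolicies-system:")):
            m = POLICY_RE.match(line)
            if m and m.group(1) == "EnableLUA" and m.group(2) == "0":
                # UAC switched off: browser processes run with the account's full rights.
                findings.append(("uac_disabled", "EnableLUA = 0"))
        elif line.startswith("DPF:"):
            # Downloaded Program Files: ActiveX packages fetched from a remote host.
            m = DPF_HOST_RE.search(line)
            if m:
                findings.append(("activex_download_site", m.group(1)))
    return findings


def summarize(findings):
    """Group findings by category, duplicates removed and values sorted."""
    grouped = {}
    for category, detail in findings:
        grouped.setdefault(category, set()).add(detail)
    return {category: sorted(values) for category, values in grouped.items()}


if __name__ == "__main__":
    for category, details in summarize(triage(SAMPLE_REPORT)).items():
        print(f"{category}:")
        for detail in details:
            print(f"    {detail}")
```

On the sample input the script reports one CLSID that is orphaned as both a BHO and a toolbar, the single Hosts override, the disabled UAC policy and the one remote ActiveX download site; none of these is a malware verdict on its own, which is why the helper in the thread asks for further scans rather than acting on the log alone.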
  2. Bobbye


    Welcome to TechSpot!

    So you have fallen victim to the redirecting also, as many others have. We will need to identify the malware that is causing this. While I finish checking these logs, please run the following:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    Note: Before running the next scan, you will have to uninstall AVG. Try this first:

    Download AppRemover and save to the desktop.
    How to Use AppRemover to Remove a Complete Security Application
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
       (image: http://www.appremover.com/about/chooseuninstall.gif)
       - Click on Next after choice has been made
       - Check the AVG program you want to uninstall
       - After uninstall shows complete, follow online prompts to Exit the program.
    ====================================
    Then follow with Download Combofix to your desktop from one of these locations:
    Link 1: http://www.bleepingcomputer.com/download/anti-virus/combofix
    Link 2: http://www.forospyware.com/sUBs/ComboFix.exe
    - Double click combofix.exe & follow the prompts.
    - As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    - Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    - Query - Recovery Console image: http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
    5. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
       (image)
    6. Click on Yes, to continue scanning for malware
    7. If Combofix asks you to update the program, allow
    8. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    9. Close any open browsers.
    10. Double click combofix.exe & follow the prompts to run.
    11. When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. sigsky


    Interim Question

    Hi Bobbye, Thanks for the help. I am waiting for Eset to download its database. Looks like it is going to take an hour.

    The above procedure seems to leave me without antivirus protection after running combofix. Is that where I want to be?

    I'll post logs when this is completed.

    John
  4. sigsky


    Eset and Combofix logs

    Bobbye,

    I've finished those steps. What should I do about antivirus protection?
    Awaiting your instructions, thanks again for your help. John

    Here are the logs:

    Eset log:


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=6fe7ba86dc2838409ffd65a60c254283
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-10 10:45:26
    # local_time=2011-02-10 05:45:26 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=1032 16777213 100 95 0 40434624 0 0
    # compatibility_mode=5892 16776574 100 100 10799783 133982408 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=143701
    # found=0
    # cleaned=0
    # scan_time=3045


    Combofix log:

    ComboFix 11-02-09.05 - John 02/10/2011 18:05:57.4.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1265 [GMT -5:00]
    Running from: c:\users\John\Download\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\Windows

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-10 to 2011-02-10 )))))))))))))))))))))))))))))))
    .

    2011-02-10 23:11 . 2011-02-10 23:12 -------- d-----w- c:\users\John\AppData\Local\temp
    2011-02-10 23:11 . 2011-02-10 23:11 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-02-10 23:11 . 2011-02-10 23:11 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
    2011-02-10 23:11 . 2011-02-10 23:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-10 23:06 . 2011-02-10 23:06 -------- d-----w- c:\programdata\WindowsSearch
    2011-02-10 20:33 . 2011-02-10 20:33 -------- d-----w- c:\program files\ESET
    2011-02-10 09:30 . 2011-02-10 09:30 -------- d-----w- c:\programdata\SITEguard
    2011-02-10 09:29 . 2011-02-10 09:54 -------- d-----w- c:\programdata\STOPzilla!
    2011-02-10 09:29 . 2011-02-10 09:29 -------- d-----w- c:\program files\Common Files\iS3
    2011-02-08 09:47 . 2011-02-08 09:47 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-02-05 17:41 . 2011-02-05 17:41 -------- d-----w- c:\program files\Common Files\Java
    2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-02-05 16:11 . 2011-02-05 16:11 -------- d-----w- c:\program files\Winamp Detect
    2011-01-29 13:54 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-29 13:54 . 2011-01-29 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-29 13:54 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-18 10:27 . 2011-01-31 22:49 -------- d-----w- c:\users\Public\Download
    2011-01-18 09:52 . 2011-01-18 10:11 -------- d-----w- c:\program files\DS Clock
    2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\users\John\AppData\Roaming\Duality Software
    2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\programdata\Duality Software
    2011-01-12 10:02 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 10:02 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-01-12 10:02 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-01-12 10:02 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-01-12 10:02 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
    2011-01-12 10:02 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-01-12 10:02 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 22:50 . 2008-09-19 23:30 52792 ----a-w- c:\windows\system32\drivers\volmgr.sys
    2011-01-31 10:16 . 2008-09-19 23:30 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
    2011-01-22 02:46 . 2003-03-19 04:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-01-22 02:46 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-12-14 40072]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-23 809488]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoStrCmpLogical"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
    backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
    backup=c:\windows\pss\NCProTray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
    backup=c:\windows\pss\Office Startup.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
    path=c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
    backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
    2006-11-18 15:01 182744 ----a-w- c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2006-12-12 15:03 106496 ----a-w- c:\windows\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2006-09-29 20:39 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2006-12-12 15:02 98304 ----a-w- c:\windows\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
    2008-12-19 03:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
    2006-09-26 18:56 423424 ----a-w- c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2006-12-12 15:02 81920 ----a-w- c:\windows\System32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-11-02 14:38 303104 ----a-w- c:\windows\sttray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-1001]
    "EnableNotificationsRef"=dword:00000003

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-500]
    "EnableNotificationsRef"=dword:00000002

    R2 gupdate1c99825db5dda72;Google Update Service (gupdate1c99825db5dda72);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 133104]
    R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-11-18 36312]
    R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\E411.tmp [x]
    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-01-19 21504]
    R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-15 2794234]
    R3 WPFFontCache_v0400;WPFFontCache_v0400; [x]
    S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
    S2 DSClockSyncTime;DS Clock Synchronization Service www.dualitysoft.com;c:\program files\DS Clock\dsetime.exe [2009-11-20 62264]
    S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys [2006-09-28 28672]
    S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2006-12-18 5504]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    getPlusHelper REG_MULTI_SZ getPlusHelper
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

    2011-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

    2011-02-10 c:\windows\Tasks\User_Feed_Synchronization-{1D222DBF-C551-436A-A026-133E4094B4E2}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]

    2010-02-05 c:\windows\Tasks\User_Feed_Synchronization-{E57A22E8-06A3-46E2-A6A3-C443A62D321E}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mkrc2kst.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb7b07e&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    SafeBoot-klmdb.sys
    MSConfigStartUp-BigFix - c:\program files\Bigfix\bigfix.exe
    MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe
    MSConfigStartUp-mcinfo_1171995617 - c:\users\John\AppData\Local\Temp\mcinfo_1171995617.exe
    MSConfigStartUp-Monopod - c:\users\John\AppData\Local\Temp\c.exe
    MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
    MSConfigStartUp-OxigenServiceStart - c:\program files\Oxigen\bin\OxigenService.exe
    MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
    MSConfigStartUp-TkBellExe - c:\program files\Real\RealPlayer\update\realsched.exe
    MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-10 18:12
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\E411.tmp"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(2204)
    c:\program files\Logitech\SetPoint\lgscroll.dll
    .
    Completion time: 2011-02-10 18:14:03
    ComboFix-quarantined-files.txt 2011-02-10 23:14

    Pre-Run: 188,121,661,440 bytes free
    Post-Run: 188,045,004,800 bytes free

    - - End Of File - - 9B9374AA198C3259288DA2F5EB3F9F4B
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You enable it when finished with Eset and Combofix. If you did a full uninstall of AVG and don't want it back, here are two recommendations, both free and good> use only one!
    I have noticed that there is no antivirus program running
    Avira Free
    Avast Home

    Please reboot the system after the installation is complete.

    I will be back to check Combofix.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I see 17 processes loading from the Registry on the Startup Menu. And it looks like that's after you removed 9 other processes! And are there 4 users on the machine now? That's a lot of activity to keep track of!
    =========================================
    I have a question for you about the subject: when you say "pages are opening to unwanted sites", do you mean that when you do a search, you are being redirected to a page other than what you requested? Or do you mean that pages pop up with other sites or ads? Can you give me an example of one? Please do not leave an active link, but rather the Domain name like 'searchhere' or 'goodthingshere'.
    ===================================
    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\E411.tmp
    Folder::
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    Driver::
    MEMSWEEP2
    WPFFontCache_v0400
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
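    The CFScript above targets exactly the kind of entries a helper scans a ComboFix log for first: a service whose image is a .tmp file under system32 (MEMSWEEP2), a service with no image at all (WPFFontCache_v0400), and Security Center "DisableMonitoring" values left behind by uninstalled products. As an added illustration for this thread (not ComboFix code and not part of any post here), the Python script below applies that triage automatically to the "Reg Loading Points", service and "ORPHANS REMOVED" lines of such a log and also flags EnableLUA=0, which on Vista means UAC is switched off. The sample log is constructed from lines excerpted from the logs posted above; the severity labels and the definition of a "transient" image path (inside a Temp folder or ending in .tmp) are this example's own assumptions.

```python
"""Autostart triage for ComboFix-style logs.

Added illustration for this thread; it is not ComboFix code and not part of
any post here. The heuristics (what counts as a "transient" image path, which
registry values weaken defences) are this example's own assumptions.
"""
import re
from typing import List, Tuple

# Constructed sample: lines excerpted from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-500]
"EnableNotificationsRef"=dword:00000002

R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\E411.tmp [x]
R3 WPFFontCache_v0400;WPFFontCache_v0400; [x]
S2 DSClockSyncTime;DS Clock Synchronization Service www.dualitysoft.com;c:\program files\DS Clock\dsetime.exe [2009-11-20 62264]

MSConfigStartUp-Monopod - c:\users\John\AppData\Local\Temp\c.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
"""

# A ComboFix service/driver line: "<start type> <name>;<display name>;<image path> [<date size> | x]"
SERVICE_RE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*?)\s*(?:\[(?P<tag>[^\]]*)\])?\s*$"
)
# An msconfig startup entry as listed under "ORPHANS REMOVED".
STARTUP_RE = re.compile(r"^MSConfigStartUp-(?P<name>.+?)\s+-\s+(?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')

Finding = Tuple[str, str, str]  # (severity, subject, reason)


def looks_transient(path: str) -> bool:
    """True for an image that lives in a Temp directory or is a .tmp file:
    legitimate services and startup items are almost never installed there."""
    p = path.lower().replace("/", "\\")
    return "\\temp\\" in p or p.endswith(".tmp")


def triage(log: str) -> List[Finding]:
    """Walk the log line by line, remembering the last registry key seen so
    that values can be judged in the context of the key they belong to."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            key_l = current_key.lower()
            name, value = m.group("name"), m.group("value").strip()
            # EnableLUA=0 under the system policies key: UAC is turned off.
            if key_l.endswith("\\policies\\system") and name == "EnableLUA" and value.startswith("0"):
                findings.append(("medium", current_key, "UAC is disabled (EnableLUA=0)"))
            # DisableMonitoring=1 tells Security Center to ignore that product's state.
            elif "\\security center\\monitoring\\" in key_l and name == "DisableMonitoring" and value.endswith("1"):
                product = current_key.rsplit("\\", 1)[-1]
                findings.append(("medium", product, "Security Center monitoring suppressed for this product"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path").strip()
            if not path:
                findings.append(("low", name, "service has no image path (dangling entry)"))
            elif looks_transient(path):
                findings.append(("high", name, f"service image in a transient location: {path}"))
            continue
        m = STARTUP_RE.match(line)
        if m and looks_transient(m.group("path")):
            findings.append(("high", m.group("name"), f"startup item runs from Temp: {m.group('path')}"))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {subject}: {reason}")
```

    Run against the sample it reports MEMSWEEP2 and Monopod as high, the McAfee monitoring override and EnableLUA as medium, and WPFFontCache_v0400 as a low-priority dangling entry, while leaving DS Clock and Winamp alone; a helper still has to decide what to do with each hit, since a .tmp image path is a strong signal but not proof.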
  7. sigsky

    sigsky Newcomer, in training Topic Starter

    New Combofix log

    The only control over start-ups that I know of are the programs that run when you boot your computer which can be accessed by running "msconfig". I am constantly removing things that are inserted there by Adobe, Quicktime, and others. I only have 4 items checked, two of which are for my cordless mouse and the others are AVG and Spybot S&D. I don't like unnecessary things running in the background. As far as processes loading or being removed, I'm not sure except I have used "Black Viper's" site to optimize setup so maybe that is what you are referring to?

    I don't know who those users are> It's just me and my wife and we don't have separate accounts. My computer boots right to the desktop without passwords or anything. I'm not sure where all that came from. For some reason my desktop's designation seems to change periodically in my network setup but it continues to work so I haven't worried about it.

    Any advice you have to offer is most welcome.

    I had to uninstall AVG to get Combofix to run. I am going to try to find the free Avast software. The link you kindly provided would not let me download the free version for some reason.

    OK, I intentionally did not use the word redirect in my posting because when I am accessing a page in my browser, every so often a new page opens in the background. It does not take me away from the page I am using or impede my activity. When I see these pages as tabs at the bottom, I bring them to the top to see what they are, close them, and return to what I am doing. Sometimes these pages are accompanied by a phishing or virus warning from AVG but usually not.

    I have noticed lately that sometimes when I click on a google search return link, it will take me to an unrelated page. Normally if I close it and go back to the google results and click the link again, it takes me to the proper page.

    What follows are samples of unwanted pages which have appeared both in Firefox and Internet Explorer. I should also say that I have noticed a page briefly opening which disappears once the offending page appears. I assume this is the site that actually is doing the mischief but I haven't been able to get the domain name yet but I'll watch for it.

    This site just popped up while I was retrieving your log:
    cheapstuff.com/?d=1

    Here are some others that I have gotten recently:

    Firefox:
    213.155.17.40/pop/
    teanja.com/

    Internet Explorer:
    d3.zedo.com/jsc/d3/ff2.html?n=790;s=2819;c=3386;d=16;w=1024;h=768
    cheapstuff.com/a.php?search=basic+cable&ai=5983
    about:blank
    213.155.17.40/pop/sixpoints.htm
    esults.googlesyndication.com/


    Here is the log you requested:

    ComboFix 11-02-11.01 - John 02/11/2011 21:55:55.5.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1075 [GMT -5:00]
    Running from: c:\users\John\Download\ComboFix.exe
    Command switches used :: c:\users\John\Desktop\CFScript.txt
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    FILE ::
    "c:\windows\system32\E411.tmp"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MEMSWEEP2
    -------\Service_MEMSWEEP2
    -------\Service_WPFFontCache_v0400


    ((((((((((((((((((((((((( Files Created from 2011-01-12 to 2011-02-12 )))))))))))))))))))))))))))))))
    .

    2011-02-12 03:01 . 2011-02-12 03:04 -------- d-----w- c:\users\John\AppData\Local\temp
    2011-02-12 03:01 . 2011-02-12 03:01 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-02-12 03:01 . 2011-02-12 03:01 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
    2011-02-12 03:01 . 2011-02-12 03:01 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-11 02:17 . 2011-02-11 02:17 -------- d-----w- c:\users\John\AppData\Roaming\AVG10
    2011-02-11 02:07 . 2011-02-12 02:50 -------- d-----w- c:\programdata\AVG10
    2011-02-11 01:56 . 2011-02-11 02:06 -------- d-----w- c:\programdata\MFAData
    2011-02-10 23:06 . 2011-02-10 23:06 -------- d-----w- c:\programdata\WindowsSearch
    2011-02-10 20:33 . 2011-02-10 20:33 -------- d-----w- c:\program files\ESET
    2011-02-10 09:30 . 2011-02-10 09:30 -------- d-----w- c:\programdata\SITEguard
    2011-02-10 09:29 . 2011-02-10 09:54 -------- d-----w- c:\programdata\STOPzilla!
    2011-02-10 09:29 . 2011-02-10 09:29 -------- d-----w- c:\program files\Common Files\iS3
    2011-02-05 17:41 . 2011-02-05 17:41 -------- d-----w- c:\program files\Common Files\Java
    2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-02-05 16:11 . 2011-02-05 16:11 -------- d-----w- c:\program files\Winamp Detect
    2011-01-29 13:54 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-29 13:54 . 2011-01-29 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-29 13:54 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-18 10:27 . 2011-01-31 22:49 -------- d-----w- c:\users\Public\Download
    2011-01-18 09:52 . 2011-01-18 10:11 -------- d-----w- c:\program files\DS Clock
    2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\users\John\AppData\Roaming\Duality Software
    2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\programdata\Duality Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 22:50 . 2008-09-19 23:30 52792 ----a-w- c:\windows\system32\drivers\volmgr.sys
    2011-01-31 10:16 . 2008-09-19 23:30 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
    2011-01-22 02:46 . 2003-03-19 04:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-01-22 02:46 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-12-28 15:55 . 2011-01-12 10:02 413696 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-14 14:49 . 2011-01-12 10:02 1169408 ----a-w- c:\windows\system32\sdclt.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-12-14 40072]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-23 809488]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoStrCmpLogical"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
    @=""

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
    backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
    backup=c:\windows\pss\NCProTray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
    backup=c:\windows\pss\Office Startup.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
    path=c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
    backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
    2006-11-18 15:01 182744 ----a-w- c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2006-12-12 15:03 106496 ----a-w- c:\windows\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2006-09-29 20:39 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2006-12-12 15:02 98304 ----a-w- c:\windows\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
    2008-12-19 03:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
    2006-09-26 18:56 423424 ----a-w- c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2006-12-12 15:02 81920 ----a-w- c:\windows\System32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-11-02 14:38 303104 ----a-w- c:\windows\sttray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-1001]
    "EnableNotificationsRef"=dword:00000003

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-500]
    "EnableNotificationsRef"=dword:00000002

    S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
    S2 DSClockSyncTime;DS Clock Synchronization Service www.dualitysoft.com;c:\program files\DS Clock\dsetime.exe [2009-11-20 62264]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    getPlusHelper REG_MULTI_SZ getPlusHelper
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

    2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

    2011-02-12 c:\windows\Tasks\User_Feed_Synchronization-{1D222DBF-C551-436A-A026-133E4094B4E2}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]

    2010-02-05 c:\windows\Tasks\User_Feed_Synchronization-{E57A22E8-06A3-46E2-A6A3-C443A62D321E}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mkrc2kst.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb7b07e&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-11 22:03
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(2700)
    c:\program files\Logitech\SetPoint\lgscroll.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\AUDIODG.EXE
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Spybot - Search & Destroy\SDWinSec.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    c:\windows\system32\wbem\unsecapp.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2011-02-11 22:08:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-12 03:08

    Pre-Run: 187,219,955,712 bytes free
    Post-Run: 186,871,070,720 bytes free

    - - End Of File - - 0CEA9B1EED571279ADC3F039F921EA65
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Most of the Domains you gave are common ones that leave Tracking Cookies. By resetting the Cookies, most of them will be blocked, so please follow this:
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    I see you are already using AdBlockPlus. Good! If you didn't add EasyList, I highly recommend doing so:
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    ====================================
    However, the IP 213.155.17.40 that you left belongs to a site in the UA - Ukraine. This usually indicates that the Hosts file has been hijacked, but I'm not seeing this so far in the logs. And the 'sixpoints' popups with it usually come up with 'Congratulations', and the site it's on is BAD. Can you tell me just how it is that you're seeing these things? Where do you see the IP? If you look on the bottom left corner of the browser, you will see an IP and all the other entries on a site that's loading as they load. However, unless you actually click to activate either the IP or the popups, it should get on the machine.
    =======================================
    About "Black Viper": they don't come any better! Someday, I would like to meet him and thank him for all the help I got on his site, especially when starting Windows XP with the Services!
    ====================================
    EDIT: Please run the script I set up in the next reply first, then run HJT.
    ===================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    
    Folder::
    C:\TDSSKiller_Quarantine
    
    DDS::
    BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    
    Registry::
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
    [HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
    
    Driver::
    WPFFontCache_v0400
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
  10. sigsky

    sigsky Newcomer, in training Topic Starter

    Answers to questions - logs coming shortly

    I run CCleaner several times a day to get rid of cookies and remove other tracking info.

    I will make the changes you have recommended under reset cookies.

    The unwanted pages normally happen as follows:

    A new page is created briefly as can be seen on the taskbar

    It quickly changes to another address, often some search engine which produces the advertising pages I usually end up with which are what I have submitted to you. I haven't been quick enough to capture the address.

    None of these replace the page I am browsing, but are in the background. The final advertising page is the only thing that remains after a very short time. I will attempt to capture better results.

    To me it seems like the virus manifests itself under a number of very strange names, calls up one of several search strings which results in an advertising page. I can't imagine they are being paid advertising fees.

    Some sites never result in the virus being activated. Others (notably imdb.com) seem to trigger the virus immediately every time it is accessed. Usually after generating an ad, the virus will remain dormant until I change web sites, although I don't think this is always true. I will play with imdb.com later today and see if I can identify a better name.
  11. sigsky

    sigsky Newcomer, in training Topic Starter

    logs

    Here is the ComboFix log:

    ComboFix 11-02-12.02 - John 02/13/2011 14:27:04.6.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1037 [GMT -5:00]
    Running from: c:\users\John\Download\ComboFix.exe
    Command switches used :: c:\users\John\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\java\jre6\bin\jp2ssv.dll

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-13 to 2011-02-13 )))))))))))))))))))))))))))))))
    .

    2011-02-13 19:31 . 2011-02-13 19:31 -------- d-----w- c:\users\John\AppData\Local\temp
    2011-02-13 19:31 . 2011-02-13 19:31 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-02-13 19:31 . 2011-02-13 19:31 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
    2011-02-13 19:31 . 2011-02-13 19:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-13 19:15 . 2011-02-13 19:15 -------- d-----w- C:\HijackThis
    2011-02-12 13:16 . 2011-02-02 22:10 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C60513A9-BA36-474B-AA22-9150CE44E637}\mpengine.dll
    2011-02-12 03:49 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-12 03:49 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-12 03:49 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-12 03:49 . 2011-01-13 08:37 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-02-12 03:49 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-02-12 03:48 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
    2011-02-12 03:48 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-12 03:48 . 2011-02-12 03:48 -------- d-----w- c:\programdata\Alwil Software
    2011-02-12 03:48 . 2011-02-12 03:48 -------- d-----w- c:\program files\Alwil Software
    2011-02-11 02:17 . 2011-02-11 02:17 -------- d-----w- c:\users\John\AppData\Roaming\AVG10
    2011-02-11 02:07 . 2011-02-12 02:50 -------- d-----w- c:\programdata\AVG10
    2011-02-11 01:56 . 2011-02-11 02:06 -------- d-----w- c:\programdata\MFAData
    2011-02-10 23:06 . 2011-02-10 23:06 -------- d-----w- c:\programdata\WindowsSearch
    2011-02-10 20:33 . 2011-02-10 20:33 -------- d-----w- c:\program files\ESET
    2011-02-10 09:30 . 2011-02-10 09:30 -------- d-----w- c:\programdata\SITEguard
    2011-02-10 09:29 . 2011-02-10 09:54 -------- d-----w- c:\programdata\STOPzilla!
    2011-02-10 09:29 . 2011-02-10 09:29 -------- d-----w- c:\program files\Common Files\iS3
    2011-02-05 17:41 . 2011-02-05 17:41 -------- d-----w- c:\program files\Common Files\Java
    2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-02-05 16:11 . 2011-02-05 16:11 -------- d-----w- c:\program files\Winamp Detect
    2011-01-29 13:54 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-29 13:54 . 2011-01-29 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-29 13:54 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-18 10:27 . 2011-01-31 22:49 -------- d-----w- c:\users\Public\Download
    2011-01-18 09:52 . 2011-01-18 10:11 -------- d-----w- c:\program files\DS Clock
    2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\users\John\AppData\Roaming\Duality Software
    2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\programdata\Duality Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 22:50 . 2008-09-19 23:30 52792 ----a-w- c:\windows\system32\drivers\volmgr.sys
    2011-02-02 22:11 . 2009-10-03 18:52 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-31 10:16 . 2008-09-19 23:30 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
    2011-01-22 02:46 . 2003-03-19 04:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-01-22 02:46 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-12-28 15:55 . 2011-01-12 10:02 413696 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-14 14:49 . 2011-01-12 10:02 1169408 ----a-w- c:\windows\system32\sdclt.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-12-14 40072]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-23 809488]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoStrCmpLogical"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe\0aswBoot.exe /A:* /L:1033 /heur:80 /pup /archives /IA:0 /KBD:2 /dir:C:\Program

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
    @=""

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
    backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
    backup=c:\windows\pss\NCProTray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
    backup=c:\windows\pss\Office Startup.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
    path=c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
    backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
    2006-11-18 15:01 182744 ----a-w- c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2006-12-12 15:03 106496 ----a-w- c:\windows\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2006-09-29 20:39 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2006-12-12 15:02 98304 ----a-w- c:\windows\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
    2008-12-19 03:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
    2006-09-26 18:56 423424 ----a-w- c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2006-12-12 15:02 81920 ----a-w- c:\windows\System32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-11-02 14:38 303104 ----a-w- c:\windows\sttray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-1001]
    "EnableNotificationsRef"=dword:00000003

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-500]
    "EnableNotificationsRef"=dword:00000002

    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
    S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
    S2 DSClockSyncTime;DS Clock Synchronization Service www.dualitysoft.com;c:\program files\DS Clock\dsetime.exe [2009-11-20 62264]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    getPlusHelper REG_MULTI_SZ getPlusHelper
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

    2011-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

    2011-02-13 c:\windows\Tasks\User_Feed_Synchronization-{1D222DBF-C551-436A-A026-133E4094B4E2}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]

    2010-02-05 c:\windows\Tasks\User_Feed_Synchronization-{E57A22E8-06A3-46E2-A6A3-C443A62D321E}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mkrc2kst.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb7b07e&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-13 14:31
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-02-13 14:33:38
    ComboFix-quarantined-files.txt 2011-02-13 19:33
    ComboFix2.txt 2011-02-12 03:08

    Pre-Run: 227,541,659,648 bytes free
    Post-Run: 227,509,452,800 bytes free

    - - End Of File - - 9422B1A9F318A0A12B60F3A594D418B4

    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:35:35 PM, on 2/13/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.19019)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Windows\explorer.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\Explorer.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444543540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
    O23 - Service: DS Clock Synchronization Service www.dualitysoft.com (DSClockSyncTime) - Duality Software - C:\Program Files\DS Clock\dsetime.exe
    O23 - Service: Google Update Service (gupdate1c99825db5dda72) (gupdate1c99825db5dda72) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
    O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
    O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
    O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 5165 bytes
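As an added triage example, not part of the thread, here is a small Python parser for HijackThis-format lines like those in the log above. It flags entries whose target file HJT reports as missing, the same class of dead references that the CFScript in the earlier reply removed; the sample lines are taken from the posted log, and the parser and its function names are hypothetical.

```python
"""Triage HijackThis-style log lines and flag orphaned entries.

Entries marked '(no file)' or '(file missing)' are registry references whose
target no longer exists on disk; they are the usual first candidates for
cleanup because nothing legitimate depends on them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines in HijackThis 2.0.4 layout, taken from the log posted above.
SAMPLE_HJT_LOG = """\
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\\..\\RunOnce: [Launcher] %WINDIR%\\SMINST\\launcher.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\\Windows\\system32\\GameMon.des.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe
"""

# 'O2 - ...', 'O23 - ...', 'R1 - ...': section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*\S)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)


@dataclass
class Entry:
    section: str            # HJT section code, e.g. O2, O4, O23
    body: str               # everything after 'Oxx - '
    clsid: Optional[str]    # CLSID if the line carries one (BHOs, toolbars, DPF)
    path: Optional[str]     # target file or URL, missing-file marker stripped
    file_missing: bool      # HJT could not find the referenced file on disk
    unknown_owner: bool     # O23 service with no identifiable vendor


def _target(section: str, body: str) -> Optional[str]:
    """Extract the file/URL an entry points at, per section layout."""
    if section == "O4":
        # O4 - <key>: [<name>] <command line>
        _, _, cmd = body.partition("] ")
        return cmd.strip() or None
    if section in ("O2", "O16", "O22", "O23"):
        # The last ' - ' separated field is the path or URL.
        tail = body.rsplit(" - ", 1)[-1]
        tail = MISSING_RE.sub("", tail).strip()
        return tail or None
    return None


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HJT line; returns None for headers and process listings."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    return Entry(
        section=section,
        body=body,
        clsid=clsid.group(0) if clsid else None,
        path=_target(section, body),
        file_missing=MISSING_RE.search(body) is not None,
        unknown_owner=(section == "O23" and "unknown owner" in body.lower()),
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose target file HJT could not find: dead references."""
    return [e for e in entries if e.file_missing]


def by_section(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    ents = parse_log(SAMPLE_HJT_LOG)
    print("entries per section:", by_section(ents))
    for e in orphaned(ents):
        print(f"orphaned {e.section}: {e.clsid or e.path or e.body}")
```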
     
  12. sigsky

    sigsky Newcomer, in training Topic Starter

    A bit of Additional Info

    When the virus is triggered, I get a tab at the bottom of the screen like you do when you open a page, but it is labeled either Internet Explorer or Mozilla Firefox and cannot be opened by clicking on it until it changes to a domain name including some variation of a domain including "google"; I gave you one of those. Will try to get more. It can be opened at that point, but quickly it changes to the advertising page or sometimes results in page not found or a link to be forwarded (which I ain't ever clicking on). Unless you are paying attention you don't really notice anything except this new page in the background with the advertising. This final page is readily closed, and normally nothing else appears until I change sites. Hope this helps. I don't know how to capture that first bugger yet.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    That helps, thank you. It sounds like a pop-under. You don't want to do anything except a Right click> Properties. That might give you some information but won't activate it. I remember years ago when the "X-10" seemed to pop under everything! But as popup stoppers got better and browser security improved, the old X-10 was sent packing. Here's a comment on that from 11/1/2001:
    These usually aren't malicious- just annoying. Be sure to reset the Cookies as I instructed and add Easy List to Firefox. If you use the Google Toolbar, it has a great popup stopper. If you don't, be sure the feature is enabled in Firefox: Open FF> Tools> Options> Content> Check 'block popups.'
    ====================================
    The 4 accounts I see are:
    c:\users\John\AppData\Local\temp
    c:\users\Public\AppData\Local\temp
    c:\users\IUSR_NMPR\AppData\Local\temp
    c:\users\Default\AppData\Local\temp

    I looked further and found this in a Vista forum:
    Vista Accounts:
    Administrator ("Built-in account for administering the computer/domain")
    Guest ("Built-in account for guest access to the computer/domain")
    IUSR_NMPR >>> it's a guest account or internet user account for IIS (Internet Information Server); it's a system account, so you need to remove IIS first
    Account with User name
    ============================
    Have you reset the Cookies, added Easy List to Firefox, and surfed for a while to see if any popunders still show? If any do, please use the right click> Properties> look for a domain name and we can block it. For instance, if you see 'yahoo.com' in the properties, that's what I want.
  14. sigsky

    sigsky Newcomer, in training Topic Starter

    results.google-analytics.com/ is one I captured yesterday before it sent me to an advertising page.
    results.googlesyndication.com/ is one I sent you earlier.

    plug either of these into a search engine and you will get countless folks having problems.

    These appear to be the sites that are popping up and sending me to the advertisements. It still happens in both Firefox and IE and I have made the changes you suggested including adding Easy List.

    What am I clicking on to check properties? Clicking on the tab at the bottom only brings up the normal menu (Restore, Move, Size, Minimize, Maximize, Close). Is it possible to block the domain names above? It would be better to remove what is producing them.

    I don't understand the account issues. In Windows explorer I see only:
    C:\users\John
    C:\users\Public
    the latter being where I store data that I want to be able to access with other computers on my network (just my laptop).

    In control panel I show only an Administrators account and a Guest Account which is turned off.

    I will try to identify more bad domain names if I can find them.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    From TechSpot blog, Julio, 2008:
    From Google:
    Google Analytics Opt-out Browser Add-on (BETA)
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    BTW, I amended both AV programs to leave out choices and take the user directly to the download page for the free version:

    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    I try to put the software manufacturer's site in the links, but sometimes they add a link which confuses the user.

    You don't need to give me any more domains. Please reset the Cookies as I have instructed. These pop unders aren't manifestations of a virus- usually- but rather another way to sneak an advertisement onto the user's system. Let me check your security- if I did this already, forgive me:

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  17. sigsky

    sigsky Newcomer, in training Topic Starter

    Actually I had unknowingly already downloaded Avast from the site you mentioned. It happened so fast I didn't realize it. That is why it wouldn't allow me to download it again. Sorry for the confusion.

    I've been reading about this situation of mine over the last couple of days and find plenty of cries for help but no solutions. And apparently no anti-virus program will identify this as a virus. I went ahead and plugged one of the offending URLs into my browser and sure enough the same thing happens, I get a blank page for a few seconds and then am redirected to a "desperately" random advertising site.

    I think I agree that this does not qualify as a virus. But to me it certainly qualifies as malware if it attempts to send me to sites that trigger my antivirus protection. Maybe it's not even on my machine, in which case it seems everyone should be experiencing it. Maybe they are. Hopefully eventually this will run its course, as it seems to be gaining attention.

    I have made the changes you indicated regarding cookies. Maybe I will flush the ones that I have told CCleaner not to delete and reset them one by one. There aren't that many and there may be some that I no longer wish to retain.

    Here is the checkup log from my desktop:

    Results of screen317's Security Check version 0.99.8
    Windows Vista Service Pack 2 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG 2011
    ESET Online Scanner v3
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 23
    Adobe Flash Player 10.1.102.64
    Adobe Reader 9.4.2
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    AVG avgemc.exe
    ``````````End of Log````````````


    And here is one from my laptop which has the same affliction:

    Results of screen317's Security Check version 0.99.8
    Windows Vista Service Pack 2 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG 2011
    Norton 360
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    MVPS Hosts File
    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 23
    Adobe Flash Player 10.1.102.64
    Adobe Reader X (10.0.1)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    AVG avgemc.exe
    ``````````End of Log````````````

    As always, any advice is gratefully appreciated.

    John
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    What you are experiencing is an annoyance- And you didn't mention AVG's phishing alert until Reply #7.

    You have 3 software firewalls running; that's 2 too many! Remove 2 of them:
    Antivirus/Firewall Check:
    Windows Firewall Enabled!
    AVG 2011
    Norton 360

    Multiple firewalls or antivirus programs actually make a system more vulnerable.

    You still have Norton on the system. Please run this:
    Norton Removal Tool

    That's because it isn't a virus. A 'virus' doesn't trigger the pop-under; closing the browser allows it to show from nesting between the browser and the active window.
    ====================================
    What it's all about: What is a pop under?
    A variation on the pop-up window is the pop-under advertisement, which opens a new browser window hidden under the active window. Pop-unders do not interrupt the user immediately and are not seen until the covering window is closed, making it more difficult to determine which web site opened them.

    The script for it is on the page you have open, but it won't pop up until you try to close the page, because it's actually in between your browser and the site page. This is an example of an interstitial: interstitials are web page advertisements that are displayed before or after an expected content page, often to display advertisements or confirm the user's age.
    They are not all bad.
    ===================================
    Install the following add-ons to Firefox:
    NoScript

    AdBlock Plus
    ======================================
    Run TFC again after you get the 2 add ons installed.
    It will reboot at the end. Empty the Recycle Bin.
    Let me know if this helps the situation.
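The pop-under mechanism described in the post above, as an added example (this is not code from the thread, from TechSpot, or from any of the advertising sites involved): a pop-under is an ordinary pop-up call followed by two extra lines in which the page blurs the new window and re-focuses itself, so the ad ends up behind the page and only surfaces when the page is closed. To run offline in Node, the "browser" here is a small simulated z-ordered window stack constructed for the example, and the two URLs are made up; openPopUnder() only needs an object with open/blur/focus, so it behaves the same against a real `window`.

```javascript
// Added example: how a pop-under differs from a pop-up.
// The "browser" is a simulated z-ordered window stack (constructed for
// this example); the last element of `stack` is the active window.
class FakeBrowser {
  constructor() {
    this.stack = [];
  }

  // A newly opened window always starts in front, exactly like a pop-up.
  createWindow(url) {
    const browser = this;
    const win = {
      url,
      closed: false,
      open(target) { return browser.createWindow(target); },
      focus() { browser.bringToFront(win); },
      blur() { browser.sendToBack(win); },
      close() {
        win.closed = true;
        browser.stack = browser.stack.filter((w) => w !== win);
      },
    };
    this.stack.push(win);
    return win;
  }

  bringToFront(win) {
    this.stack = this.stack.filter((w) => w !== win);
    this.stack.push(win);
  }

  sendToBack(win) {
    this.stack = this.stack.filter((w) => w !== win);
    this.stack.unshift(win);
  }

  // The window the user currently sees; undefined if everything is closed.
  active() {
    return this.stack[this.stack.length - 1];
  }
}

// Plain pop-up: the new window appears on top and interrupts the user.
function openPopUp(opener, url) {
  return opener.open(url);
}

// Pop-under: the same open() call, but the page's script immediately
// pushes the ad behind the page that spawned it. With a real `window`,
// open() returns null when a pop-up blocker refuses it, so handle that.
function openPopUnder(opener, url) {
  const ad = opener.open(url);
  if (!ad) {
    return null;
  }
  ad.blur();      // drop the ad out of the foreground...
  opener.focus(); // ...and bring the original page back on top
  return ad;
}

// Walk through both behaviours and report what the user sees at each step.
function demo() {
  const ARTICLE = 'https://example.test/article'; // made-up URLs
  const AD = 'https://ads.example.test/offer';

  // Pop-up: the ad is in front the moment it opens.
  const b1 = new FakeBrowser();
  const page1 = b1.createWindow(ARTICLE);
  openPopUp(page1, AD);
  const popUpActive = b1.active().url;

  // Pop-under: the article stays in front; the ad surfaces on close.
  const b2 = new FakeBrowser();
  const page2 = b2.createWindow(ARTICLE);
  const ad = openPopUnder(page2, AD);
  const popUnderActiveWhileReading = b2.active().url;
  page2.close();
  const popUnderActiveAfterClose = b2.active().url;

  return {
    popUpActive,
    popUnderActiveWhileReading,
    popUnderActiveAfterClose,
    adStillOpen: ad !== null && !ad.closed,
  };
}

console.log(demo());
```

The whole trick is two extra calls in the page's own script, which is why blocking that page's scripts (what NoScript does) removes the pop-under along with the pop-up, and why no antivirus flags it: nothing is installed on the machine. A pop-up blocker alone only helps when it refuses the open() call, the null case the function above handles.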
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35
