TechSpot

Redirect issue

By XCFW
Jan 29, 2011
  1. All 3 of my home PCs are having redirect problems. 2 are running XP pro and the other Windows 7. I will start here with one of the XP machines. Thanks.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5635

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    1/29/2011 12:09:13 PM
    mbam-log-2011-01-29 (12-09-13).txt

    Scan type: Quick scan
    Objects scanned: 129360
    Time elapsed: 3 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ******************

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-29 12:23:57
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3400633A rev.3.AAH
    Running: 7o7p5q3k.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\axgyraoc.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF743E0E0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF743E0F4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF743E120]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF743E176]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF743E0CC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF743E0A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF743E0B8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF743E10A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF743E14C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF743E136]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF743E1A0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF743E18C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF743E160]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----

    **********************

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Paul at 13:44:41.39 on Sat 01/29/2011
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.918 [GMT -7:00]

    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    svchost.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Paul\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101107190016.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
    mRun: [AlcxMonitor] ALCXMNTR.EXE
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [jswtrayutil] "c:\program files\netgear\wna1100\jswtrayutil.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna1100\WNA1100.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file://c:\program files\autocad lt 97\AcDcToday.ocx
    DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://c:\program files\autocad lt 97\AcPreview.ocx
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\l2gfcgyw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-19 386840]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-19 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-10-11 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-19 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-19 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-19 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-19 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-19 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-19 141792]
    R2 WSWNA1100;WSWNA1100;c:\program files\netgear\wna1100\WifiSvc.exe [2011-1-22 278528]
    R3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [2011-1-22 1710944]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-19 55840]
    R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2011-1-22 57440]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-19 152960]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-19 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-19 88544]
    S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\netgear\wna1100\jswpsapi.exe [2011-1-22 360529]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-19 52104]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-19 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-19 84264]

    =============== Created Last 30 ================

    2011-01-29 19:14:55 -------- d-----w- C:\Logs 1-29-11
    2011-01-29 15:15:23 388608 ----a-w- c:\temp\HijackThis.exe
    2011-01-23 03:54:43 -------- d-----w- c:\docume~1\paul\applic~1\Malwarebytes
    2011-01-23 03:54:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-23 03:54:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-01-23 03:54:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-23 03:54:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-23 03:52:44 7734208 ----a-w- c:\temp\mbam-setup-1.50.1.1100.exe
    2011-01-23 01:04:17 -------- d-----w- C:\Garmin
    2011-01-23 00:37:45 -------- d--h--r- c:\docume~1\alluse~1\applic~1\Atheros
    2011-01-22 22:52:20 -------- d-----w- c:\program files\D-Link

    ==================== Find3M ====================

    2010-12-28 17:35:35 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-12-28 17:35:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-11-05 05:05:35 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-03 12:59:07 369664 ----a-w- c:\windows\system32\html.iec

    ============= FINISH: 13:45:23.01 ===============

    **********************

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 5/22/2009 8:13:10 AM
    System Uptime: 1/29/2011 1:23:50 PM (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | 'P4SD-LA'
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | CPU 1 | 3000/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 373 GiB total, 342.437 GiB free.
    D: is Removable
    E: is Removable
    F: is Removable
    G: is Removable
    H: is CDROM (UDF)
    I: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP132: 10/31/2010 6:56:49 PM - System Checkpoint
    RP133: 11/3/2010 6:55:14 PM - System Checkpoint
    RP134: 11/4/2010 7:59:00 PM - System Checkpoint
    RP135: 11/7/2010 7:03:05 PM - System Checkpoint
    RP136: 11/14/2010 9:57:22 AM - System Checkpoint
    RP137: 11/20/2010 8:27:47 AM - Software Distribution Service 3.0
    RP138: 11/21/2010 3:44:46 PM - System Checkpoint
    RP139: 12/2/2010 8:56:01 PM - System Checkpoint
    RP140: 12/5/2010 4:36:59 PM - System Checkpoint
    RP141: 12/14/2010 6:27:55 PM - System Checkpoint
    RP142: 12/14/2010 8:48:23 PM - Software Distribution Service 3.0
    RP143: 12/26/2010 1:53:34 PM - System Checkpoint
    RP144: 12/27/2010 2:30:14 PM - System Checkpoint
    RP145: 12/28/2010 3:23:07 PM - System Checkpoint
    RP146: 12/29/2010 3:58:56 PM - System Checkpoint
    RP147: 12/30/2010 4:11:48 PM - System Checkpoint
    RP148: 12/31/2010 5:04:21 PM - System Checkpoint
    RP149: 1/1/2011 10:36:10 AM - Software Distribution Service 3.0
    RP150: 1/2/2011 7:19:01 PM - System Checkpoint
    RP151: 1/6/2011 6:44:32 PM - System Checkpoint
    RP152: 1/6/2011 11:02:09 PM - Software Distribution Service 3.0
    RP153: 1/16/2011 7:41:06 PM - System Checkpoint
    RP154: 1/16/2011 9:05:13 PM - Software Distribution Service 3.0
    RP155: 1/22/2011 3:50:58 PM - Installed AirPlus G
    RP156: 1/22/2011 5:30:14 PM - Configured AirPlus G
    RP157: 1/22/2011 5:35:06 PM - Installed NETGEAR WNA1100 wireless USB 2.0 adapter
    RP158: 1/22/2011 6:04:33 PM - Installed Garmin TOPO U.S. 2008
    RP159: 1/23/2011 6:44:00 PM - System Checkpoint
    RP160: 1/24/2011 8:00:36 PM - System Checkpoint
    RP161: 1/27/2011 10:16:35 PM - System Checkpoint
    RP162: 1/29/2011 9:10:47 AM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Photoshop Elements 2.0
    Adobe Reader 9.4.1
    AnswerWorks Runtime
    AutoCAD LT 2000i
    Garmin TOPO U.S. 2008
    HijackThis 1.99.1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Malwarebytes' Anti-Malware
    McAfee Internet Security
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office XP Standard
    Microsoft Visual C++ 2005 Redistributable
    Microsoft WSE 3.0 Runtime
    Mozilla Firefox (3.6.13)
    NETGEAR WNA1100 wireless USB 2.0 adapter
    Quicken 2007
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2416400)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    The Sims™ 3
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    1/29/2011 12:01:12 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
    1/29/2011 12:01:12 PM, error: Service Control Manager [7031] - The McAfee VirusScan Announcer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/29/2011 12:01:12 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/29/2011 12:01:12 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/29/2011 12:01:12 PM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/29/2011 12:01:12 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/29/2011 12:01:12 PM, error: Service Control Manager [7031] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/29/2011 12:01:11 PM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
    1/29/2011 12:01:11 PM, error: Service Control Manager [7034] - The Atheros Configuration Service service terminated unexpectedly. It has done this 1 time(s).
    1/29/2011 12:01:11 PM, error: Service Control Manager [7031] - The WSWNA1100 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2011 1:20:45 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    1/29/2011 1:19:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/29/2011 1:19:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    1/29/2011 1:19:21 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
    1/22/2011 5:45:42 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
    1/22/2011 5:45:42 PM, error: SideBySide [59] - Generate Activation Context failed for c:\program files\real\realplayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
    1/22/2011 5:45:42 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
    1/22/2011 5:30:32 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file wlanapi.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.

    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the redirect issue- are the PCs networked through a router? I see Netgear and DLink. Although I don't see it here- it would usually shows up in Mbam, there is a malware infection named DNS Changer.

    Although I will need a separate thread for the logs of each of the 3 computers, if they are networked, give this a try:
    You will need to do a DNS Flush, then reset your router.
    First, one the system that has the router hard wired to it, do the following:

    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.-

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [3]. Unplug the router. Wait sixty seconds.
      [4].Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
      [5].With the router unplugged, start your computer.
      [6].Connect to the router again. The turn the router back on.
      [7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

    Check for the redirect on the computer that has the router hard wired to it. Do you still have the redirect?
    =========================================
    We'll go on from there, run additional scans on this PC, PC#1/XP. PC#2/XP will be the other Windows XP machine and PC#3/7 will be the Win 7 machine.

    Looking at the Error Events, it appears that you may not have the McAfee program set up right-Services and Dependencies look like theyre not in sync.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Note: you can uninstall the v1.9.9 version of HijackThis. It is out of date. I will have you run it later and will give link for current version. Also, I noticed you put this version in a temp file:
    2011-01-29 15:15:23 388608 ----a-w- c:\temp\HijackThis.exe
    When I have you download and run it, I will have you put it in it's own directory. HijackThis makes backups and having them in a temp file isn't good.

    I also noticed you put Mbam in a temp file: You download and save to your desktop. There, you Double-click mbam-setup.exe and follow the prompts to install the program. So I shouldn't be seeing this:
    2011-01-23 03:52:44 7734208 ----a-w- c:\temp\mbam-setup-1.50.1.1100.exe
     
  4. XCFW

    XCFW TS Rookie Topic Starter

    Bobbye,

    Thank you for the help. I will copy your question/comment with double parenthesis and will follow with a response.

    ((you can uninstall the v1.9.9 version of HijackThis. ))

    Done


    ((I also noticed you put Mbam in a temp file: You download and save to your desktop. There, you Double-click mbam-setup.exe and follow the prompts to install the program.))

    I uninstalled Mbam and downloaded it to my desktop. I ran the quick scan and have posted the log file at the end of the reply.


    ((are the PCs networked through a router? I see Netgear and DLink. Although I don't see it here- it would usually shows up in Mbam, there is a malware infection named DNS Changer.

    Although I will need a separate thread for the logs of each of the 3 computers, if they are networked, give this a try:
    You will need to do a DNS Flush, then reset your router.))


    ((Check for the redirect on the computer that has the router hard wired to it. Do you still have the redirect?))

    The the 3 PC's access the internet through the router which is connected directly to the cable modem. All 3 PC's connect to the router wirelessly. The PC's are not networked in terms of sharing files. Do you want me to proceed with the DNS flush and router reset?


    ((Looking at the Error Events, it appears that you may not have the McAfee program set up right-Services and Dependencies look like theyre not in sync.))

    I don't understand this comment.

    Can we troubleshoot one computer at a time?



    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5636

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    1/29/2011 6:03:49 PM
    mbam-log-2011-01-29 (18-03-49).txt

    Scan type: Quick scan
    Objects scanned: 129999
    Time elapsed: 3 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, go ahead with the DNS flush and router reset. Since they all connect through the router and all three are being redirected, it's a place to start. Did you by chance use a flash drive to copy files from one computer to the other?
    =======================
    Then you'll set up the 3 threads and put logs for each on their own thread. Nothing is showing up in Mbam. Please be sure to follow the program directions. When it says 'download and save to the desktop, then double click on the setup to run, that's what you do.
    BTW, you don't need to copy my instructions> too much work! Just don't say 'it', so I'll know what is being referred to.
    ==================================
    Look at the end of the DDS Attach.txt log> Event Viewer Messages From Past Week
    Do you see the McAfee entries for 1/29? Examples:
    3. The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    2. The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
    1. The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

    Click on Start> Run> type in services.msc> enter> Double click on each of the Services I underlined above> Check the Dependency tab for each> Make sure the any Service that this Service depends on to run is at least set to Manual or Automatic Startup.
    ==========================================
    So this is PC #1/XP: Please run the following 2 scans:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ==============================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  6. XCFW

    XCFW TS Rookie Topic Starter

    Bobbye,

    I did the DNS flush and the router reset. 2 of the computers have been working fine with no redirects for the last two days. I am having some trouble with the wireless zero configuration on the other computer so I have not been able to test that one.

    My family does have a few flash drives and once in a while they do get used among the different computers.

    Should I just monitor the computers and stop trouble shooting for now?

    Thanks
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    A couple of issues here- if the flush and reset worked, we will need to find the malware that caused the DNS problem. When you told me that "All 3 of my home PCs are having redirect problems" it was a reasonable assumption that the DSN and router settings had been changed. But what I had you do did not remove malware.

    Since the computers aren't networked, it is either a coincidence that all 3 got infected with the same malware separately- although I'm not big on the 'coincidence' thing, it is possible that if all 3 users went to same site with script or opened the same infected email or attachment and got infected, it could happen. But it is more likely that one (or more) of the flash drives is infected and spread the malware when used on the different systems.

    We can disinfect flash drives. But I need to have a better idea of what the malware is, so please go ahead and run the Eset scan and Combofix on PC#1.

    Also, you should be aware of this Error from the Event Viewer:
    1/29/2011 1:19:21 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

    Did you run the chkdsk for this? If not, do this please:
    Click on My Computer> Right click on the Local Drive (C)> Properties> Tools> Click on the Error Check button> Check both boxes on the screen that comes up> OK> Apply> OK> close the message and reboot the computer and let the chkdsk begin. Let it run until complete. It will automatically reboot when finished.

    If this is done as a part of your routine maintenance, it will take less time than if not done at all. But it will take time and must finish.

    NOTE: Don't be tempted to download all the scan on to a flash drive and pass it around to the 3 PCs!
     
  8. XCFW

    XCFW TS Rookie Topic Starter

    Bobbye,

    chkdsk utility Run

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=256d2077b00b784f8753d43e4d0e896e
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-02-05 09:54:01
    # local_time=2011-02-05 02:54:01 (-0700, US Mountain Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16777189 100 75 3644789 26085085 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=40612
    # found=0
    # cleaned=0
    # scan_time=1076


    ComboFix 11-02-05.01 - Paul 02/05/2011 15:31:10.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.821 [GMT -7:00]
    Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-05 to 2011-02-05 )))))))))))))))))))))))))))))))
    .

    2011-02-05 21:28 . 2011-02-05 21:28 -------- d-----w- c:\program files\ESET
    2011-02-01 01:43 . 2011-02-01 01:43 -------- d-----w- c:\documents and settings\Paul\Application Data\VirtualStore
    2011-01-30 14:18 . 2011-01-30 14:18 -------- d-----w- c:\windows\Sun
    2011-01-30 00:59 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-30 00:59 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-29 21:11 . 2011-01-29 21:11 -------- d-----w- c:\program files\Common Files\Java
    2011-01-29 21:11 . 2011-01-29 21:10 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-01-29 21:11 . 2011-01-29 21:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-29 21:11 . 2011-01-29 21:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-29 21:10 . 2011-01-29 21:10 -------- d-----w- c:\program files\Java
    2011-01-29 21:09 . 2011-01-29 21:09 883488 ----a-w- c:\temp\jxpiinstall.exe
    2011-01-29 19:14 . 2011-01-30 01:05 -------- d-----w- C:\Logs 1-29-11
    2011-01-29 15:15 . 2011-01-29 15:15 388608 ----a-w- c:\temp\HijackThis.exe
    2011-01-23 03:54 . 2011-01-23 03:54 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes
    2011-01-23 03:54 . 2011-01-23 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-23 03:54 . 2011-01-30 00:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-23 01:04 . 2011-01-23 01:13 -------- d-----w- C:\Garmin
    2011-01-23 00:37 . 2011-01-23 00:37 -------- d--h--r- c:\documents and settings\All Users\Application Data\Atheros
    2011-01-23 00:34 . 2011-01-23 00:34 -------- d-----w- c:\documents and settings\Paul\Application Data\InstallShield
    2011-01-22 22:52 . 2011-01-22 22:52 -------- d-----w- c:\program files\D-Link
    2011-01-22 22:50 . 2011-01-23 00:30 -------- d-----w- c:\program files\Common Files\InstallShield

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-28 17:35 . 2010-09-27 03:45 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-12-28 17:35 . 2010-09-27 03:45 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-11-18 18:12 . 2009-05-22 15:08 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-10-14 05:28 . 2010-04-20 03:21 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-28 274608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-12 113664]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    NETGEAR WNA1100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA1100\WNA1100.exe [2011-1-22 4562944]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/19/2010 8:21 PM 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/11/2009 3:45 PM 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/19/2010 8:21 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/19/2010 8:21 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/19/2010 8:21 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/19/2010 8:21 PM 141792]
    R2 WSWNA1100;WSWNA1100;c:\program files\NETGEAR\WNA1100\WifiSvc.exe [1/22/2011 5:35 PM 278528]
    R3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [1/22/2011 5:35 PM 1710944]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/19/2010 8:21 PM 55840]
    R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [1/22/2011 5:35 PM 57440]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/19/2010 8:21 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/19/2010 8:21 PM 88544]
    S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\NETGEAR\WNA1100\jswpsapi.exe [1/22/2011 5:35 PM 360529]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/19/2010 8:21 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/19/2010 8:21 PM 84264]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-583907252-682003330-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 18:33]

    2011-02-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-583907252-682003330-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 18:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\l2gfcgyw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
    HKLM-Run-jswtrayutil - c:\program files\NETGEAR\WNA1100\jswtrayutil.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-05 15:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(13228)
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    .
    Completion time: 2011-02-05 15:36:52
    ComboFix-quarantined-files.txt 2011-02-05 22:36

    Pre-Run: 367,294,947,328 bytes free
    Post-Run: 367,277,879,296 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 978581633F4F62E105F32A1CD5AE99EA

    Thanks
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please tell me what problem you're having with. this. Specify if you are referring to the WZCSVC which runs are svchost.exe or the process running as 1xconfig.exe in the TaskManager. I spent weeks chasing down a problem with WZCSVC starting on my laptop and disconnecting me from the internet. I'll spare you what went on in between, but I may have a fix for you. I also have 3 computers connecting through a wireless router hardwired to the desktop which I rarely use. But laptop kept dropping internet connection.
     
  10. XCFW

    XCFW TS Rookie Topic Starter

    The machine which is not connecting to the wireless network is a XP machine. If I look at the status for the connection it says " Windows cannot configure the wireless connection. If you want windows to configure this wireless connection, start the wireless zero configuration (WZC) service.

    In order to start WZC I go the the services window by running %SystemRoot%\system32\services.msc /s. I then go to wireless zero configuration. I check to see that the startup type is set to automatic and I start the service.

    I then go to view the properties for the wireless connection and I see only the general and advanced tab. The wireless networks tab does not show up. On this machine, the XP machine which is connected, the wirless networks tab shows up and that is where I have checked the box next to "Use Windows to configure my wireless network settings"

    I then go back to the services window and see that the WZC service has turned off. The service only stays on for a few minutes.

    The adapter is a D-Link. When I try to run the D-link connection manager it appears that the application is executing but the window never appears. When I look at the processes list I do see that wirelesscm.exe is started by the D-link connection manager icon.

    Thanks
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Try choosing the InterProWireless to connect instead of Windows. Stop the WZCSRV Service.

    Right click on Control Panel> Network Connections> Wireless Connection> there is no 'wireless tab' becuase you're already in the wireless properties.I only have General and Advanced alsp
     
  12. XCFW

    XCFW TS Rookie Topic Starter

    Where do i find the details for InterProWireless? Is this a service like WZCSRV? I did a quick search and I only came up with Intel Pro Wireless.

    Following your steps I also only have the two tabs. The window is labeled "wireless network connection STATUS"

    I get the three tabs if I do the following which brings up the "wireless network connection PROPERTIES" window
    Control Panel> Network Connections>Right click wireless connection>properties
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Control Panel> Network Connections> right click on the Wireless Connection> Properties> General tab> 'Connect using' box s/b/ set to IntelProWireless.

    Intel Pro Wireless is correct. You found the right thing! And I had an extra right click in. I have been having a really tough time with my dyslexia- lots of stress and fatigue. Please accept my apology for careless mistakes- I just don't see them.

    I offered that as a suggestion, hoping it might help you also. That is how my wireless connection is set. Somehow, on my laptop, a service tech set the WZCSRV Service to Automatic. I would connect, then go right down. It took me weeks to find that. I have disabled it many times but it goes back to automatic and when it starts, my connection is broken. I have to go into the Services and Stop it.

    It may not be applicable to you, but I thought I'd suggest it since I had experienced a problem with the same service.
     
  14. XCFW

    XCFW TS Rookie Topic Starter

    Bobbye,

    Both XP machines only have one option here, one being the Netgear wireless adapter and the other the D-link adapter. You must need to have a IntelProWireless adapter installed in order to have this option. I may just replace the problem computer or I start over by reformatting the hard drive. It is an old P4 machine and is the one the kids use the most.


    Have you had a chance to look at the Eset scan and Combofix logs?

    Thanks
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Got sidetracked on the Service! The Eset log is clean and there are only 2 entries to remove form Combofix.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
    Code:
    File::
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Are you still getting redirects on this machine? Please run the following as one last check for bad entries:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    What worked for me with WZCSRV, might not be appropriate for your machine. I just thought it was worth mentioning since it took me a while to find the problem and know what to do about it.
     
  16. XCFW

    XCFW TS Rookie Topic Starter

    Bobbye,

    Here are the logs you requested. The browser has not redirected since you had me do the DNS flush and router reset.

    ComboFix 11-02-09.03 - Paul 02/09/2011 21:24:36.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.941 [GMT -7:00]
    Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Paul\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-10 to 2011-02-10 )))))))))))))))))))))))))))))))
    .

    2011-02-05 21:28 . 2011-02-05 21:28 -------- d-----w- c:\program files\ESET
    2011-02-01 01:43 . 2011-02-01 01:43 -------- d-----w- c:\documents and settings\Paul\Application Data\VirtualStore
    2011-01-30 14:18 . 2011-01-30 14:18 -------- d-----w- c:\windows\Sun
    2011-01-30 00:59 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-30 00:59 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-29 21:11 . 2011-01-29 21:11 -------- d-----w- c:\program files\Common Files\Java
    2011-01-29 21:11 . 2011-01-29 21:10 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-01-29 21:11 . 2011-01-29 21:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-29 21:11 . 2011-01-29 21:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-29 21:10 . 2011-01-29 21:10 -------- d-----w- c:\program files\Java
    2011-01-29 21:09 . 2011-01-29 21:09 883488 ----a-w- c:\temp\jxpiinstall.exe
    2011-01-29 19:14 . 2011-02-05 22:44 -------- d-----w- C:\Logs 1-29-11
    2011-01-29 15:15 . 2011-01-29 15:15 388608 ----a-w- c:\temp\HijackThis.exe
    2011-01-23 03:54 . 2011-01-23 03:54 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes
    2011-01-23 03:54 . 2011-01-23 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-23 03:54 . 2011-01-30 00:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-23 01:04 . 2011-01-23 01:13 -------- d-----w- C:\Garmin
    2011-01-23 00:37 . 2011-01-23 00:37 -------- d--h--r- c:\documents and settings\All Users\Application Data\Atheros
    2011-01-23 00:34 . 2011-01-23 00:34 -------- d-----w- c:\documents and settings\Paul\Application Data\InstallShield
    2011-01-22 22:52 . 2011-01-22 22:52 -------- d-----w- c:\program files\D-Link
    2011-01-22 22:50 . 2011-01-23 00:30 -------- d-----w- c:\program files\Common Files\InstallShield
    2011-01-21 14:44 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 17:35 . 2010-09-27 03:45 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-12-28 17:35 . 2010-09-27 03:45 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 22:15 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 22:15 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-12-20 22:15 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 15:30 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2004-08-04 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-11-18 18:12 . 2009-05-22 15:08 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-10-14 05:28 . 2010-04-20 03:21 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-02-05_22.35.08 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-10 04:07 . 2011-02-10 04:07 16384 c:\windows\Temp\Perflib_Perfdata_558.dat
    + 2009-05-22 15:34 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
    - 2009-05-22 15:34 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
    + 2009-02-20 08:10 . 2010-12-20 22:15 81920 c:\windows\system32\dllcache\ieencode.dll
    - 2009-02-20 08:10 . 2010-11-05 05:05 81920 c:\windows\system32\dllcache\ieencode.dll
    - 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
    + 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
    + 2011-02-06 00:09 . 2011-02-10 02:57 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-05-22 15:14 . 2011-02-10 02:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-05-22 15:14 . 2011-02-05 19:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2011-02-06 00:09 . 2011-02-10 02:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-05-22 15:14 . 2011-02-05 19:25 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2004-08-04 12:00 . 2010-11-05 05:05 629760 c:\windows\system32\urlmon.dll
    + 2004-08-04 12:00 . 2010-12-20 22:15 629760 c:\windows\system32\urlmon.dll
    - 2004-08-04 12:00 . 2010-11-05 05:05 532480 c:\windows\system32\mstime.dll
    + 2004-08-04 12:00 . 2010-12-20 22:15 532480 c:\windows\system32\mstime.dll
    + 2004-08-04 12:00 . 2010-12-20 22:15 449024 c:\windows\system32\mshtmled.dll
    - 2004-08-04 12:00 . 2010-11-05 05:05 449024 c:\windows\system32\mshtmled.dll
    + 2004-08-04 12:00 . 2010-12-20 22:15 251904 c:\windows\system32\iepeers.dll
    - 2004-08-04 12:00 . 2010-11-05 05:05 251904 c:\windows\system32\iepeers.dll
    - 2009-05-21 17:25 . 2010-12-20 04:16 198552 c:\windows\system32\FNTCACHE.DAT
    + 2009-05-21 17:25 . 2011-02-10 04:07 198552 c:\windows\system32\FNTCACHE.DAT
    - 2009-02-20 08:10 . 2010-11-05 05:05 667136 c:\windows\system32\dllcache\wininet.dll
    + 2009-02-20 08:10 . 2010-12-20 22:15 667136 c:\windows\system32\dllcache\wininet.dll
    + 2009-02-20 08:10 . 2010-12-20 22:15 629760 c:\windows\system32\dllcache\urlmon.dll
    - 2009-02-20 08:10 . 2010-11-05 05:05 629760 c:\windows\system32\dllcache\urlmon.dll
    + 2009-05-22 15:50 . 2010-12-09 15:15 718336 c:\windows\system32\dllcache\ntdll.dll
    - 2010-11-05 05:05 . 2010-11-05 05:05 532480 c:\windows\system32\dllcache\mstime.dll
    + 2010-11-05 05:05 . 2010-12-20 22:15 532480 c:\windows\system32\dllcache\mstime.dll
    + 2010-09-09 14:16 . 2010-12-20 22:15 449024 c:\windows\system32\dllcache\mshtmled.dll
    - 2010-09-09 14:16 . 2010-11-05 05:05 449024 c:\windows\system32\dllcache\mshtmled.dll
    + 2009-05-22 15:50 . 2010-12-20 17:26 730112 c:\windows\system32\dllcache\lsasrv.dll
    - 2009-05-22 15:50 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
    + 2009-06-25 08:25 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll
    - 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
    - 2010-02-26 05:43 . 2010-11-05 05:05 251904 c:\windows\system32\dllcache\iepeers.dll
    + 2010-02-26 05:43 . 2010-12-20 22:15 251904 c:\windows\system32\dllcache\iepeers.dll
    + 2010-04-20 05:30 . 2011-01-07 14:09 290048 c:\windows\system32\dllcache\atmfd.dll
    - 2010-04-20 05:30 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
    - 2004-08-04 12:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
    + 2004-08-04 12:00 . 2011-01-21 14:44 8462336 c:\windows\system32\shell32.dll
    + 2004-08-04 12:00 . 2010-12-20 22:15 1510400 c:\windows\system32\shdocvw.dll
    - 2004-08-04 12:00 . 2010-11-05 05:05 1510400 c:\windows\system32\shdocvw.dll
    + 2004-08-04 12:00 . 2010-12-20 22:15 3078144 c:\windows\system32\mshtml.dll
    + 2009-02-09 11:13 . 2010-12-31 13:10 1854976 c:\windows\system32\dllcache\win32k.sys
    + 2008-06-17 19:02 . 2011-01-21 14:44 8462336 c:\windows\system32\dllcache\shell32.dll
    - 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
    - 2009-03-02 23:04 . 2010-11-05 05:05 1510400 c:\windows\system32\dllcache\shdocvw.dll
    + 2009-03-02 23:04 . 2010-12-20 22:15 1510400 c:\windows\system32\dllcache\shdocvw.dll
    + 2009-05-22 15:50 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
    + 2009-05-22 15:50 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
    + 2009-02-08 02:02 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
    + 2009-05-22 15:50 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
    + 2009-02-20 08:11 . 2010-12-20 22:15 3078144 c:\windows\system32\dllcache\mshtml.dll
    + 2010-03-10 04:33 . 2010-12-20 22:15 1025024 c:\windows\system32\dllcache\browseui.dll
    - 2010-03-10 04:33 . 2010-11-05 05:05 1025024 c:\windows\system32\dllcache\browseui.dll
    + 2004-08-04 12:00 . 2010-12-20 22:15 1025024 c:\windows\system32\browseui.dll
    - 2004-08-04 12:00 . 2010-11-05 05:05 1025024 c:\windows\system32\browseui.dll
    + 2009-05-22 15:50 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2009-05-22 15:50 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
    + 2009-02-08 02:02 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2009-05-22 15:50 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-28 274608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-12 113664]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    NETGEAR WNA1100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA1100\WNA1100.exe [2011-1-22 4562944]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/19/2010 8:21 PM 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/11/2009 3:45 PM 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/19/2010 8:21 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/19/2010 8:21 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/19/2010 8:21 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/19/2010 8:21 PM 141792]
    R2 WSWNA1100;WSWNA1100;c:\program files\NETGEAR\WNA1100\WifiSvc.exe [1/22/2011 5:35 PM 278528]
    R3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [1/22/2011 5:35 PM 1710944]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/19/2010 8:21 PM 55840]
    R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [1/22/2011 5:35 PM 57440]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/19/2010 8:21 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/19/2010 8:21 PM 88544]
    S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\NETGEAR\WNA1100\jswpsapi.exe [1/22/2011 5:35 PM 360529]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/19/2010 8:21 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/19/2010 8:21 PM 84264]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-583907252-682003330-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 18:33]

    2011-02-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-583907252-682003330-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 18:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\l2gfcgyw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-09 21:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3952)
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    .
    Completion time: 2011-02-09 21:30:36
    ComboFix-quarantined-files.txt 2011-02-10 04:30
    ComboFix2.txt 2011-02-05 22:36

    Pre-Run: 366,941,634,560 bytes free
    Post-Run: 366,923,726,848 bytes free

    - - End Of File - - 20DC54471E4546010A4A145A9DCF747B


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:37:13 PM, on 2/9/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101107190016.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WNA1100 Smart Wizard.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 97\AcDcToday.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 97\AcPreview.ocx
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: WSWNA1100 - Unknown owner - C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe

    --
    End of file - 6974 bytes

    Thanks for all the help
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Looking good! I don't see any signs of malware. I did note there are several auto-updates running> Java, Adobe< RealPlayer, for instance. You might consider taking these off of Startup. Do you really want multiple programs accessing the internet from your computer, several times a day, looking for update that might only come every few months?

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    Let me know if you have any more questions.
     
  18. XCFW

    XCFW TS Rookie Topic Starter

    Bobbye,

    Thank you very much for the help!

    XCFW
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome! Leaving some tips to help with security, then closing thread.
    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software(only one):Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. this replaces IE/Spyad and manages the Zones in Internet explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is not longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is Up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroys Immunization the problem goes away...
      [o]Replace the Host Files
      MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...