TechSpot

Search engine results redirect to unwanted sites when clicked on..

By hostile17
Nov 29, 2010
  1. ...to places like bwlyli.net and other search sites. Please help.

    Here are 8-step logs as requested:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5213

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/29/2010 2:30:54 AM
    mbam-log-2010-11-29 (02-30-54).txt

    Scan type: Quick scan
    Objects scanned: 135265
    Time elapsed: 6 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-11-29 02:46:53
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Steven\LOCALS~1\Temp\kxayypod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    ---- EOF - GMER 1.0.15 ----




    DDS (Ver_10-11-27.01) - NTFSx86
    Run by Steven at 2:48:14.46 on Mon 11/29/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.640 [GMT -8:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Documents and Settings\Steven\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290949892671
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    LSA: Notification Packages = scecli
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
    FF - plugin: c:\documents and settings\steven\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\steven\application data\mozilla\firefox\profiles\kn5tze51.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\documents and settings\steven\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: TVU Web Player: firefox@tvunetworks.com - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\firefox@tvunetworks.com
    FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.cache.memory.capacity - 16000
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.max.tokenizing.time - 3000000
    FF - user.js: content.maxtextrun - 4095
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 1000000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 1000000
    FF - user.js: dom.disable_window_status_change - true
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 1000
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

    ============= SERVICES / DRIVERS ===============

    R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-17 28552]
    R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-9-17 3968]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-13 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-13 74480]
    R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\b.tmp --> c:\windows\system32\B.tmp [?]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-13 7408]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-6-27 312152]

    =============== Created Last 30 ================

    2010-11-29 08:58:26 -------- d-----w- c:\windows\system32\NtmsData
    2010-11-29 08:56:41 -------- d-----w- c:\docume~1\steven\applic~1\Avira
    2010-11-28 13:02:12 -------- d-----w- c:\windows\system32\CatRoot2
    2010-11-28 12:52:47 -------- d-----w- c:\program files\ProcessExplorer
    2010-11-28 12:27:19 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2010-11-28 02:10:38 83968 --sha-r- c:\windows\system32\netstat4.dll
    2010-11-26 12:23:39 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2010-11-26 12:23:38 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-11-26 12:17:02 222080 ------w- c:\windows\system32\MpSigStub.exe

    ==================== Find3M ====================

    2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-18 02:36:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-18 02:36:50 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 2:49:03.06 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-27.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/13/2009 4:50:11 AM
    System Uptime: 11/29/2010 2:43:17 AM (0 hours ago)

    Motherboard: ASUSTek Computer INC. | | Amberine M
    Processor: AMD Sempron(tm) Processor 3400+ | Socket 939 | 1989/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 186 GiB total, 111.189 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 11/27/2010 7:16:31 PM - System Checkpoint
    RP2: 11/28/2010 12:32:06 AM - Revo Uninstaller's restore point - Microsoft Security Essentials
    RP3: 11/28/2010 12:44:24 AM - Revo Uninstaller's restore point - Microsoft Security Essentials
    RP4: 11/28/2010 4:27:15 AM - Software Distribution Service 3.0
    RP5: 11/28/2010 4:34:20 AM - Software Distribution Service 3.0
    RP6: 11/28/2010 4:36:40 AM - Software Distribution Service 3.0
    RP7: 11/28/2010 6:20:52 PM - Restore Operation
    RP8: 11/29/2010 2:40:23 AM - Revo Uninstaller's restore point - Avira AntiVir Personal - Free Antivirus
    RP9: 11/29/2010 2:41:43 AM - Revo Uninstaller's restore point - Avira AntiVir Personal - Free Antivirus

    ==== Installed Programs ======================

    Acez All Audio Converter v3.0
    Across Lite
    Adobe AIR
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.0
    Adobe Shockwave Player 11.5
    Advanced SystemCare 3
    Apple Application Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Audacity 1.2.6
    AVG Anti-Rootkit Free
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon MP Navigator EX 1.1
    Canon MX850 series
    Canon MX850 series User Registration
    Canon My Printer
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities Solution Menu
    CCleaner
    Chinese (Simplified) Language Support
    Combined Community Codec Pack 2008-09-21 16:18
    Compatibility Pack for the 2007 Office system
    Crossword Compiler 8 Demo
    Data Fax SoftModem with SmartCP
    EasyCleaner
    EclipseCrossword
    Eraser 5.8.7
    Eusing Free Registry Cleaner
    Express Rip
    Facebook Plug-In
    Free Video Joiner 1.1
    GoToMeeting/GoToWebinar 3.0.0.198
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    IObit Security 360
    Java Auto Updater
    Java(TM) 6 Update 21
    JDownloader
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Word Viewer 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works 2000
    MixPad Audio Mixer
    Mozilla Firefox (3.6.4)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OpenOffice.org 3.1
    Presto! PageManager 7.15.20
    QuickTime
    Rand McNally Route Planner
    Realtek AC'97 Audio
    Recipe4win
    Recuva (remove only)
    Revo Uninstaller 1.90
    ScanSoft OmniPage SE 4
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB923789)
    Slice Audio File Splitter
    Smart Math Calculator 2.2
    Sophos Anti-Rootkit 1.5.4
    SpywareBlaster 4.4
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB978506)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB982632)
    VC 9.0 Runtime
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.1.4
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Management Framework Core
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    WinPatrol
    WinRAR archiver
    Yahoo! BrowserPlus 2.9.8
    Yahoo! Messenger

    ==== Event Viewer Messages From Past Week ========

    11/29/2010 2:43:41 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0015F2A0150F has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    11/29/2010 12:48:18 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    11/29/2010 12:48:18 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Steven\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    11/29/2010 12:48:18 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    11/28/2010 5:07:55 AM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Steven.
    11/28/2010 5:07:49 AM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    11/26/2010 7:06:54 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.

    ==== End Of File ===========================
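    As an added example (not code from this thread, from the DDS tool, or from TechSpot), here is a small Python triage helper for the kind of DDS output posted above. It parses the "Created Last 30" / "Find3M" file-listing lines (timestamp, size, attribute column, path) and the "Hosts:" lines from the pseudo-HJT section, and returns review prompts a helper can look at first. The decoding of the attribute columns is my reading of the examples in the posted log, not a documented format; the two heuristics are assumptions of mine and produce prompts for review, not verdicts; the thread itself draws no conclusion about any of these entries. The sample input is constructed from lines in the log above.

```python
"""Triage helper for DDS file listings and Hosts: lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the DDS log in the post above
# (one "Hosts:" line, one section header, five file-listing lines).
SAMPLE_DDS_TEXT = r"""
Hosts: 127.0.0.1 www.spywareinfo.com
=============== Created Last 30 ================
2010-11-29 08:58:26 -------- d-----w- c:\windows\system32\NtmsData
2010-11-28 02:10:38 83968 --sha-r- c:\windows\system32\netstat4.dll
2010-11-26 12:23:38 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-26 12:17:02 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
"""

# date  time  size-or-8-dashes  8-char-attributes  path (path may contain spaces)
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)\s*$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class DdsEntry:
    timestamp: str
    size: Optional[int]  # None when the size column is "--------" (a directory)
    attrs: str
    path: str

    # Attribute columns as read from the log's own examples (assumption):
    # col 0 'd' directory, col 2 's' system, col 3 'h' hidden,
    # col 4 'a' archive, col 6 'r' read-only / 'w' writable.
    @property
    def directory(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def archive(self) -> bool:
        return self.attrs[4] == "a"

    @property
    def readonly(self) -> bool:
        return self.attrs[6] == "r"


def parse_dds_line(line: str) -> Optional[DdsEntry]:
    """Parse one file-listing line; headers, blanks and other lines give None."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return DdsEntry(
        timestamp=f"{m.group('date')} {m.group('time')}",
        size=None if size.startswith("-") else int(size),
        attrs=m.group("attrs"),
        path=m.group("path"),
    )


def parse_dds_report(text: str) -> List[DdsEntry]:
    """All file-listing entries in a block of DDS output, in log order."""
    return [e for e in map(parse_dds_line, text.splitlines()) if e is not None]


def review_reasons(e: DdsEntry) -> List[str]:
    """Heuristic review prompts (my assumptions, not verdicts) for one entry."""
    reasons = []
    if not e.directory and e.hidden and e.system:
        # Regular files rarely carry both hidden and system; worth a second look.
        reasons.append("regular file carries hidden+system attributes")
    if not e.directory and e.path.lower().startswith(SYSTEM32) and e.readonly:
        reasons.append("read-only file newly written under system32")
    return reasons


def triage(text: str) -> List[Tuple[DdsEntry, List[str]]]:
    """(entry, reasons) for every entry with at least one reason, newest first."""
    flagged = [(e, review_reasons(e)) for e in parse_dds_report(text)]
    flagged = [(e, r) for e, r in flagged if r]
    flagged.sort(key=lambda er: er[0].timestamp, reverse=True)
    return flagged


def hosts_overrides(text: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs from 'Hosts:' lines: each pins a name to an address,
    bypassing DNS, so a helper confirms with the user whether it was intended."""
    found = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            found.append((m.group("ip"), m.group("host")))
    return found


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_DDS_TEXT):
        print(entry.timestamp, entry.path, "->", "; ".join(reasons))
    for ip, host in hosts_overrides(SAMPLE_DDS_TEXT):
        print("hosts override:", host, "->", ip)
```

    Run it against a saved DDS.txt by reading the file into `triage()` and `hosts_overrides()`; on the sample above it lists the one hidden+system, read-only file under system32 and the single hosts-file override, which is exactly the handful of lines a helper would ask about before anything else.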
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the problem. But the first order of business is an antivirus program. I see 2 restore points were set for Avira, but I don't see it listed as installed, nor are there any processes for it running. Please handle that first and get an AV program running. Be sure to reboot the computer after installing the AV.

    Please disable the following while I am working with you, as they could affect the scans:
    1. AVG Anti Rootkit
    2. Eusing Free Registry Cleaner
    3. Sophos Anti-Rootkit 1.5.4

    I recommend you uninstall the following:
    The Eusing Free Registry Cleaner: Most of us don't recommend using a registry cleaner.
    IObit Security 360: Neither the program nor the site for download is recommended. Better off the computer. I'll have you do a security search later and we'll see what's lacking. But the AV needs to be done now.
    =================================
    Important: For Notepad: when you open Notepad for a log, first click on Format > Uncheck 'Word Wrap'.

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ============================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query - Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ====================================
    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. hostile17

    hostile17 TS Rookie Topic Starter

    Thanks for response.

    I cannot Uncheck 'Word Wrap' because it is not checked in the first place. Though, for some reason, ALL of my text documents, both new and old, started appearing in italicized text a few days ago without any direct action from me. Is this a possible symptom of an infection? All I can do is click 'Font' and select 'Regular'.
    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ba10ddc74576dd488496cc56a33d4d6a
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=false
    # utc_time=2010-11-30 12:43:22
    # local_time=2010-11-29 04:43:22 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 5262449 5262449 0 0
    # compatibility_mode=1797 16775145 100 93 0 27489422 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=81598
    # found=0
    # cleaned=0
    # scan_time=2534
    ComboFix 10-11-29.03 - Steven 11/29/2010 16:56:44.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.556 [GMT -8:00]
    Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))
    .

    2010-11-29 23:40 . 2010-08-03 00:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-29 23:40 . 2010-08-03 00:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-29 23:40 . 2010-06-17 23:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-11-29 23:40 . 2010-11-29 23:40 -------- d-----w- c:\program files\Avira
    2010-11-29 23:40 . 2010-11-29 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-11-29 23:40 . 2010-06-17 23:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-11-29 10:58 . 2010-11-29 10:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-29 08:58 . 2010-11-29 10:13 -------- d-----w- c:\windows\system32\NtmsData
    2010-11-29 08:56 . 2010-11-29 08:56 -------- d-----w- c:\documents and settings\Steven\Application Data\Avira
    2010-11-28 13:02 . 2010-11-30 01:03 -------- d-----w- c:\windows\system32\CatRoot2
    2010-11-28 12:52 . 2010-11-28 12:52 -------- d-----w- c:\program files\ProcessExplorer
    2010-11-28 12:27 . 2010-11-28 12:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2010-11-28 02:10 . 2010-11-28 02:10 83968 --sha-r- c:\windows\system32\netstat4.dll
    2010-11-26 12:23 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-11-26 12:17 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-11-21 12:24 . 2010-11-21 12:24 -------- d-----w- c:\documents and settings\Steven\Application Data\vlc
    2010-11-10 20:49 . 2010-11-10 20:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 20:49 . 2010-11-10 20:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-29 10:58 . 2010-09-18 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-18 19:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-16 22:28 . 2010-09-16 22:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2009-11-08 00:00 . 2009-11-08 00:00 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2009-11-08 00:00 . 2009-11-08 00:00 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2009-11-08 00:00 . 2009-11-08 00:00 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoPopUpsOnBoot"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ATI Smart"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "Lavasoft Ad-Aware Service"=2 (0x2)
    "VSSERV"=2 (0x2)
    "LIVESRV"=2 (0x2)
    "idsvc"=3 (0x3)
    "JavaQuickStarterService"=2 (0x2)
    "ose"=3 (0x3)
    "TMWebProtect"=2 (0x2)
    "TmProxy"=2 (0x2)
    "MatSvc"=3 (0x3)
    "IS360service"=2 (0x2)
    "sp_rssrv"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2010 10:49 AM 28552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/13/2009 10:41 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2009 10:41 AM 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/29/2010 3:40 PM 135336]
    R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 4:00 AM 14336]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/13/2009 10:41 AM 7408]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
    FF - plugin: c:\documents and settings\Steven\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\documents and settings\Steven\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\NOS\bin\np_gp.dll
    FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: TVU Web Player: firefox@tvunetworks.com - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\firefox@tvunetworks.com
    FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.cache.memory.capacity - 16000
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.max.tokenizing.time - 3000000
    FF - user.js: content.maxtextrun - 4095
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 1000000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 1000000
    FF - user.js: dom.disable_window_status_change - true
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 1000
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-29 17:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\B.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(768)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(2016)
    c:\windows\system32\WININET.dll
    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\NOTEPAD.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-11-29 17:08:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-30 01:08

    Pre-Run: 118,391,615,488 bytes free
    Post-Run: 118,272,585,728 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 5A3DD10E063274FCF388AEE1EE805A61



    Thanks agian.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.

    Code:
    File::
    c:\windows\system32\B.tmp
    c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    
    Driver::
    MEMSWEEP2
    Lavasoft Kernexplorer
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
Uninstall Java v6u16 and v6u21. Update to v6u22: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

The font change could be due to a corrupt file; right now, the system is looking pretty good. The Eset scan was clean.
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
• The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
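The CFScript above deletes two service entries (MEMSWEEP2 and Lavasoft Kernexplorer) whose image files ComboFix marked `[?]`, that is, not found on disk, one of them registered from `c:\windows\system32\B.tmp`. The following Python is an added example for this thread, not ComboFix's or the helper's own code: it parses ComboFix's `R0`/`S3` driver and service lines and flags entries whose file is missing or whose driver is registered from a short hex-named `.tmp` file, reproducing the triage behind that script. The two heuristics and the reading of `[?]` as "file not found" are assumptions of this example; the sample lines are copied from the log earlier in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One ComboFix driver/service line looks like (both copied from the log above):
#   R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2010 10:49 AM 28552]
#   S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
# i.e. <start type> <service name>;<display name>;<image path> [<file date and size> | ?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+"            # R = running, S = stopped, digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Heuristic assumed for this example: a driver registered from a short hex-named
# .tmp file (B.tmp, 1A.tmp, ...) is worth a second look, whatever dropped it.
TEMP_IMAGE_RE = re.compile(r"^[0-9a-f]{1,8}\.tmp$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image: str
    file_found: bool
    flags: List[str]


def _basename(path: str) -> str:
    # Handles both "c:\dir\file.sys" and "c:\dir\svchost.exe -k group" style images.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower().split(" ")[0]


def triage_flags(image: str, file_found: bool) -> List[str]:
    """Triage heuristics assumed for this example, not ComboFix's own logic."""
    flags = []
    if not file_found:
        # The registry still points at a driver/service whose file is gone: an
        # orphan that should be reviewed and is usually removed, as the CFScript does.
        flags.append("file-missing")
    if TEMP_IMAGE_RE.match(_basename(image)):
        flags.append("temp-named-image")
    return flags


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a ComboFix service line, or None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image")
    if "-->" in image:                     # "\??\path --> path": keep the resolved Win32 path
        image = image.split("-->", 1)[1].strip()
    file_found = m.group("meta").strip() != "?"   # "[?]": ComboFix could not find the file
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                        image, file_found, triage_flags(image, file_found))


def triage_log(text: str) -> List[ServiceEntry]:
    """Parse every line of a ComboFix log and keep only the entries that raised a flag."""
    entries = (parse_service_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None and e.flags]


# Constructed sample: four service lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2010 10:49 AM 28552]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 4:00 AM 14336]
"""

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(f"{entry.state} {entry.name}: {entry.image} -> {', '.join(entry.flags)}")
```

Run as a script it lists only the two orphaned entries, which is exactly the pair the CFScript's `Driver::` section removes; the running `pavboot` driver and the `svchost`-hosted helper pass clean. The flags are a review aid, not a verdict: a missing file is often just the residue of an uninstalled tool, as it was here.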
     
  5. hostile17

    hostile17 TS Rookie Topic Starter

    I unchecked 'AntiVir Guard enable' and combofix said Avira was still active. Using msconfig, I unchecked all Avira related boxes and restarted the computer. Combofix still detected Avira as running, so I uninstalled Avira altogether. I re-installed Avira after combofix did its business and before running hijackthis.

    Each time I open notepad, 'word wrap' is never checked, so I cannot uncheck it unless I first check it. Are these logs I am posting reflecting that, or something, and is it detrimental?


    ComboFix 10-12-01.01 - Steven 12/01/2010 23:44:03.6.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.656 [GMT -8:00]
    Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Steven\Desktop\CFScript.txt

    FILE ::
    "c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys"
    "c:\windows\system32\B.tmp"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_LAVASOFT_KERNEXPLORER
    -------\Legacy_MEMSWEEP2
    -------\Service_Lavasoft Kernexplorer
    -------\Service_MEMSWEEP2


    ((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
    .

    2010-11-30 10:02 . 2010-11-30 10:02 -------- d-----w- c:\documents and settings\Steven\Local Settings\Application Data\Temp
    2010-11-29 10:58 . 2010-11-29 10:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-29 08:58 . 2010-11-29 10:13 -------- d-----w- c:\windows\system32\NtmsData
    2010-11-29 08:56 . 2010-11-29 08:56 -------- d-----w- c:\docume~1\Steven\APPLIC~1\Avira
    2010-11-28 13:02 . 2010-12-02 07:43 -------- d-----w- c:\windows\system32\CatRoot2
    2010-11-28 12:52 . 2010-11-28 12:52 -------- d-----w- c:\program files\ProcessExplorer
    2010-11-28 12:27 . 2010-11-28 12:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2010-11-28 02:10 . 2010-11-28 02:10 83968 --sha-r- c:\windows\system32\netstat4.dll
    2010-11-26 12:23 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-11-26 12:17 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-11-21 12:24 . 2010-11-21 12:24 -------- d-----w- c:\docume~1\Steven\APPLIC~1\vlc
    2010-11-10 20:49 . 2010-11-10 20:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-10 20:49 . 2010-11-10 20:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-29 10:58 . 2010-09-18 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-18 19:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-16 22:28 . 2010-09-16 22:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2009-11-08 00:00 . 2009-11-08 00:00 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2009-11-08 00:00 . 2009-11-08 00:00 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2009-11-08 00:00 . 2009-11-08 00:00 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoPopUpsOnBoot"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
    2010-05-31 11:18 323976 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ATI Smart"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "Lavasoft Ad-Aware Service"=2 (0x2)
    "VSSERV"=2 (0x2)
    "LIVESRV"=2 (0x2)
    "idsvc"=3 (0x3)
    "JavaQuickStarterService"=2 (0x2)
    "ose"=3 (0x3)
    "TMWebProtect"=2 (0x2)
    "TmProxy"=2 (0x2)
    "MatSvc"=3 (0x3)
    "IS360service"=2 (0x2)
    "sp_rssrv"=2 (0x2)
    "AntiVirService"=2 (0x2)
    "AntiVirSchedulerService"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2010 10:49 AM 28552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/13/2009 10:41 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2009 10:41 AM 74480]
    R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 4:00 AM 14336]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/13/2009 10:41 AM 7408]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    FF - ProfilePath - c:\docume~1\Steven\APPLIC~1\Mozilla\Firefox\Profiles\kn5tze51.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
    FF - plugin: c:\documents and settings\Steven\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\documents and settings\Steven\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\NOS\bin\np_gp.dll
    FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\Steven\APPLIC~1\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: TVU Web Player: firefox@tvunetworks.com - c:\docume~1\Steven\APPLIC~1\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\firefox@tvunetworks.com
    FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\Steven\APPLIC~1\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.cache.memory.capacity - 16000
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.max.tokenizing.time - 3000000
    FF - user.js: content.maxtextrun - 4095
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 1000000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 1000000
    FF - user.js: dom.disable_window_status_change - true
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 1000
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-01 23:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(768)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(236)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-01 23:53:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-02 07:53

    Pre-Run: 121,522,372,608 bytes free
    Post-Run: 121,511,591,936 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - C607CCF1719DE01102E83DB71F53EEAB




    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:08:33 AM, on 12/2/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290949892671
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

    --
    End of file - 2418 bytes
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You can delete these as they will be older versions:
    2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

    How is the system working now? Any redirects? The logs look good.
Did you use Group Policy for:
    "AntiVirusDisableNotify"
    "UpdatesDisableNotify"

    If not, I can change them so let me know.

Only 2 entries need removal in HJT:
    Please reopen to 'do system scan only.' Check the following entries if present:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    Close all Windows except HijackThis and click on "Fix Checked."

    The HJT log looks to be on the short side to me. There are no Browser Helper Objects (BHO) or no Toolbars. This is unusual especially noticing all you have set to start on boot.
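The two values Bobbye asks about, `"AntiVirusDisableNotify"` and `"UpdatesDisableNotify"` set to 1 under the Security Center key in the ComboFix log, switch off the Windows XP Security Center warnings for missing antivirus and disabled updates (the third such switch is `FirewallDisableNotify`). They are worth checking because a user can set them from Security Center, as happened here, but they are also a classic setting to find tampered with after an infection. The following Python is an added example, not code from the thread or from ComboFix: it parses the REGEDIT4-style "Reg Loading Points" section of the log and reports which notifications have been suppressed. The sample text is copied from the log in this thread.

```python
import re
from typing import Dict, List

# Constructed sample: two registry sections copied from the ComboFix log in this thread,
# in the REGEDIT4-style layout ComboFix prints them in.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
# The three XP Security Center switches; value 1 suppresses the corresponding warning.
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "Name"=dword:00000001   (regedit export style)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<hex>[0-9a-fA-F]{8})\s*$')
# "Name"= 1 (0x1)         (ComboFix's decimal-with-hex style)
PLAIN_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)\s*$')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, int]]:
    """Parse [key] headers and numeric "name"=value lines into {key: {name: int}}."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()   # registry key names are case-insensitive
            sections.setdefault(current, {})
            continue
        if current is None:
            continue                           # text before the first [key] header
        m = DWORD_RE.match(line) or PLAIN_RE.match(line)
        if m:
            gd = m.groupdict()
            value = int(gd["hex"], 16) if gd.get("hex") else int(gd["dec"])
            sections[current][gd["name"]] = value
    return sections


def suppressed_notifications(sections: Dict[str, Dict[str, int]]) -> List[str]:
    """Names of the Security Center warnings that have been switched off (value 1)."""
    sc = sections.get(SECURITY_CENTER_KEY, {})
    return [name for name in NOTIFY_VALUES if sc.get(name, 0) == 1]


if __name__ == "__main__":
    for name in suppressed_notifications(parse_reg_dump(SAMPLE_REG)):
        print(f"Security Center warning disabled: {name}")
```

On the sample it reports the antivirus and updates warnings as disabled and says nothing about the firewall one, matching the log; a value that is absent is treated as 0, that is, warnings on, which is the Windows default.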
     
  7. hostile17

    hostile17 TS Rookie Topic Starter

    message deleted by author
     
  8. hostile17

    hostile17 TS Rookie Topic Starter

    There don't seem to be any redirects at this time, so, thanks for that!

    I am not familiar with 'Group Policy'. I changed the settings manually, using
    Windows Security Center. I have all three set back to 'Notify' now.

    I don't know what to say about the lack of BHOs, but I do try to steer clear of
    toolbars whenever possible.

On a side note, I have noticed many users in this forum with the same redirection issues that I experienced. Is this less of a 'virus' issue and more of a 'rootkit' issue? Or is there not really a difference? Am I wrong in stating that, while many security apps block viruses, it seems that things like rootkits or other 'hidden objects' seem to be getting through? I'd really like to know which free programs are best suited for blocking potential threats of all types. Especially the ones that seem to elude the scanners of programs like Malwarebytes, SpyBot etc. after you've been infected by them.

    Also, what shall I do with combofix and the C:\Qoobox folder?

    Thanks Again.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Many malware infections cause searches to be redirected. Some are rootkits, others are not. That's why the name "redirect virus" is wrong. There are also different types of redirects and ways of redirecting. This is a good reason why we discourage others from following malware cleaning help given to someone else. It has to be specific for what is happening to that user and what is the cause.

I am still concerned about how sparse the HijackThis log is. I don't even see what would be considered 'normal' entries. Maybe I'm so used to seeing logs full of things that aren't needed that I don't recognize a log from a clean, lean system!

    Considerations:
1. I would encourage you to remove this: IObit Security 360:
    Review from PCMag:
    Even the IOBit sites aren't well rated by WOW.

    2. I suggest you decide on running just one of the following not both. I see a potential for conflict with both running:
    Sophos Anti-Rootkit 1.5.4
    AVG Anti-Rootkit Free


    3. Did you remove these old versions of HijackThis?
    2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

    4. Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    Close all Windows except HijackThis and click on "Fix Checked."

    5. Cleaning up: Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    If any of the cleaning programs remain, you can uninstall them and delete the logs.

    Empty the Recycle Bin

    Please see my next reply for some suggestions for good security.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    As promised:
    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        ◦ Avira Free
        ◦ Avast Home
      • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
        ◦ Comodo
        ◦ Zone Alarm
      • Antispyware: I recommend all of the following:
        ◦ Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
        ◦ Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
          For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
          IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
          Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
        ◦ MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
        ◦ Google Toolbar: Get the free Google toolbar to help stop pop-up windows.
    3. Stay current on updates:
      • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      • Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      • For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      • For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      • AdBlock Plus
      • Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      • ATF Cleaner by Atribune
      OR
      • TFC
      Disable and Enable System Restore:
      • See the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points, and what information is in them.
    6. Practice Safe Email Handling
      • Don't open email from anyone you don't know.
      • Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      • Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
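An added example, not code from this thread or from any of the tools it names: a small Python script that parses a Windows-style HOSTS file and separates MVPS-style blocklist entries (names sinkholed to 127.0.0.1 or 0.0.0.0) from entries that remap a search domain to some other address, which is one of the ways a search redirect like the one in this thread can be produced. The sample HOSTS text and the watched-domain list are constructed for the example.

```python
import ipaddress

# Constructed sample HOSTS content (not a real file from this thread).
# Lines 2-3 are the kind of sinkhole entries an MVPS-style list adds;
# line 4 is the kind of entry a redirect infection adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.test   # sinkholed to the local machine
0.0.0.0         tracker.example.test
198.51.100.23   www.google.com               # legitimate domain sent elsewhere
not-an-address  broken.example.test
::1             localhost
"""

# Constructed watch list: domains a HOSTS file should never remap.
WATCHED_DOMAINS = {"www.google.com", "www.bing.com", "search.yahoo.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not a valid IPv4/IPv6 address
        for name in parts[1:]:
            yield addr, name.lower()


def classify_hosts(text, watched=WATCHED_DOMAINS):
    """Return {'blocked': [names], 'hijacked': [(name, ip)]} for a HOSTS file."""
    result = {"blocked": [], "hijacked": []}
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue                            # normal default entry
        if addr.is_loopback or addr.is_unspecified:
            result["blocked"].append(name)      # blocklist-style sinkhole
        elif name in watched:
            result["hijacked"].append((name, str(addr)))
    return result


if __name__ == "__main__":
    print(classify_hosts(SAMPLE_HOSTS))
```

On a real machine you would pass the contents of C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS; any entry in 'hijacked' deserves a look, since a HOSTS file should only ever sinkhole names, not redirect them.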
     
  11. hostile17

    hostile17 TS Rookie Topic Starter

    I followed all of those instructions and everything seems to be in order. I'm going to check out those add-ons and firewall programs and your tips for added security and safer browsing. Thanks so very much, there's a lot of helpful info there.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome! Stay safe.
     