Thank you for your help.
Requested log files:
EDIT: Redirecting and unwanted pages opening seem to be eliminated.
EDIT:
Combofix
ComboFix 10-06-27.03 - Owner 06/27/2010 15:20:36.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1625 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
.
2010-06-26 19:23 . 2010-06-26 19:29 -------- d-----w- c:\documents and settings\Owner\Application Data\SafeReturner
2010-06-26 19:23 . 2010-06-26 19:29 -------- d-----w- c:\program files\Safe Returner
2010-06-25 15:57 . 2010-06-25 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-06-25 15:23 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-24 17:30 . 2010-06-24 20:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\xdecxhshy
2010-06-22 17:11 . 2010-06-22 17:11 -------- d-----w- c:\program files\iPod
2010-06-22 17:11 . 2010-06-22 17:11 -------- d-----w- c:\program files\iTunes
2010-06-22 17:08 . 2010-06-22 17:08 -------- d-----w- c:\program files\Bonjour
2010-06-22 17:07 . 2010-06-22 17:07 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 06:27 . 2010-06-23 06:05 93664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-02 05:15 . 2010-05-31 23:34 702120 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j1z93cuq.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-06-02 05:15 . 2010-05-31 23:34 868456 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j1z93cuq.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-06-01 17:17 . 2010-06-01 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-01 17:15 . 2010-06-01 17:15 -------- d-----w- c:\program files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-27 22:18 . 2008-07-11 04:12 81984 ----a-w- c:\windows\system32\bdod.bin
2010-06-26 21:24 . 2008-11-28 02:46 -------- d-----w- c:\program files\Winamp
2010-06-26 21:22 . 2009-02-07 01:40 -------- d-----w- c:\program files\NCH Software
2010-06-26 21:21 . 2009-10-22 02:17 -------- d-----w- c:\program files\PopCap Games
2010-06-26 21:18 . 2008-07-24 18:58 -------- d-----w- c:\program files\Wizards of the Coast
2010-06-26 21:18 . 2008-07-11 05:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-26 01:11 . 2008-07-12 03:37 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-25 15:50 . 2008-09-21 16:58 -------- d-----w- c:\program files\Java
2010-06-25 15:50 . 2008-09-21 16:58 -------- d-----w- c:\program files\Common Files\Java
2010-06-25 14:53 . 2008-08-07 13:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-25 14:10 . 2008-08-22 13:45 -------- d-----w- c:\program files\Glary Utilities
2010-06-25 04:01 . 2010-03-18 04:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 17:11 . 2008-09-07 16:07 -------- d-----w- c:\program files\Common Files\Apple
2010-06-19 15:52 . 2008-11-26 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-06-13 15:50 . 2008-07-18 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-13 03:09 . 2010-05-27 22:48 -------- d-----w- c:\program files\Magic Workstation
2010-06-03 00:56 . 2010-02-10 00:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Audacity
2010-05-24 16:55 . 2010-05-24 16:55 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2ee421c4-n\decora-sse.dll
2010-05-24 16:55 . 2010-05-24 16:55 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5febcb9b-n\msvcp71.dll
2010-05-24 16:55 . 2010-05-24 16:55 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5febcb9b-n\jmc.dll
2010-05-24 16:55 . 2010-05-24 16:55 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5febcb9b-n\msvcr71.dll
2010-05-24 16:55 . 2010-05-24 16:55 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2ee421c4-n\decora-d3d.dll
2010-05-20 05:22 . 2008-12-15 05:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-17 16:55 . 2010-05-17 16:55 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6fc149f7-n\decora-sse.dll
2010-05-17 16:55 . 2010-05-17 16:55 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f522a21-n\msvcp71.dll
2010-05-17 16:55 . 2010-05-17 16:55 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f522a21-n\jmc.dll
2010-05-17 16:55 . 2010-05-17 16:55 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5f522a21-n\msvcr71.dll
2010-05-17 16:55 . 2010-05-17 16:55 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6fc149f7-n\decora-d3d.dll
2010-05-02 05:56 . 2006-02-28 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2010-03-18 04:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-03-18 04:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:51 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 03:47 . 2009-11-27 20:40 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 03:47 . 2009-11-27 20:40 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 15:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-10 04:53 . 2010-04-10 04:53 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-26687c52-n\decora-sse.dll
2010-04-10 04:53 . 2010-04-10 04:53 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e336761-n\msvcp71.dll
2010-04-10 04:53 . 2010-04-10 04:53 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e336761-n\jmc.dll
2010-04-10 04:53 . 2010-04-10 04:53 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e336761-n\msvcr71.dll
2010-04-10 04:53 . 2010-04-10 04:53 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-26687c52-n\decora-d3d.dll
2010-03-18 06:03 . 2009-09-12 03:26 65536 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-27 160328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-06-13 73728]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2010-03-18 782336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104456]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
2010-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2010-06-27 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-08-22 17:01]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {B030900C-746A-47BF-8B1D-EA3FB3395563} - hxxps://fastconnect.cox.net/cd20/CoxFastConnect20.ocx
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j1z93cuq.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j1z93cuq.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j1z93cuq.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\j1z93cuq.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\EMusic\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-06-27 15:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-06-27 15:27:55
ComboFix-quarantined-files.txt 2010-06-27 22:27
Pre-Run: 40,967,303,168 bytes free
Post-Run: 40,973,504,512 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - B50F9411A0F4DD02CEB5284193FED3E7
ESET:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.5730.13 (longhorn(wmbla).070711-1130)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e62fc12193dac548970e5523b29ee93e
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-28 12:12:55
# local_time=2010-06-27 05:12:55 (-0700, US Mountain Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=2049 16776869 100 88 0 42184067 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=114128
# found=0
# cleaned=0
# scan_time=2500