Inactive Browsers opening pages to unwanted Internet sites

Status
Not open for further replies.
S

sigsky

Posts: 9   +0
This is happening to both my desktop and laptop. Laptop networked via a wireless router. Internet Explorer and Firefox are affected. I have scanned with AVG, Malwarebytes, Spybot S&D, and have SpywareBlaster enabled. None report problems. Running Vista Home Premium on both computers.

Pages that are opening do not appear to be malicious and are easily closed. I have not clicked on any of the links provided.

I have carefully followed your instructions for Preliminary Removal which went as described except that Gmer didn't seem to do much. I noticed the button for "Scan" but I did not select it since it was not indicated in your instructions. Logs follow

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5733

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

2/10/2011 1:16:14 PM
mbam-log-2011-02-10 (13-16-14).txt

Scan type: Quick scan
Objects scanned: 151154
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-10 13:21:13
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST332083 rev.3.AA
Running: c5oisnhl.exe; Driver: C:\Users\John\AppData\Local\Temp\kflcapog.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----



DDS (Ver_10-12-12.02) - NTFSx86
Run by John at 13:21:43.73 on Thu 02/10/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_23
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1141 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\DS Clock\dsetime.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k wdisvc
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\Users\John\Download\VirusRemoval\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoStrCmpLogical = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444543540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup162.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\mkrc2kst.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb7b07e&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\john\appdata\roaming\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\users\john\appdata\roaming\mozilla\plugins\npoctoshape.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 DSClockSyncTime;DS Clock Synchronization Service www.dualitysoft.com;c:\program files\ds clock\dsetime.exe [2011-1-18 62264]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-19 21504]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-24 1153368]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2006-12-18 5504]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-5-22 155648]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 gupdate1c99825db5dda72;Google Update Service (gupdate1c99825db5dda72);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-11-18 36312]
S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-9-19 21504]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
SUnknown WPFFontCache_v0400;WPFFontCache_v0400; [x]

=============== Created Last 30 ================

2011-02-10 09:30:04 -------- d-----w- c:\progra~2\SITEguard
2011-02-10 09:29:02 -------- d-----w- c:\program files\common files\iS3
2011-02-10 09:29:02 -------- d-----w- c:\progra~2\STOPzilla!
2011-02-08 09:47:19 -------- d-----w- C:\TDSSKiller_Quarantine
2011-02-05 17:39:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-05 17:39:59 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-02-05 16:11:25 -------- d-----w- c:\program files\Winamp Detect
2011-01-29 13:54:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-29 13:54:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-29 13:54:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-18 09:52:41 -------- d-----w- c:\users\john\appdata\roaming\Duality Software
2011-01-18 09:52:41 -------- d-----w- c:\program files\DS Clock
2011-01-18 09:52:41 -------- d-----w- c:\progra~2\Duality Software
2011-01-12 10:02:40 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2011-01-12 10:02:40 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
2011-01-12 10:02:40 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 10:02:40 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
2011-01-12 10:02:40 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2011-01-12 10:02:40 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2011-01-12 10:02:38 1169408 ----a-w- c:\windows\system32\sdclt.exe

==================== Find3M ====================

2011-01-22 02:46:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-22 02:46:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 13:22:22.75 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 12/18/2006 12:06:57 PM
System Uptime: 2/10/2011 1:03:30 PM (0 hours ago)

Motherboard: Intel Corporation | | DG965OT
Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | LGA 775 | 1862/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 174.896 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.203 GiB free.
E: is Removable
F: is Removable
G: is Removable
H: is CDROM (CDFS)
I: is FIXED (NTFS) - 112 GiB total, 92.565 GiB free.
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Intel(R) 82562V 10/100 Network Connection
Device ID: PCI\VEN_8086&DEV_104C&SUBSYS_0001107B&REV_02\3&2B8E0B4B&0&C8
Manufacturer: Intel
Name: Intel(R) 82562V 10/100 Network Connection
PNP Device ID: PCI\VEN_8086&DEV_104C&SUBSYS_0001107B&REV_02\3&2B8E0B4B&0&C8
Service: e1express

==== System Restore Points ===================


==== Installed Programs ======================


Leawo Free AVI Converter version 2.3.0.8
Abacast Client
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 9.4.1
Adobe Shockwave Player 11
Apple Application Support
Apple Software Update
Arachnophilia 5.3
AutoUpdate
AVG 2011
AVIcodec (remove only)
CCleaner
CDDRV_Installer
Championship Spades All-Stars 7.40
Creative Mass Storage Drivers
Digital Media Reader
DirectVobSub (remove only)
DivX Converter
DivX Player
DivX Web Player
Doom 3
DS Clock
Filzip 3.06
Free Video Joiner 1.1
FxVisor
Gateway Recovery Center Installer
getPlus(R) for Adobe
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) Viiv(TM) Software
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 23
JGsoft EditPad Lite 6.2.1
K-Lite Codec Pack 5.4.4 (Basic)
KhalInstallWrapper
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Links 2001
Microsoft Money 2006
Microsoft Office 97, Professional Edition
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Move Media Player
Moyea FLV Editor Lite version: 1.1.1.835
Mozilla Firefox (3.6.13)
MSA20XX Device Manager
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Octoshape Streaming Services
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
Personal Ancestral File 5
PopMan 1.3
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
SigmaTel Audio
SolveigMM AVI Trimmer
SopCast 3.2.9
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpywareBlaster 4.4
Symantec Technical Support Web Controls
TBS WMP Plug-in
TWC Customer Controls
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Veetle TV 0.9.18
Virtual Pool 3 DL
Winamp
Winamp Detector Plug-in
Windows Driver Package - ViXS Systems Inc. ViXS PureTV-U (11/17/2006 6.2.77.1)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver

==== End Of File ===========================
 
Welcome to TechSpot!
Welcome_crash.gif

(Image courtesy animationplayhouse.com)

So you have fallen vitim to the redirecting also, as many others have. We will need to identify the malware that is causing this. While I finish checking these logs, please run the following:

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
======================================
Note: Before running the next scan, you will have to uninstall AVG. Try this first:

Download AppRemover and save to the desktop]
How to Use AppRemover to Remove a Complete Security Application
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    https://www.techspot.com/downloads/5514-appremover.htmlabout/chooseuninstall.gif/image_preview[/img[*] Click on [b]Next[/b] after choice has been made
    [*] Check the AVG program you want to uninstall
    [*] After uninstall shows complete, follow online prompts to Exit the program.[/list]
    ====================================
    Then follow with [b]Download Combofix to your desktop from one of these locations:[/b][b]
    [url=http://www.bleepingcomputer.com/download/anti-virus/combofix]Link 1[/url]
    [url=http://www.forospyware.com/sUBs/ComboFix.exe]Link 2[/b][/url][list]
    [*]Double click combofix.exe & follow the prompts.
    [*]As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    [*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    [*][B]Query- Recovery Console image[/B]
    [img]http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    Click to expand...
  5. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  6. .Click on Yes, to continue scanning for malware
  7. .If Combofix asks you to update the program, allow
  8. .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  9. .Close any open browsers.
  10. .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  11. When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Interim Question

Hi Bobbye, Thanks for the help. I am waiting for Eset to download it's database. Looks like it is going to take an hour.

The above procedure seems to leave me without antivirus protection after running combofix. Is that where I want to be?

I'll post logs when this is completed.

John
 
Eset and Combofix logs

Bobbye,

I've finished those steps. What should I do about antivirus protection?
Awaiting your instructions, thanks again for your help. John

Here are the logs:

Eset log:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=6fe7ba86dc2838409ffd65a60c254283
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-10 10:45:26
# local_time=2011-02-10 05:45:26 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=1032 16777213 100 95 0 40434624 0 0
# compatibility_mode=5892 16776574 100 100 10799783 133982408 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=143701
# found=0
# cleaned=0
# scan_time=3045


Combofix log:

ComboFix 11-02-09.05 - John 02/10/2011 18:05:57.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1265 [GMT -5:00]
Running from: c:\users\John\Download\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Windows

.
((((((((((((((((((((((((( Files Created from 2011-01-10 to 2011-02-10 )))))))))))))))))))))))))))))))
.

2011-02-10 23:11 . 2011-02-10 23:12 -------- d-----w- c:\users\John\AppData\Local\temp
2011-02-10 23:11 . 2011-02-10 23:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-02-10 23:11 . 2011-02-10 23:11 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2011-02-10 23:11 . 2011-02-10 23:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-10 23:06 . 2011-02-10 23:06 -------- d-----w- c:\programdata\WindowsSearch
2011-02-10 20:33 . 2011-02-10 20:33 -------- d-----w- c:\program files\ESET
2011-02-10 09:30 . 2011-02-10 09:30 -------- d-----w- c:\programdata\SITEguard
2011-02-10 09:29 . 2011-02-10 09:54 -------- d-----w- c:\programdata\STOPzilla!
2011-02-10 09:29 . 2011-02-10 09:29 -------- d-----w- c:\program files\Common Files\iS3
2011-02-08 09:47 . 2011-02-08 09:47 -------- d-----w- C:\TDSSKiller_Quarantine
2011-02-05 17:41 . 2011-02-05 17:41 -------- d-----w- c:\program files\Common Files\Java
2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-02-05 16:11 . 2011-02-05 16:11 -------- d-----w- c:\program files\Winamp Detect
2011-01-29 13:54 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-29 13:54 . 2011-01-29 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-29 13:54 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-18 10:27 . 2011-01-31 22:49 -------- d-----w- c:\users\Public\Download
2011-01-18 09:52 . 2011-01-18 10:11 -------- d-----w- c:\program files\DS Clock
2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\users\John\AppData\Roaming\Duality Software
2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\programdata\Duality Software
2011-01-12 10:02 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 10:02 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-01-12 10:02 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-01-12 10:02 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-01-12 10:02 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-01-12 10:02 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-01-12 10:02 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 22:50 . 2008-09-19 23:30 52792 ----a-w- c:\windows\system32\drivers\volmgr.sys
2011-01-31 10:16 . 2008-09-19 23:30 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2011-01-22 02:46 . 2003-03-19 04:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-22 02:46 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-12-14 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-23 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
2006-11-18 15:01 182744 ----a-w- c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-12-12 15:03 106496 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-09-29 20:39 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-12-12 15:02 98304 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-12-19 03:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
2006-09-26 18:56 423424 ----a-w- c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-12-12 15:02 81920 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-11-02 14:38 303104 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-1001]
"EnableNotificationsRef"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-500]
"EnableNotificationsRef"=dword:00000002

R2 gupdate1c99825db5dda72;Google Update Service (gupdate1c99825db5dda72);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 133104]
R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-11-18 36312]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\E411.tmp [x]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-15 2794234]
R3 WPFFontCache_v0400;WPFFontCache_v0400; [x]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
S2 DSClockSyncTime;DS Clock Synchronization Service www.dualitysoft.com;c:\program files\DS Clock\dsetime.exe [2009-11-20 62264]
S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys [2006-09-28 28672]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2006-12-18 5504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2011-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2011-02-10 c:\windows\Tasks\User_Feed_Synchronization-{1D222DBF-C551-436A-A026-133E4094B4E2}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]

2010-02-05 c:\windows\Tasks\User_Feed_Synchronization-{E57A22E8-06A3-46E2-A6A3-C443A62D321E}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mkrc2kst.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb7b07e&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-BigFix - c:\program files\Bigfix\bigfix.exe
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe
MSConfigStartUp-mcinfo_1171995617 - c:\users\John\AppData\Local\Temp\mcinfo_1171995617.exe
MSConfigStartUp-Monopod - c:\users\John\AppData\Local\Temp\c.exe
MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
MSConfigStartUp-OxigenServiceStart - c:\program files\Oxigen\bin\OxigenService.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-TkBellExe - c:\program files\Real\RealPlayer\update\realsched.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-10 18:12
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\E411.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2204)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2011-02-10 18:14:03
ComboFix-quarantined-files.txt 2011-02-10 23:14

Pre-Run: 188,121,661,440 bytes free
Post-Run: 188,045,004,800 bytes free

- - End Of File - - 9B9374AA198C3259288DA2F5EB3F9F4B
 
What should I do about antivirus protection?
Click to expand...

You enable it when finished with Eset and Combofix. If you did a full uninstall of AVG and don't want it back, here are two recommendations, both free and good> use only one!
I have noticed that there is no antivirus program running
Avira Free
Avast Home

Please reboot the system after the installation is complete.

I will be back to check Combofix.
 
I see 17 processes loading from the Registry on the Startup Menu. And it looks like that's after you removed 9 other processes! And are there 4 users on the machine now? That's a lot of activity to keep track of!
=========================================
I have a question for you about the subject: when you say "pages are opening to unwanted sites", do you mean that when you do a search, you are being redirected to a page other than what you requested? Or do you mean that pages popup with other sites or ads? Can you five me an example of one? Please do not leave an active link, but rather the Domain name like 'searchhere' or 'goodthingshere'.
===================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.[/b]
Code: 
File::
c:\windows\system32\E411.tmp
Folder::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
Driver::
MEMSWEEP2
WPFFontCache_v0400
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
 
New Combofix log

The only control over start-ups that I know of are the programs that run when you boot your computer which can be accessed by running "msconfig". I am constantly removing things that are inserted there by Adobe, Quicktime, and others. I only have 4 items checked, two of which are for my cordless mouse and the others are AVG and Spybot S&D. I don't like unnecessary things running in the background. As far a processes loading or being removed, I'm not sure except I have used "Black Viper's" site to optimize setup so maybe that is what you are referring to?

I don't know who those users are> It's just me and my wife and we don't have separate accounts. My computer boots right to the desktop without passwords or anything. I'm not sure where all that came from. For some reason my desktop's designation seems to change periodically in my network setup but it continues to work so I haven't worried about it.

Any advice you have to offer is most welcome.

I had to uninstall AVG to get Combofix to run. I am going to try to find the free Avast software. The link you kindly provided whould not let me download the free version for some reason.

OK, I intentionally did not use the word redirect in my posting because when I am accessing a page in my browser,every so often a new page opens in the background. It does not take me away from the page I am using or impede my activity. When I see these pages as tabs at the bottom, I bring them to the top to see what they are, close them, and return to what I am doing. Sometimes these pages are accompanied by a phishing or virus warning from AVG but usually not.

I have noticed lately that sometimes when I click on a google serch return link, it will take me to an unrelated page. Normally if I close it and go back to the google results and click the link again, it takes me to the proper page.

what follows are samples of unwanted pages which have appeared both in Firefox and Internet Explorer. I should also say that I have noticed a page briefly opening which disappears once the offending page appears. I assume this is the site that actually is doing the mischief but I haven't been able to get the domain name yet but I'll watch for it.

This site just popped up while I was retrieving your log:
cheapstuff.com/?d=1

Here are some others that I have gotten recently:

Firefox:
213.155.17.40/pop/
teanja.com/

Internet Explorer:
d3.zedo.com/jsc/d3/ff2.html?n=790;s=2819;c=3386;d=16;w=1024;h=768
cheapstuff.com/a.php?search=basic+cable&ai=5983
about:blank
213.155.17.40/pop/sixpoints.htm
esults.googlesyndication.com/


Here is the log you requested:

ComboFix 11-02-11.01 - John 02/11/2011 21:55:55.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1075 [GMT -5:00]
Running from: c:\users\John\Download\ComboFix.exe
Command switches used :: c:\users\John\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\E411.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
-------\Service_WPFFontCache_v0400


((((((((((((((((((((((((( Files Created from 2011-01-12 to 2011-02-12 )))))))))))))))))))))))))))))))
.

2011-02-12 03:01 . 2011-02-12 03:04 -------- d-----w- c:\users\John\AppData\Local\temp
2011-02-12 03:01 . 2011-02-12 03:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-02-12 03:01 . 2011-02-12 03:01 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2011-02-12 03:01 . 2011-02-12 03:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-11 02:17 . 2011-02-11 02:17 -------- d-----w- c:\users\John\AppData\Roaming\AVG10
2011-02-11 02:07 . 2011-02-12 02:50 -------- d-----w- c:\programdata\AVG10
2011-02-11 01:56 . 2011-02-11 02:06 -------- d-----w- c:\programdata\MFAData
2011-02-10 23:06 . 2011-02-10 23:06 -------- d-----w- c:\programdata\WindowsSearch
2011-02-10 20:33 . 2011-02-10 20:33 -------- d-----w- c:\program files\ESET
2011-02-10 09:30 . 2011-02-10 09:30 -------- d-----w- c:\programdata\SITEguard
2011-02-10 09:29 . 2011-02-10 09:54 -------- d-----w- c:\programdata\STOPzilla!
2011-02-10 09:29 . 2011-02-10 09:29 -------- d-----w- c:\program files\Common Files\iS3
2011-02-05 17:41 . 2011-02-05 17:41 -------- d-----w- c:\program files\Common Files\Java
2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-02-05 16:11 . 2011-02-05 16:11 -------- d-----w- c:\program files\Winamp Detect
2011-01-29 13:54 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-29 13:54 . 2011-01-29 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-29 13:54 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-18 10:27 . 2011-01-31 22:49 -------- d-----w- c:\users\Public\Download
2011-01-18 09:52 . 2011-01-18 10:11 -------- d-----w- c:\program files\DS Clock
2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\users\John\AppData\Roaming\Duality Software
2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\programdata\Duality Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 22:50 . 2008-09-19 23:30 52792 ----a-w- c:\windows\system32\drivers\volmgr.sys
2011-01-31 10:16 . 2008-09-19 23:30 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2011-01-22 02:46 . 2003-03-19 04:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-22 02:46 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-12-28 15:55 . 2011-01-12 10:02 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-12 10:02 1169408 ----a-w- c:\windows\system32\sdclt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-12-14 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-23 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
2006-11-18 15:01 182744 ----a-w- c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-12-12 15:03 106496 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-09-29 20:39 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-12-12 15:02 98304 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-12-19 03:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
2006-09-26 18:56 423424 ----a-w- c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-12-12 15:02 81920 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-11-02 14:38 303104 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-1001]
"EnableNotificationsRef"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-500]
"EnableNotificationsRef"=dword:00000002

S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
S2 DSClockSyncTime;DS Clock Synchronization Service www.dualitysoft.com;c:\program files\DS Clock\dsetime.exe [2009-11-20 62264]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2011-02-12 c:\windows\Tasks\User_Feed_Synchronization-{1D222DBF-C551-436A-A026-133E4094B4E2}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]

2010-02-05 c:\windows\Tasks\User_Feed_Synchronization-{E57A22E8-06A3-46E2-A6A3-C443A62D321E}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mkrc2kst.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb7b07e&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-11 22:03
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2700)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-02-11 22:08:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-12 03:08

Pre-Run: 187,219,955,712 bytes free
Post-Run: 186,871,070,720 bytes free

- - End Of File - - 0CEA9B1EED571279ADC3F039F921EA65
 
Most of the Domains you gave are common ones that leave Tracking Cookies. By resetting the Cookies, most of them will be blocked, so please follow this:
Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
I see you are already using AdBlockPlus. Good! If you didn't add EasyList, I highly recommend doing so:
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
====================================
However the IP 213.155.17.40 that you left, belongs to a site in the UA - Ukraine. This usually indicates that the Host files have been hijacked, but I'm not seeing this so far in the logs. And the 'sixpoints' popups with it usually comes up with 'Congratulations' and the site it's on is BAD. Can you tell me just how it is that you're seeing these things. Where do you see the IP? If you look on the bottom left corner of the browser, you will see an IP and all the other entries on a site that's loading as they load. However, unless you actually click to activate either the IP or the popups, it should get on the machine.
=======================================
About "Black Viper". : they don't come any better! Someday, I would like to meet him and thank him for all the help I got on his site, especially when starting Windows XP with the Services!
====================================
EDIT: Please run the script I set up in the next reply first, then run HJT.
===================================
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
Code: 
File::

Folder::
C:\TDSSKiller_Quarantine

DDS::
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

Registry::
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
[HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]

Driver::
WPFFontCache_v0400
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
 
Answers to questions - logs coming shortly

I run CCleaner several times a day to get rid of cookies and remove other tracking info.

I will make the changes you have recommended under reset cookies.

The unwanted pages normally happen as follows:

A new page is created briefly as can be seen on the taskbar

It quickly changes to another address, often some search engine which produces the advertising pages I usually end up with which are what I have submitted to you. I haven't been quick enough to capture the address.

None of these replace the page I am browsing, but are in the background. The final advertising page is the only thing that remains after a very short time. I will attempt to capture better results.

To me it seems like the virus manifests itself under a number of very strange names, calls up one of several search strings which results in an advertising page. I can't imagine they are being paid advertising fees.

Some sites never result in the virus being activated. Others ( notably imdb.com seem to trigger the virus immediately every time it is accessed). Usually after generating and ad, the virus will remain dormant until I change web sites, although I don't think this is always true. I will play with imdb.com later today and see if I can identify a better name.
 
logs

Here is the ComboFix log:

ComboFix 11-02-12.02 - John 02/13/2011 14:27:04.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1037 [GMT -5:00]
Running from: c:\users\John\Download\ComboFix.exe
Command switches used :: c:\users\John\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\java\jre6\bin\jp2ssv.dll

.
((((((((((((((((((((((((( Files Created from 2011-01-13 to 2011-02-13 )))))))))))))))))))))))))))))))
.

2011-02-13 19:31 . 2011-02-13 19:31 -------- d-----w- c:\users\John\AppData\Local\temp
2011-02-13 19:31 . 2011-02-13 19:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-02-13 19:31 . 2011-02-13 19:31 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2011-02-13 19:31 . 2011-02-13 19:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-13 19:15 . 2011-02-13 19:15 -------- d-----w- C:\HijackThis
2011-02-12 13:16 . 2011-02-02 22:10 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C60513A9-BA36-474B-AA22-9150CE44E637}\mpengine.dll
2011-02-12 03:49 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-12 03:49 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-12 03:49 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-12 03:49 . 2011-01-13 08:37 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-02-12 03:49 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-12 03:48 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-02-12 03:48 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-12 03:48 . 2011-02-12 03:48 -------- d-----w- c:\programdata\Alwil Software
2011-02-12 03:48 . 2011-02-12 03:48 -------- d-----w- c:\program files\Alwil Software
2011-02-11 02:17 . 2011-02-11 02:17 -------- d-----w- c:\users\John\AppData\Roaming\AVG10
2011-02-11 02:07 . 2011-02-12 02:50 -------- d-----w- c:\programdata\AVG10
2011-02-11 01:56 . 2011-02-11 02:06 -------- d-----w- c:\programdata\MFAData
2011-02-10 23:06 . 2011-02-10 23:06 -------- d-----w- c:\programdata\WindowsSearch
2011-02-10 20:33 . 2011-02-10 20:33 -------- d-----w- c:\program files\ESET
2011-02-10 09:30 . 2011-02-10 09:30 -------- d-----w- c:\programdata\SITEguard
2011-02-10 09:29 . 2011-02-10 09:54 -------- d-----w- c:\programdata\STOPzilla!
2011-02-10 09:29 . 2011-02-10 09:29 -------- d-----w- c:\program files\Common Files\iS3
2011-02-05 17:41 . 2011-02-05 17:41 -------- d-----w- c:\program files\Common Files\Java
2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-05 17:39 . 2010-11-12 23:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-02-05 16:11 . 2011-02-05 16:11 -------- d-----w- c:\program files\Winamp Detect
2011-01-29 13:54 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-29 13:54 . 2011-01-29 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-29 13:54 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-18 10:27 . 2011-01-31 22:49 -------- d-----w- c:\users\Public\Download
2011-01-18 09:52 . 2011-01-18 10:11 -------- d-----w- c:\program files\DS Clock
2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\users\John\AppData\Roaming\Duality Software
2011-01-18 09:52 . 2011-01-18 09:52 -------- d-----w- c:\programdata\Duality Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 22:50 . 2008-09-19 23:30 52792 ----a-w- c:\windows\system32\drivers\volmgr.sys
2011-02-02 22:11 . 2009-10-03 18:52 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-31 10:16 . 2008-09-19 23:30 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2011-01-22 02:46 . 2003-03-19 04:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-22 02:46 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-12-28 15:55 . 2011-01-12 10:02 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-12 10:02 1169408 ----a-w- c:\windows\system32\sdclt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-12-14 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-23 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe\0aswBoot.exe /A:* /L:1033 /heur:80 /pup /archives /IA:0 /KBD:2 /dir:C:\Program

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
2006-11-18 15:01 182744 ----a-w- c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-12-12 15:03 106496 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-09-29 20:39 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-12-12 15:02 98304 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-12-19 03:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
2006-09-26 18:56 423424 ----a-w- c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-12-12 15:02 81920 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-11-02 14:38 303104 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-1001]
"EnableNotificationsRef"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-500]
"EnableNotificationsRef"=dword:00000002

S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
S2 DSClockSyncTime;DS Clock Synchronization Service www.dualitysoft.com;c:\program files\DS Clock\dsetime.exe [2009-11-20 62264]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2011-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2011-02-13 c:\windows\Tasks\User_Feed_Synchronization-{1D222DBF-C551-436A-A026-133E4094B4E2}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]

2010-02-05 c:\windows\Tasks\User_Feed_Synchronization-{E57A22E8-06A3-46E2-A6A3-C443A62D321E}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mkrc2kst.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cb7b07e&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-13 14:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-02-13 14:33:38
ComboFix-quarantined-files.txt 2011-02-13 19:33
ComboFix2.txt 2011-02-12 03:08

Pre-Run: 227,541,659,648 bytes free
Post-Run: 227,509,452,800 bytes free

- - End Of File - - 9422B1A9F318A0A12B60F3A594D418B4

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:35:35 PM, on 2/13/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19019)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444543540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: DS Clock Synchronization Service www.dualitysoft.com (DSClockSyncTime) - Duality Software - C:\Program Files\DS Clock\dsetime.exe
O23 - Service: Google Update Service (gupdate1c99825db5dda72) (gupdate1c99825db5dda72) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5165 bytes
 
A bit of Additional Info

When the virus is triggered, I get a tab at the bottom of the screen like you do when you open a page but it is labeled either Internet Explore or Mozilla Firefox but cannot be opened by clicking on it until it changes to a domain name including some variation of a domain including "google", i gave you one of those. Will try to get more. It can be opened at that point but quickly it changes to the advertising page or sometimes results in page not found or a link to be forwarded (which I ain't ever clicking on). Unless you are paying attention you don't really notice anything except this new page in the background with the advertising. This final page is readily closed. and normally nothing else appears until I change sites. Hope this helps. I don't know how to capture that first bugger yet.
 
That helps, thank you. It sounds like a pop-under. You don't want to do anything except a Right click> Properties. That might give you some information but won't activate it. I remember years ago when the "X-10" seemed to pop under everything! But as popup stoppers got better and browser security improved, the old X-10 was sent packing. Here's a comment on that from 11/1/2001:
An informal study by DSLreports.com staff has concluded that x10 camera "pop-under" adverts now account for 89% of bandwidth used by all broadband users.
Click to expand...

Theses usually aren't malicious- just annoying. Be sure to reset the Cookies as I instructed and add Easy List to Firefox. If you use the Google Toolbar, it's has a great popup stopper. If you don't be sure the feature is enabled in Firefox: Open FF> Tools> Options> Content> Check 'block popups.'
====================================
The 4 accounts I see are:
c:\users\John\AppData\Local\temp
c:\users\Public\AppData\Local\temp
c:\users\IUSR_NMPR\AppData\Local\temp
c:\users\Default\AppData\Local\temp
I looked further and found this in a Vista forum:
Vista Accounts:
Administrator ("Built-in account for administering the computer/domain")
Guest ("Built-in account for guest access to the computer/domain")
IUSR_NMPR>>> its a guest account or internet user account for IIS (internet information server) its a system account so you need remove IIS first
Account with User name
============================
Have you reset the Cookies, added Easy List to Firefox surfed for a while to see if any popunders still show? If any do, please use the right click> Properties> look for a domain name and we can block it. For instance, if you see this in the properties 'yahoo.com', that;s what I want
 
results.google-analytics.com/ is one I captured yesterday before it sent me to an advertising page.
results.googlesyndication.com/ is one I sent you earlier.

plug either of these into a search engine and you will get countless folks having problems.

These appear to be the sites that are popping up and sending me to the advertisements. It still happens in both Firefox and IE and I have made the changes you suggested including adding Easy List.

What am I clicking on to check properties? Clicking on the tab at the bottom only brings up the normal menu (restore,Move,Size,Minimize,Maximize,Close). is it possible to block the domain names above? Would be better to remove what is producing them.

I don't understand the account issues. In Windows explorer I see only:
C:\users\John
C:\users\Public
the latter being where I store data that I want to be able to access with other computers on my network (just my laptop).

In control panel I show only an Administrators account and a Guest Account which is turned off.

I will try to identify more bad domain names if i can find them.
 
From TechSpot blog, Julio, 2008:
Google analytics is a great tool for webmasters. At the same time, Google Analytics affects the privacy of the searchers and browsers. Many users don’t like their browser being tracked. These people want to prevent their browsers from being tracked by disabling Google Analytics.
Click to expand...
From Google:
Google Analytics Opt-out Browser Add-on (BETA)
To provide website visitors more choice on how their data is collected by Google Analytics, we have developed the Google Analytics Opt-out Browser Add-on. The add-on communicates with the Google Analytics JavaScript (ga.js) to indicate that information about the website visit should not be sent to Google Analytics.

Available for Internet Explorer (versions 7 and 8), Google Chrome (4.x and higher), and Mozilla Firefox (3.5 and higher).
Click to expand...
 
BTW, I amended both AV programs to leave out choices and take user directly to download page for free version.:

Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
I try to put the software manufacturer's sit in the links, but sometimes they add link which confuses the user.

You don't need to give me any more domains. Please reset the Cookies as I have instructed. These pop unders aren't manifestations of a virus- usually- but rather another way to sneak an advertisement onto the users system. Let me check your security- If did this already, forgive me:

Download Security Check by screen317 from HERE or HERE .
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Actually I had unknowingly already downloaded Avast from the site you mentioned. It happened so fast I didn't realize it. That is why it wouldn't allow me to download it again. Sorry for the confusion.

I've been reading about this situation of mine over the last couple of days and find plenty of cries for help but no solutions. And apparently no anti-virus program will identify this as a virus. I went ahead and plugged one of the offending URLs into my browser and sure enough the same thing happens, I get a blank page for a few seconds and then am redirected to a "desperately" random advertising site.

I think I agree that this does not qualify as a virus. But to me it certainly qualifies as malware if it attempts to send me to sites that trigger my antivirus protection. Maybe its not even on my machine in which case it seems everyone should be experiencing it. Maybe they are. Hopefully eventually this will run it's course as it seems to be gaining attention.

I have made the changes you indicated regarding cookies. Maybe I will flush the ones that I have told CCleaner not to delete and reset them one by one. There aren't that many and there may be some that I no longer wish to retain.

Here is the checkup log from my desktop:

Results of screen317's Security Check version 0.99.8
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG 2011
ESET Online Scanner v3
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 23
Adobe Flash Player 10.1.102.64
Adobe Reader 9.4.2
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


And here is one from my laptop which has the same affliction:

Results of screen317's Security Check version 0.99.8
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG 2011
Norton 360
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
MVPS Hosts File
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 23
Adobe Flash Player 10.1.102.64
Adobe Reader X (10.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````

As always, any advice is gratefully appreciated.

John
 
plenty of cries for help but no solutions.
Click to expand...
What you are experiencing is an annoyance- And you didn't mention AVG's phishing alert until Reply #7.

You have 3 software firewalls running> that's 2 too many! Remove 2 of them:
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG 2011
Norton 360
Multiple firewalls or antivirus programs actually make a system more vulnerable.

You still have Norton on the system. Please run this:
Norton Removal Tool

no anti-virus program will identify this as a virus.
Click to expand...
That's because it isn't a virus. A 'virus' doesn't trigger the pop under> closing the browser allows it so show from nesting between the borwser and the active Window.
====================================
What it's all about: What is a pop under?
A variation on the pop-up window is the pop-under advertisement, which opens a new browser window hidden under the active window. Pop-unders do not interrupt the user immediately and are not seen until the covering window is closed, making it more difficult to determine which web site opened them.

The script for it is on the page you have open, but it won't pop up until you try to close the page because it's actually in-between your browser and the site page. This is an example of interstitials are web page advertisements that are displayed before or after an expected content page, often to display advertisements or confirm the user's age.
They are not all bad.
===================================
Install the following addons to Firefox:
NoScript:
NoScript_Logo.png


AdBlock Plus
48px-Adblockplus_icon.svg.png

======================================
Run TFC again after you get the 2 add ons installed.
It will reboot at the end..Empty the Recycle Bin
Let me know if this helps the situation.
 
Status
Not open for further replies.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
797
uber_beetle
uber_beetle
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni

Latest posts

Back