Solved Redirect on Google searches

Kactus · Apr 29, 2012

Hi All,

For the past few days I've been getting redirected to various sales sites and others when I click on a link from my google search. If I backbutton back and then click on the same link again it then works correctly. So, I figured something was up and last night ran a MBAM scan and a scan for tracking cookies using Super Anti Spyware. The MBAM found one threat and the SAS found 6 trogans and 194 tracking cookies, but after quarantining everything the problem still exist. I found your site and am hoping you can help me out. Below I will post the results of your 5-step instructions plus the SAS results log. I appreciate any help you can provide. (PS: I am not that computer savvy so please bear with my ignorance).

MBAM Log of 4-28-12:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.04.28.09
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Deb :: DEB-PC [administrator]
4/28/2012 6:59:37 PM
mbam-log-2012-04-28 (18-59-37).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 458835
Time elapsed: 1 hour(s), 49 minute(s), 25 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Deb\AppData\Local\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
(end)
The GMER log was blank in the resulting notepad file.

DDS log 1, 4-29-12:

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Deb at 10:45:04 on 2012-04-29
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.4307 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\System32\StikyNot.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
C:\Program Files\mcafee.com\agent\mcagent.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\splwow64.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = hxxp://localhost
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120424174912.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [Jasc] rundll32.exe C:\Users\Deb\AppData\Local\Jasc\nhxvobcb.dll,m4OutVideoInit
mRun: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
StartupFolder: C:\Users\Deb\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_Win32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B25DA075-B3E5-46AB-9BE8-7233FCD794CC} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\msc\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120424174912.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-9-5 249936]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-9-5 249936]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-9-5 249936]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2010-12-8 199272]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2010-12-8 210584]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Program Files\Common Files\mcafee\systemcore\mfevtps.exe [2010-12-8 162192]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-12-8 689472]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\system32\DRIVERS\LEqdUsb.Sys --> C:\Windows\system32\DRIVERS\LEqdUsb.Sys [?]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\system32\DRIVERS\LHidEqd.Sys --> C:\Windows\system32\DRIVERS\LHidEqd.Sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;\??\C:\Windows\system32\drivers\BVRPMPR5a64.SYS --> C:\Windows\system32\drivers\BVRPMPR5a64.SYS [?]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 MHIKEY10;MHIKEY10;C:\Windows\system32\Drivers\MHIKEY10x64.sys --> C:\Windows\system32\Drivers\MHIKEY10x64.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2010-7-30 25072]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-9-5 249936]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-04-29 04:01:05 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-04-29 04:01:05 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-04-28 23:58:21 -------- d-----w- C:\Users\Deb\AppData\Roaming\Malwarebytes
2012-04-28 23:58:09 -------- d-----w- C:\ProgramData\Malwarebytes
2012-04-28 23:58:08 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-04-28 23:58:08 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-25 23:56:25 -------- d-----w- C:\Users\Deb\AppData\Local\Jasc
2012-04-12 08:03:47 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-12 08:03:46 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-12 08:03:46 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-12 08:01:22 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-12 08:01:22 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-12 08:01:22 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-04-12 08:01:22 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-12 08:01:22 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-12 08:01:22 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-12 08:01:22 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-11 12:13:59 451072 ----a-w- C:\Program Files\Internet Explorer\ieproxy.dll
2012-04-11 12:13:58 163328 ----a-w- C:\Program Files (x86)\Internet Explorer\ieproxy.dll
2012-04-11 12:13:56 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-04-11 12:13:56 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
.
==================== Find3M ====================
.
2012-04-29 03:29:05 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-28 06:39:37 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 05:38:52 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-22 18:29:46 75936 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys
2012-02-22 18:29:46 65264 ----a-w- C:\Windows\System32\drivers\cfwids.sys
2012-02-22 18:29:46 647208 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2012-02-22 18:29:46 487296 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
2012-02-22 18:29:46 289664 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
2012-02-22 18:29:46 229528 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2012-02-22 18:29:46 160792 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2012-02-22 18:29:46 10248 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
2012-02-22 18:29:46 100912 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-14 17:09:44 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 10:51:13.96 ===============
DDS log 2 4-29-12:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 12/19/2010 4:06:05 PM
System Uptime: 4/29/2012 8:08:39 AM (2 hours ago)
.
Motherboard: Dell Inc. | | 0C2KJT
Processor: Intel(R) Core(TM) i3 CPU 550 @ 3.20GHz | CPU 1 | 3200/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 919 GiB total, 826.324 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP105: 3/7/2012 5:42:48 AM - Scheduled Checkpoint
RP106: 3/15/2012 12:03:49 AM - Scheduled Checkpoint
RP107: 3/15/2012 3:00:29 AM - Windows Update
RP108: 3/23/2012 6:16:12 AM - Scheduled Checkpoint
RP109: 3/31/2012 10:44:32 AM - Scheduled Checkpoint
RP110: 4/8/2012 8:53:18 AM - Scheduled Checkpoint
RP111: 4/12/2012 3:00:29 AM - Windows Update
RP112: 4/19/2012 4:33:24 AM - Scheduled Checkpoint
RP113: 4/28/2012 9:22:13 PM - Scheduled Checkpoint
RP114: 4/28/2012 10:27:46 PM - Installed Java(TM) 6 Update 31
.
==== Installed Programs ======================
.
.
Adobe Reader 9.4.6
Adobe Shockwave Player 11.6
Canon Camera Access Library
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon Easy-PhotoPrint EX
Canon G.726 WMP-Decoder
Canon MG5300 series On-screen Manual
Canon MG5300 series User Registration
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator EX 5.0
Canon My Printer
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Solution Menu EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Consumer In-Home Service Agreement
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide
eReg
GoToAssist Corporate
Intel(R) Graphics Media Accelerator Driver
Internet Explorer
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 14
Java(TM) 6 Update 31
Junk Mail filter update
Malwarebytes Anti-Malware version 1.61.0.1400
McAfee SecurityCenter
Mesh Runtime
Messenger Companion
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSVCRT
MSVCRT_amd64
Multimedia Card Reader
Paint Shop Pro 7
Realtek High Definition Audio Driver
Roxio Burn
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition
Skype Toolbars
Skype™ 4.2
SpywareBlaster 4.6
swMSM
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update Installer for WildTangent Games App
Walmart MP3 Music Downloads
WildTangent Games
WildTangent Games App
WildTangent Games App (Dell Games)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== Event Viewer Messages From Past Week ========
.
4/28/2012 6:32:28 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: D@01010004
4/25/2012 9:59:55 PM, Error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
4/22/2012 8:30:15 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
.
==== End Of File ===========================

Kactus · Apr 29, 2012

Here are the Super Anti Spware Results (SAS):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/29/2012 at 01:04 AM
Application Version : 5.0.1148
Core Rules Database Version : 8528
Trace Rules Database Version: 6340
Scan type : Complete Scan
Total Scan Time : 01:54:03
Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User
Memory items scanned : 631
Memory threats detected : 0
Registry items scanned : 65957
Registry threats detected : 0
File items scanned : 282262
File threats detected : 200

Edit: Multiple Adware.Tracking Cookies deleted by Bobbye

Trojan.Agent/Gen-Krpytik
C:\OLD\C\01COMM32\BIN\01ABOU32.DLL
C:\OLD\C\01COMM32\BIN\AUTOCT32.DLL
C:\OLD\C\01COMM32\BIN\IMG32MFX.DLL
C:\OLD\C\01COMM32\BIN\INSTFAX.EXE
C:\OLD\C\01COMM32\BIN\PRINTD32.DLL
C:\OLD\C\01COMM32\BIN\WSCANI32.DLL
ALL Findings were quarantined per the program.

Thanks

Bobbye · Apr 29, 2012

Welcome to TechSpot! I'll be glad to help with the malware. Give me a few minutes to check the logs and I'll be back with instructions.

I'm going to delete the SAS log. I will give you instructions to reset the Cookies to prevent the Tracking Cookies. Please don't run any other scans.
===================================================
My Guidelines: please read and follow:

Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
File sharing programs should be uninstalled or disabled during the cleaning process..
Observe these:
[o] Don't follow directions given to someone else
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.

Threads are closed after 5 days if there is no reply.

Bobbye · Apr 29, 2012

I note you are running the old version of Paint Shop Pro:

On October 14, 2004, Corel Corporation acquired Jasc Software and its Paint Shop Pro operations.
November 28, 2007, Corel announced the closure of the Minneapolis office.[2] This effectively put an end to the former Jasc Software establishment.

Jasc Paint Shop Pro 7.0 [OLD VERSION]
by Jasc Software
Platform: Windows NT / 98 / 2000 / Me / XP / 95

The entry for this is uRun: [Jasc] rundll32.exe C:\Users\Deb\AppData\Local\Jasc\nhxvobcb.dll,m4OutVideoInit
This may not be related to your redirect problem but it does not show as compatible with Win 7.
===========================================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

Click START> then RUN
Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HEREand save to the desktop

Double click combofix.exe

& follow the prompts.
If prompted for Recovery Console, please allow.
Once installed, you should see a blue screen prompt that says:
- The Recovery Console was successfully installed.[/b]
- Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
- Note: No query will be made if the Recovery Console is already on the system.
.Close/disable all anti virus and anti malware programs
(If you need help with this, please see HERE)
.Close any open browsers.
.Click on Yes, to continue scanning for malware
.If Combofix asks you to update the program, allow
When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=================================
Then I'd like you to do an online virus scan:
To run the Eset Online Virus Scan:
If you use Internet Explorer:

Open the ESETOnlineScan
Skip to #4 to "Continue with the directions"

If you are using a browser other than Internet Explorer
Open Eset Smart Installer
[o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
[o] Double click on the desktop icon to run.
[o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
Continue with the directions.
Check 'Yes I accept terms of use.'
Click Start button
Accept any security warnings from your browser.
Uncheck 'Remove found threats'
Check 'Scan archives/
Leave remaining settings as is.
Press the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
When the scan completes, press List of found threats
Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
Push the Back button, then Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
========================================
Please leave the logs for Combofix and Eset in your next reply.

Kactus · Apr 29, 2012

Hi Bobbye, thanks so much for your time. Below are the two scans you asked for. If interested when I was running the ComboFix scan a note box kept popping up before each and every completed stage that read:"Windows cannot find NIRKMD. Make sure you typed it correctly and then try again". I had to acknowledge by clicking the "OK" button each time in order for the scan to continue. Not sure if that's how it's supposed to work or not but it did provide a log for me.

ComboFix scan:

ComboFix 12-04-29.02 - Deb 04/29/2012 13:25:14.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.4382 [GMT -5:00]
Running from: c:\users\Deb\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\deb old\WINDOWS
c:\users\Deb\GoToAssistDownloadHelper.exe
c:\users\Deb\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-29 )))))))))))))))))))))))))))))))
.
.
2012-04-29 04:01 . 2012-04-29 04:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-29 04:01 . 2012-04-29 04:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-04-29 03:29 . 2012-04-29 03:29 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-04-28 23:58 . 2012-04-28 23:58 -------- d-----w- c:\users\Deb\AppData\Roaming\Malwarebytes
2012-04-28 23:58 . 2012-04-28 23:58 -------- d-----w- c:\programdata\Malwarebytes
2012-04-28 23:58 . 2012-04-28 23:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-28 23:58 . 2012-04-04 20:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-25 23:56 . 2012-04-25 23:56 -------- d-----w- c:\users\Deb\AppData\Local\Jasc
2012-04-12 08:03 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-12 08:03 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-12 08:03 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-12 08:01 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 08:01 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 08:01 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 08:01 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 08:01 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-12 08:01 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-12 08:01 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-11 12:13 . 2012-02-28 06:35 451072 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2012-04-11 12:13 . 2012-02-28 05:34 163328 ----a-w- c:\program files (x86)\Internet Explorer\ieproxy.dll
2012-04-11 12:13 . 2012-02-28 04:31 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-11 12:13 . 2012-02-28 03:52 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-29 03:29 . 2010-12-08 15:42 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-10 19:14 . 2011-03-07 01:43 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-02-22 18:29 . 2010-12-08 15:52 10248 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-02-22 18:29 . 2010-01-06 00:04 75936 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2012-02-22 18:29 . 2010-01-06 00:04 65264 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-02-22 18:29 . 2010-01-06 00:04 647208 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-02-22 18:29 . 2010-01-06 00:04 487296 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-02-22 18:29 . 2010-01-06 00:04 289664 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-02-22 18:29 . 2010-01-06 00:04 229528 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-02-22 18:29 . 2010-01-06 00:04 160792 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-02-22 18:29 . 2010-01-06 00:04 100912 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-02-17 06:38 . 2012-03-14 13:44 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 13:44 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 13:44 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 13:44 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 17:09 . 2012-02-14 17:09 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-10 06:36 . 2012-03-14 13:45 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 13:45 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-03 04:34 . 2012-03-14 13:45 3145728 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jasc"="c:\users\Deb\AppData\Local\Jasc\nhxvobcb.dll" [2011-12-12 352496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2010-01-27 237568]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2011-03-28 1611160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [2010-07-21 165184]
.
c:\users\deb old\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
c:\users\Deb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 MHIKEY10;MHIKEY10;c:\windows\system32\Drivers\MHIKEY10x64.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2010-07-30 25072]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-03-20 210584]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2012-03-20 162192]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-12 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-05 23:47]
.
2012-04-28 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-05 23:47]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-09 10060832]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1744152]
"Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-03-15 2779024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = hxxp://localhost
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
Toolbar-Locked - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Canon\CAL\CALMAIN.exe
c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
.
**************************************************************************
.
Completion time: 2012-04-29 13:35:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-29 18:35
.
Pre-Run: 887,126,233,088 bytes free
Post-Run: 887,376,560,128 bytes free
.
- - End Of File - - 6E68387A5967D516B6CE118BEC1A1E37
ESET Scan:

C:\Users\Deb\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\596ddf9a-37a5d6fa a variant of Java/Exploit.Agent.NBE trojan

As an FYI, I downloaded the newest version of Java yesterday from their website. A friend had mentioned that an earlier version had a problem and perhaps I didn't have the latest fix so I figured I should update it. Wonder if this one was bad?

Bobbye · Apr 30, 2012

Here is some help to prevent the Tracking Cookies: If you checked for SAS to remove what was found, good. If you did not, go ahead and reset the Cookies, then go back and run SAS again, checking for removal of entries.

Reset Cookies
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
======================================
NIRCAM can be different things. In this case, it is a part of Combofix. So if it ram and generated the log, no problem. You did the right thing.
=======================================
About Java updates: Java should always be kept updated with the latest update. The updates are put out for security reasons and when outdated versions are still on the system, they are vulnerabilities. Sun has just started overwriting the previous version- if it is numerically the update right before. But otherwise, you will need to remove any outdated versions.
Java(TM) 6 Update 14<<< this is outdated. Remove
Java(TM) 6 Update 31<<<this is the current version. Keep
----------------------------------
And a note: Every logs I see has the Java updater: jusched.exe. I don't use this and I discourage others from using it for 3 reasons:
1. Until recently, Java hasn't been overwriting the previous version. And the update does not remove older versions. I've seen users with as many as 7 outdated versions on the system. Even if they put the current version on, each of the old versions are vulnerabilities.
2. If you use the updating feature in the Control Panel> Java> Update, you have to be careful to uncheck the pre-check items on the download screen before you download or you'll end up with a toolbar, BHO or other something you dont' want.
3. Malware loves to hide under the jusched file name! I think it's safe to check for an update once in a while that it is to have the auto-updated.
=============================================
Please update the Adobe Reader: Adobe Reader Update . The current version is vX(10.xxx). Uninstall the earlier version as it is a vulnerability.
=============================================
About PaintShop Pro: Did you read the information I left about Jasc/PSP being outdated? Support likely isn't available and you won't get updates. There are still processes running under the old names. If you ever decide to update see Corel PaintShop Pro X4 Ultimate.
=============================================
For the Eset entry: Please download OTMovit by Old Timerand save to your desktop.

Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:

:Files
C:\Users\Deb\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\596ddf9a-37a5d6fa 
:Commands
[purity]
[emptytemp]
[emptyjavacache]
[start explorer]
[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===============================================
Are you still being redirected? Combofix looks good.

Kactus · May 1, 2012

Hi Bobbye,

Wow, thanks so much for all your advice, I've performed the following

Here is some help to prevent the Tracking Cookies: If you checked for SAS to remove what was found, good. If you did not, go ahead and reset the Cookies, then go back and run SAS again, checking for removal of entries.

I reset the cookiies like you described and then ran SAS again. It found 117 tracking cookies which have been quaranteened and deleted. I'll guess they were all aquired in the past couple of days after my first deletion. I assume the reset instructions you provided will prevent them from now on, or is there something else I need to do as well?

Java(TM) 6 Update 14<<< this is outdated. Remove

I removed Java 6, and while in the process I noticed that I not only have version 31 but also Java 6 update 21(64bit). Should I keep this one as well?

3. Malware loves to hide under the jusched file name! I think it's safe to check for an update once in a while that it is to have the auto-updated.

I don't have a problem manually updating Java if it will keep me out of trouble, I just don't know how to stop the auto-update. Please let me know if you don't mind.

Please update the Adobe Reader: The current version is vX(10.xxx). Uninstall the earlier version as it is a vulnerability.

Done, and there was also a recent patch for the 10.1.3 version that I also downloaded.

About PaintShop Pro

I deleted it and thank you for the link to their latest version. I haven't purchased it yet and will consider.

For the Eset entry

Please see the attached log:

All processes killed
========== FILES ==========
C:\Users\Deb\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\596ddf9a-37a5d6fa moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Deb
->Temp folder emptied: 167756 bytes
->Temporary Internet Files folder emptied: 1502511075 bytes
->Java cache emptied: 645174 bytes
->Flash cache emptied: 147385 bytes

User: deb old
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 9962703 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 608 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 69543 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,443.00 mb

OTM by OldTimer - Version 3.1.19.0 log created on 05012012_201314
Files moved on Reboot...
C:\Users\Deb\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
Registry entries deleted on Reboot...

Are you still being redirected? Combofix looks good.

I'm not being redirected anymore in Google, however now other things are acting pretty squirrely. If I put a search term into google and hit my enter button or the search button on googles page nothing happens. I've found that the only way it will do a search is if I hit my refresh button on my IE toolbar. And yesterday after logging into my hotmail account the upper portion of the page where the toolbar is was a partial duplicate of the email listing that was in the lower portion. And if that's not enough the Google tab I have open at the moment is locked up and won't close, so, I'm going to try to reboot and see if that does anything. I can't tell you how much I appreciate your help, I'd be in deep mud right now without you.

Kactus · May 1, 2012

Hi Bobbye,

Wow, thanks so much for all your advice, I've performed the following

Here is some help to prevent the Tracking Cookies: If you checked for SAS to remove what was found, good. If you did not, go ahead and reset the Cookies, then go back and run SAS again, checking for removal of entries.

I reset the cookiies like you described and then ran SAS again. It found 117 tracking cookies which have been quaranteened and deleted. I'll guess they were all aquired in the past couple of days after my first deletion. I assume the reset instructions you provided will prevent them from now on, or is there something else I need to do as well?

Java(TM) 6 Update 14<<< this is outdated. Remove

I removed Java 6, and while in the process I noticed that I not only have version 31 but also Java 6 update 21(64bit). Should I keep this one as well?

3. Malware loves to hide under the jusched file name! I think it's safe to check for an update once in a while that it is to have the auto-updated.

I don't have a problem manually updating Java if it will keep me out of trouble, I just don't know how to stop the auto-update. Please let me know if you don't mind.

Please update the Adobe Reader: . The current version is vX(10.xxx). Uninstall the earlier version as it is a vulnerability.

Done, and there was also a recent patch for the 10.1.3 version that I also downloaded.

About PaintShop Pro

I deleted it and thank you for the link to their latest version. I haven't purchased it yet and will consider.

For the Eset entry

Please see the attached log:

All processes killed
========== FILES ==========
C:\Users\Deb\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\596ddf9a-37a5d6fa moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Deb
->Temp folder emptied: 167756 bytes
->Temporary Internet Files folder emptied: 1502511075 bytes
->Java cache emptied: 645174 bytes
->Flash cache emptied: 147385 bytes

User: deb old
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 9962703 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 608 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 69543 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,443.00 mb

OTM by OldTimer - Version 3.1.19.0 log created on 05012012_201314
Files moved on Reboot...
C:\Users\Deb\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
Registry entries deleted on Reboot...

Are you still being redirected? Combofix looks good.

I'm not being redirected anymore in Google, however now other things are acting pretty squirrely. If I put a search term into google and hit my enter button or the search button on googles page nothing happens. I've found that the only way it will do a search is if I hit my refresh button on my IE toolbar. And yesterday after logging into my hotmail account the upper portion of the page where the toolbar is was a partial duplicate of the email listing that was in the lower portion. And if that's not enough the Google tab I have open at the moment is locked up and won't close, so, I'm going to try to reboot and see if that does anything. I can't tell you how much I appreciate your help, I'd be in deep mud right now without you.

This is an update: I just rebooted and google is still acting up. I put in a search term and hit my enter button. Nothing happens. I hit the search button on their page and nothing. I hit refresh and it will perform the search. Then if I enter a different search term and hit my enter button nothing, then when I hit refresh it took me back to the previous search term. I have to also hit their search button on their page and then hit refresh for it to perform a new search. This is all an entirely new problem that started yesterday. Geeze or pete

Bobbye · May 2, 2012

Okay, let's go down the list first:
1. Java 6 update 21(64bit).<<< Delete. Only keep the most current version at any time.
2. From OTM: Total Files Cleaned = 1,443.00 mb Way too mny excess files to be carryinng around. Set up a maintenance program to regularly delete temporary internet files and Cookies, disc cleanup, Error Check, Defrag.
3. Your last 2 paragraphs above are related to the system: Not enough RAM/Ram chip gone bad.-or-Problem with graphics card/may need driver update.
At one point, your system showed System Uptime: 4/29/2012 8:08:39 AM (2 hours ago). If this is happening soon after rebooting, it's probably the graphics card. If it happens after you're been up for a while, it's probably RAM. And there is a possibiity that it could be both.
4. Most Tracking Cookies aare embedded in ads or banners. These are 3rd party Cookies. But some site may have a very lax Privacy Policy and for their own reasons, may track you to get information. Help for this is to use a Site Advisor. A good one will warn about site reported to have bad reputations and one rating is this policy. I use and recommend
The Web of Trust (WOT) This rates on Trustworthiness, Vendor Reliability, Privacy, Child Safety.Your online email account – Google Mail, Yahoo! Mail and Hotmail is also protected.
5. It's important ot check the installed programs once in a while and uninsll what you aren't using. For instance:
Are you using all of these? (Sorry- the quote box is missing!)
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software>>Do you use Dell Support?
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide>> After 2 years, you probably already have the system set up!
-----------------------------------------
Are you getting Remote Support?
GoToAssist Corporate> Remote-Support Platform For Your Organization. Free 30-Day Trial!
------------------------------------------
3 entries for this- any overlap here?
WildTangent Games
WildTangent Games App
WildTangent Games App (Dell Games)

Kactus · May 2, 2012

Hi Bobby,

I'll answer as best I can beginning at the top.
1. I deleted the Java 21
2. My task manager was already set up to defrag weekly. I just set up the disc cleanup to run weekly as well.
I'm not sure how to set up cleaning up temp internet files or cookies. I'm using IE8. Should I upgrade to IE9?
3. The problem with google not searching when I hit the enter or search button only started after trying to solve for the redirects. I respect your knowledge more than you know, though it would be quite the coincindence that my graphic card or Ram started failing after following your help advice. Is there anything else that could cause this problem besides a hardware failure.
4. I'm going to download the WOT program, that should help me out a ton and keep me out of this same mess again.
5. As far as I know I am not using any of those Dell programs, is it ok to uninstall them?. As for thier support, they helped me about a year ago, I had to pay for it, because the computer would not come out of sleep mode unless I hit the off button located on the tower. Not sure what they did but it worked and my computer awoke as it did when I first got it. When you say "GoToAssist Corporate> Remote-Support Platform For Your Organization. Free 30-Day Trial!" I don't know where that is, couldn't find it anywhere.

All of those games came installed on my computer when I bought it and I haven't added any others so I'm not sure if the ones you listed above are overlap of each other or not.

As you can tell I'm not real computer savvy when it comes to this stuff, all the more reason why I appreciate you and your help and any and all advice you offer.

Kactus · May 2, 2012

Hi Bobbye,

I noticed that the google page even looks a bit different now as well. There's a large space at the top that wasn't there before. I uploaded a snippet picture of it so you can see what I mean since it's not always easy to describe.
Thanks!

Kactus · May 3, 2012

I tried rebooting a couple of times to see if that would make a difference and each time I rebooted a box came up saying a jasc file wasn't found. I uploaded a copy for your viewing since I have no idea what it means. Thanks

Bobbye · May 3, 2012

Here are some How To and Where to find

Cleaning temp files:

1. Use TFC (Temp File Cleaner) occasionally:
Download TFC to your desktop

Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

or
2. Control Panel (or Tools in IE)> Internet Options> General tab> Temporary Internet Files> Delete TIF and/or Cookies from here> then Settings> For 'check for newer versions> Click on 'Never'> For amount of disk space to use> Slider can be moved all the way to the left or anywhere in between (The more space, the more TIF that will 'collect)> Click on OK> Apply> OK to close.
You can also set # of days to save TIF in History. Again, the more days, the more TIF that will collect. I have 3 days set,

System Maintenance
Open Windows Explorer (Right click on Start> Explore> Click on Computer> Right click on Local Drive(C)> Properties> General tab> Disc Cleanup.

Same path to Properties> Tools tab> Error Check and Defrag are each available from here. These can be done monthly.

Note Cleaning the temporary internet files frequency is based on usage. The more you use the system, the more often to clean. Normal use should be okay to do once a week.
========================================
The Google image looks okay to me. If you have an ad blocker, the 'white space' may be a blocked ad.
-------------------------------------------------
Remember, you uninstalled the Jasc program. But if must still be on Startup, so when you reboot, system is looking for the program but can't find it.
Look for anything related to this checked on the Startup Menu using msconfig: Any Jasc or nhxvobcb.dll and uncheck them.

Click on the Windows 7 start icon in the bottom left corner of your screen.
Type MSCONFIG in the search box> press enter or double-click on the MSCONFIG program that appears in the search results.
Click on Selective Startup
Click on the Startup tab. You will now see the System Msconfig Utility

Windows 7 loads almost all of Windows' essential programs are loaded through Windows Services. So most of the startup items you see here are optional and can be turned off.
Important! When in doubt, leave it on-or- use a Startup database to identify a process you are not sure of.
Uncheck any process you don't want to start on boot.
When finished> click on OK
Reboot the computer.
When you see this message come up: Check 'don't show this message again'> then Restart.

Images courtesy NetSquirrel

The only processes that need to start on boot are the antivirus program, third party firewall if you have one, touchpad if on laptop and network processes if using third party software for network. Any other entries in this section can be Unchecked.

This does not remove a process or program- it can still be accessed when needed through All Programs. And you can go back at a later time and reset the default programs if needed.

I've got to leave for a while- I'll check bck with you later this afternoon.

Kactus · May 3, 2012

Hi Bobbye, Here's what I did:

1. First thing I did was go into the msconfig file to see if the jasc program was there. I found it and unchecked it. Then I hit APPLY and the System Config box you have pasted above came up. I then hit restart. When the computer was coming back on I knew something was wierd cause it was taking forever. It finally opened with a black screen and just the recycle bin in the upper left corner. I clicked on Start and typed in msconfig but it wouldn't do anything and there were no programs showing. In fact nothing was showing on the entire right hand side. So, I clicked on Control Panel and was able to figure out how to do a system restore. I restored the computer to the time just before I removed the jasc. Then rebooted. The computer booted back fine and then I checked the msconfig again. I noticed the jasc was now gone and thought hmmmm, that's funny.

Next I followed your system maintenance instructions and cleaned the disc.
Then I cleaned all Temp Internet Files through IE's tools and set the history down to 3 days.

Next I downloaded TFC and when I clicked on it to run it ,it seemed to lock up my computer, so then I tried to reboot and a tfc file system error message came up that I attached for you to see.. Then clicked ok and clicked on the TFC program again. This time it opened up and I was able to run it like you suggested.

Then the computer rebooted and when it came back that Jasc message was there again. So, again I went into msconfig and it was there again. Now I was kinda leary of unchecking it again but I did, and then I made sure I clicked on OK and not APPLY. Rebooted and the message never came back, YEAH.

I then tried to do a search on google again and still same-o same-0. However one thing I noticed is at the bottom left hand corner of the google page after I hit my enter key or the pages search key it says Error on Page and there's a little yellow triangle next to it. I just think somethings up with this since I'm not having trouble searching on any other search engines and this google problem only started after fixing the malaware/virus problems. So, any help would sure be appreciated. Thanks!

Kactus · May 4, 2012

Hi Bobbye, I just thought I'd give you an update. A couple of hours ago I went on my computer, tried to come to this site and it wouldn't let me, acted as if your site was down or something cause couldn't connect. So I went and tried to go to google and it was acting kind of slow and IE locked up. I ended up closing the window and then tried opening IE again. It asked if I wanted to restore the link and I clicked yes. So when google opened I put in a search term, hit my enter key and WALLA, it worked. Tried it again and again and now it's working good again. YEAH! Then I tried your site and it connected no problem. So I don't know what the heck happened but that cootie is gone

Bobbye · May 4, 2012

So you had an assortment of glitches, ghosties and gremlins- oh my! Could have been a combination of your system and the sites- or possibly just one or the other. You weren't specific about some of the error messages> For instance "error on site" can usually be identified if you hover the mouse cursor over the error icon. If that doesn't show you, try doing a right click on the icon.

It is interesting though that the problems seem to resolve after a reboot. Please check to see how much RAM is installed:
Click on Start> Control Panel> System. On the General Properties tab, you should see the amount of RAM installed. Please let me know what that is.

Some problems could have been caused by:

2. From OTM: Total Files Cleaned = 1,443.00 mb Way too many excess files to be carrying around.

I don't know what the Jasc problem was. But since you did the system restore, we need to repeat this scan:

Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the the Perform Full Scan option is selected and then click on the Scan button.
When scan has finished, you will see this image:

Click on OK to close box and continue.
Click on the Show Results button.
Click on the Remove Selected button to remove all the listed malware.
At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.

------------------------------------
Then let's run this:
First, set up a Directory for HijackThis as follows:
Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis and save to your desktop.

Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
Extract it to the directory on your hard drive you created C:\HijackThis.
Then navigate to that directory and double-click on the hijackthis.exe file.
When started click on the Scan button and then the Save Log button to create a log of your information.
The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Kactus · May 5, 2012

Hi Bobbye, Below are the results of your request.

1. Installed Ram: 6.00 GB (5.80 useable)

2. MBAM Scan

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.05.06
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Deb :: DEB-PC [administrator]
5/5/2012 10:07:37 AM
mbam-log-2012-05-05 (10-07-37).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 460947
Time elapsed: 1 hour(s), 45 minute(s), 52 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
One thing to let you know about this was the virus that was found when I ran this the first time for you was of course quarateened but not deleted (Exploit.drop) So I deleted it, hope this is ok, was worried about it getting loose or something.

3. Hijack This log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:27:42 PM, on 5/5/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Deb\AppData\Local\Temp\Temp1_HijackThis.zip\HijackThis.exe
C:\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120424174912.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
O4 - HKLM\..\Run: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} (20-20 3D Viewer for IKEA) - http://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_Win32.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~2\mcafee\msc\mcsniepl.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files (x86)\Canon\CAL\CALMAIN.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\mcafee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Dell DataSafe Online (NOBU) - Dell, Inc. - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 11359 bytes
One thing to note about this was when I started the program a note came up that I uploaded for your veiwing, I just clicked OK and then it started it's scan. And the box with the list of the hijack this scan is still open on my desktop and I have not checked anything for it to fix. Thanks

I was also wondering something, since I'm using McAfee and I got all these problems I'm wondering if I shouldn't be using a better security systems such as Kapersky, Bitdefender or Norton or ??? What do you suggest or use yourself? Thanks

Bobbye · May 5, 2012

The Exploit.drop processes are usually in the Java cache and usually due to havin an outdated version of Jva on the system.

My preferences for security are to use free-standing programs, not suites. Over time, I have found that many/most of the suites come padded with processes I don't need or use. The one I usually pay for is the Eset Node32 antivirus. This isn' just the online scan-it's Real Time protection that so far, has kept me safe. I use the Windows Firewall, but main firewall is hardware firewall found in the rounter.

I've included antispyware suchs Spywareblaster, Spybot Search amd Destroy as residents. I also use a couple of utilities to help with cleaning.
=============================================
Let's get a better look at 3the security in the system:

Remove Webroot

[1] Scroll down to Remove Webroot and click on this word Remove.
[2] Download SSECleanup.zip ans save to a known location on your computer such as the desktop.

Before running the tool, do this:

[3] Once downloaded open the folder SSECleanup.zip then double-click the file SSECleanup.exe in the folder SSECleanup.zip.
[4] A Window will pop up- wait until the window closes itself.
[5] Once the window closes Webroot Spysweeper will be removed from the computer.

To stop the service, Start > Run> type "Services.msc"> find each of the following Services> double-click on each> change the Startup type to Disabled> Stop the Service:
WebrootSpySweeperService
WRConsumerService

Reboot into Normal Mode
Look through the list of services for any associated with Webroot Spysweeper and disable them. Reboot, then remove all traces of Spysweeper, including registry entries.

Go to the program start menu folder and you will find an entry titled "uninstall spysweeper', use that, if you can't find that go c:\program files\webroot\spy sweeper\unins000.exe and execute it. Shut spy sweeper down first.

Kactus · May 7, 2012

Hi Bobbye, Well, I may be in over my head on your last instructions or I'm doing something wrong. I downloaded SSE Cleanup to my desktop. Then right clicked on the zip file and said Extract. Explorer opened and I double clicked on the SSE cleanup. exe file (the only file showing) and a window popped up that asked me if I wanted to run the program. I let is sit around 4 minutes or so and it didn't go away so I said cancel . I uploaded a picture of what I saw so you can let me know what I did wrong or did I not wait long enough.

Then if I get past this your next instructions say IF I want to stop the service to the following and then reboot. My questions is do I really want to stop the service, heck, I don't know if I want to or not since I have no idea what I'm doing. Then after I reboot I'm to look over the list of services for any thing associated with Webroot and disable them. How do I look over the services? Where will this list be? I'm sorry, I wish I understood all this stuff better. Thanks

Bobbye · May 7, 2012

You're making something that is easy, difficult. Okay to Run on the Security Warning.
Okay to stop the Webroot Services if still on system after uninstall.

Kactus · May 8, 2012

Hi Bobbye, I'm sorry for my ignorance, I'm just trying to understand what I'm about to do so I don't mess up. Am I trying to run or remove Webroot Spysweeper by running SSE cleanup.exe? Please bear with me, this is all new stuff and not as simple as your previous instructions. Thanks

Bobbye · May 8, 2012

[size=4You told me that you didn't know you had SpySepper on the system. although it has been active for several years. Having this running while you are doing the scans may cause a problem with the other scans.

[1] Scroll down to Remove Webroot and click on this word Remove.
[2] Download SSECleanup.zip ans save to a known location on your computer such as the desktop.

Before running the tool, do this:
[3] Once downloaded open the folder SSECleanup.zip then double-click the file SSECleanup.exe in the folder SSECleanup.zip.
[4] A Window will pop up- wait until the window closes itself.
[5] Once the window closes Webroot Spysweeper will be removed from the computer.[/list]

To stop the service, Start > Run> type "Services.msc"> find each of the following Services> double-click on each> change the Startup type to Disabled> Stop the Service:
WebrootSpySweeperService
WRConsumerService

Reboot into Normal Mode
Look through the list of services for any associated with Webroot Spysweeper and disable them. Reboot, then remove all traces of Spysweeper, including registry entries.[/size]

Go to the program start menu folder and you will find an entry titled "uninstall spysweeper', use that, if you can't find that go c:\program files\webroot\spy sweeper\unins000.exe and execute it. Shut spy sweeper down first.

Kactus · May 11, 2012

Hi Bobbye, Sorry I didn't get back to you yesterday but got a chance today to finally run the SSE Cleanup exe program and then went into the Services file to look for the webrootspysweeper service. But I didn't find anything like this in that file. So I rebooted and looked in services again and still no webroot spysweeper. I then went into my c:|program files and didn't see anything in there either. So I'm guessing it must be gone??? Thanks and hope you're having a great day!

Bobbye · May 11, 2012

You can uninstall any of the programs I asked you about if you don't use them. For any program you uninstall, use Windows Explorer (Right click on Start> Explore) to access Computer> Local Drive(C)> Programs> Find program folder for each of those programs and do a Right click> Delete.

GoToAssist Corporate is listed in the installed programs. Okay to uninstall.

I am a bit uncertain about the 'redirect' you are describing. Typical description of a redirect is: Enter a search in the search engine box> Search> Choose (Click) on of the hits (sites). Instead of the site you choose coming up, a different site loads, usually for 'search something', an ad site or something totally unrelated for what you re looking for.

Is that what's happening?

Which browser are you using when this happens? Does it happen on all searched with this browser?

The logs look good.

Kactus · May 12, 2012

Typical description of a redirect is: Enter a search in the search engine box> Search> Choose (Click) on of the hits (sites). Instead of the site you choose coming up, a different site loads, usually for 'search something', an ad site or something totally unrelated for what you re looking for.

Is that what's happening?

Hi Bobbye, Yes, that is exactly what was happening and I am using IE8. However now since I've been working with you on all your instructions it has not been a problem any longer. It looks like you fixed me with all the programs you had me download to my desktop and your expertise

.

Solved Redirect on Google searches

Posts: 52 +0

Posts: 52 +0

Posts: 16,313 +36

Posts: 16,313 +36

Posts: 52 +0

Posts: 16,313 +36

Posts: 52 +0

Posts: 52 +0

Posts: 16,313 +36

Posts: 52 +0

Posts: 52 +0

Attachments

Posts: 52 +0

Attachments

Posts: 16,313 +36

Posts: 52 +0

Attachments

Posts: 52 +0

Posts: 16,313 +36

Posts: 52 +0

Attachments

Posts: 16,313 +36

Posts: 52 +0

Attachments

Posts: 16,313 +36

Posts: 52 +0

Posts: 16,313 +36

Posts: 52 +0

Posts: 16,313 +36

Posts: 52 +0

Similar threads