erbishop

Members
  • Posts

    18
  • Joined

  • Last visited

Reputation

0 Neutral
  1. I was able to fix it myself...no worries. Never have revisited the thechive.com website where I picked it up both times. Thanks,
  2. Redirect still active in Firefox browser, please advise.
  3. cnet_myibay-setup_exe.exe;C:\Documents and Settings\Reception\My Documents;Adware.InstallCore.2;;
     dds.scr;C:\Documents and Settings\Reception\My Documents\Downloads;Trojan.MulDrop3.6866;Incurable.Moved.;
     What is the OTL log?
  4. I see your response now...thread was not showing properly for some reason.
  5. I don't see my post about not wanting to use IE. Anyway, I posted earlier about being hesitant to use IE for anything. I actually had deleted it, but it reappeared at some point during our fixes; I would prefer to just delete it again. Anything else besides a program that uses IE?
  6. I would prefer not to use Internet Explorer. Seems like something bad happens every time it's open. I had deleted it, but during the course of some of these repairs it appears to be back (an old version). I would rather delete the program than use it again. Anything else we can do instead? Have a good weekend.
  7. Everything seems to be in order. Do I need to perform any additional diagnostics on the computer? Thanks so much for your help.
  8. Awesome! How come we couldn't find these to begin with?
  9. Status: Deleted (events: 2)
     11/30/2011 4:18:26 PM Deleted Trojan program Trojan.Win32.Searches.adj C:\System Volume Information\_restore{796C785C-9BA7-4A7A-9E47-006AAD54BD0A}\RP316\A0042053.dll High
     11/30/2011 4:18:26 PM Deleted Trojan program Trojan.Win32.Searches.adj C:\System Volume Information\_restore{796C785C-9BA7-4A7A-9E47-006AAD54BD0A}\RP316\A0042053.dll//DoomPack High
  10. After the last ComboFix I haven't been able to reproduce the redirect problem.
  11. aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
      Run date: 2011-11-29 16:30:10
      -----------------------------
      16:30:10.625 OS Version: Windows 5.1.2600 Service Pack 3
      16:30:10.625 Number of processors: 2 586 0x403
      16:30:10.625 ComputerName: FRONT-DESK-PC UserName: Reception
      16:30:11.781 Initialize success
      16:30:15.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
      16:30:15.468 Disk 0 Vendor: ST380819AS 8.03 Size: 76293MB BusType: 3
      16:30:17.500 Disk 0 MBR read successfully
      16:30:17.500 Disk 0 MBR scan
      16:30:17.500 Disk 0 Windows XP default MBR code
      16:30:17.500 Disk 0 scanning sectors +156232125
      16:30:17.578 Disk 0 scanning C:\WINDOWS\system32\drivers
      16:30:22.000 Service scanning
      16:30:23.000 Modules scanning
      16:30:25.718 Disk 0 trace - called modules:
      16:30:25.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
      16:30:25.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86560ab8]
      16:30:25.750 3 CLASSPNP.SYS[f75fefd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x865e7590]
      16:30:25.750 Scan finished successfully
      16:30:43.484 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Reception\Desktop\MBR.dat"
      16:30:43.484 The log file has been saved successfully to "C:\Documents and Settings\Reception\Desktop\aswMBR.txt"
  12. ComboFix 11-11-29.04 - Reception 11/29/2011 16:13:40.2.2 - x86
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.582 [GMT -5:00]
      Running from: c:\documents and settings\Reception\Desktop\ComboFix.exe
      Command switches used :: c:\documents and settings\Reception\Desktop\CFScript.txt
      .
      .
      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      c:\documents and settings\Reception\Application Data\Azureus
      c:\documents and settings\Reception\Application Data\Azureus\.certs
      c:\documents and settings\Reception\Application Data\Azureus\.keystore
      c:\documents and settings\Reception\Application Data\Azureus\.lock
      c:\documents and settings\Reception\Application Data\Azureus\active\cache.dat
      c:\documents and settings\Reception\Application Data\Azureus\azureus.config
      c:\documents and settings\Reception\Application Data\Azureus\azureus.config.bak
      c:\documents and settings\Reception\Application Data\Azureus\azureus.statistics
      c:\documents and settings\Reception\Application Data\Azureus\azureus.statistics.bak
      c:\documents and settings\Reception\Application Data\Azureus\devices.config
      c:\documents and settings\Reception\Application Data\Azureus\devices.config.bak
      c:\documents and settings\Reception\Application Data\Azureus\dht\addresses.dat
      c:\documents and settings\Reception\Application Data\Azureus\dht\contacts.dat
      c:\documents and settings\Reception\Application Data\Azureus\dht\diverse.dat
      c:\documents and settings\Reception\Application Data\Azureus\dht\general.dat
      c:\documents and settings\Reception\Application Data\Azureus\downloads.config
      c:\documents and settings\Reception\Application Data\Azureus\downloads.config.bak
      c:\documents and settings\Reception\Application Data\Azureus\ipfilter.cache
      c:\documents and settings\Reception\Application Data\Azureus\logs\debug_1.log
      c:\documents and settings\Reception\Application Data\Azureus\logs\Plugin Update_1.log
      c:\documents and settings\Reception\Application Data\Azureus\logs\UPnP_1.log
      c:\documents and settings\Reception\Application Data\Azureus\metasearch.config
      c:\documents and settings\Reception\Application Data\Azureus\metasearch.config.bak
      c:\documents and settings\Reception\Application Data\Azureus\net\pm_22773.dat
      c:\documents and settings\Reception\Application Data\Azureus\net\pm_default.dat
      c:\documents and settings\Reception\Application Data\Azureus\plugins\aefeatman_v\aefeatman_v_1.2.jar
      c:\documents and settings\Reception\Application Data\Azureus\plugins\aefeatman_v\aefeatman_v_1.2.zip
      c:\documents and settings\Reception\Application Data\Azureus\plugins\aefeatman_v\plugin.properties
      c:\documents and settings\Reception\Application Data\Azureus\plugins\aefeatman_v\plugin.properties_1.2
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azupnpav\cd.dat
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\azutp_0.2.8.jar
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\azutp_0.2.8.zip
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\azutp_0.2.9.jar
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\azutp_0.2.9.zip
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\plugin.properties
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\plugin.properties_0.2.9
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\plugin_install.properties
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\plugin_install.properties_0.2.9
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\win32\LICENSE
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\win32\LICENSE.bak
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\win32\msvcr100.dll
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\win32\msvcr100.dll.bak
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\win32\utp.dll
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\win32\utp.dll.bak
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\x64\LICENSE
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\x64\LICENSE.bak
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\x64\msvcr100.dll
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\x64\msvcr100.dll.bak
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\x64\utp.dll
      c:\documents and settings\Reception\Application Data\Azureus\plugins\azutp\x64\utp.dll.bak
      c:\documents and settings\Reception\Application Data\Azureus\sidebarauto.config
      c:\documents and settings\Reception\Application Data\Azureus\sidebarauto.config.bak
      c:\documents and settings\Reception\Application Data\Azureus\tables.config
      c:\documents and settings\Reception\Application Data\Azureus\tables.config.bak
      c:\documents and settings\Reception\Application Data\Azureus\tmp\AZU3267646735246781106.tmp
      c:\documents and settings\Reception\Application Data\Azureus\tmp\AZU4518990992366965161.tmp
      c:\documents and settings\Reception\Application Data\Azureus\tmp\AZU5247856705134621498.tmp
      c:\documents and settings\Reception\Application Data\Azureus\tmp\AZU6821208663899404670.tmp
      c:\documents and settings\Reception\Application Data\Azureus\tmp\AZU8263234504057347564.tmp
      c:\documents and settings\Reception\Application Data\Azureus\tmp\AZU979599444215951439.tmp
      c:\documents and settings\Reception\Application Data\Azureus\VuzeActivities.config
      c:\documents and settings\Reception\Application Data\Azureus\VuzeActivities.config.bak
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\AppNotification.js
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\close.png
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\like.png
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\Next.png
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\Next_hover.png
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\powered-by.png
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\Prev.png
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\Prev_hover.png
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\settings.png
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\Thumbs.db
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\initialNotification.html
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\main.html
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\NotificationDialogStyle.css
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\NotificationDialogStyleIE9.css
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\sampleNotification.html
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\DialogsAPI.js
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\PIE.htc
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\settings.js
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\version.txt
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Feeds\http___alerts_conduit-services_com_root_897164_892962_US.xml
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\Feeds\http___alerts_conduit-services_com_root_909619_905414_US.xml
      c:\documents and settings\Reception\Local Settings\Application Data\Conduit\Community Alerts\LanguagePacks\en.xml
      c:\windows\system32\usmt\migwiz_a.exe
      .
      .
      ((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-29 )))))))))))))))))))))))))))))))
      .
      .
      2011-11-17 22:45 . 2011-11-17 22:47 -------- d-----w- c:\documents and settings\Reception\Application Data\DivX
      2011-11-17 22:43 . 2011-11-17 22:45 -------- d-----w- c:\program files\DivX
      2011-11-17 22:43 . 2011-11-17 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
      2011-11-11 19:33 . 2011-11-16 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
      2011-11-11 19:33 . 2011-11-11 19:33 -------- d-----w- c:\program files\Common Files\iS3
      2011-11-11 16:53 . 2011-11-16 15:59 -------- d-----w- c:\program files\Free Internet Window Washer
      2011-11-11 13:07 . 2011-09-05 13:56 81920 ----a-w- c:\windows\system32\ieencode.dll
      2011-11-11 13:07 . 2011-09-05 13:56 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
      2011-11-08 13:17 . 2011-11-08 13:17 -------- d-----w- c:\program files\Starpoint Software
      2011-11-01 18:26 . 2011-04-29 19:07 852480 -c--a-w- c:\windows\system32\dllcache\vgx.dll
      2011-10-31 20:53 . 2011-10-31 20:53 -------- d-----w- c:\documents and settings\Reception\.swt
      .
      .
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll
      2011-10-10 14:22 . 2007-07-30 19:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
      2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
      2011-09-27 20:09 . 2011-09-01 13:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
      2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
      2011-09-26 15:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
      2011-09-26 15:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
      2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
      2011-09-05 13:56 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
      2011-09-05 13:56 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
      2011-09-05 12:35 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
      2011-11-11 13:03 . 2011-10-31 21:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
      .
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-17 4617600]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-20 149280]
      "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
      "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
      "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
      .
      c:\documents and settings\Reception\Start Menu\Programs\Startup\
      Launch Utility Application.lnk - c:\documents and settings\Reception\Application Data\Verizon\UA_ar\UtilityApplication.exe [2011-3-22 547840]
      OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
      .
      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
      @=""
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
      2006-03-24 03:13 77824 ----a-w- c:\windows\system32\hkcmd.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
      2006-03-24 03:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
      2006-03-24 03:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
      2004-10-14 21:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
      "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
      "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
      "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
      "c:\\Program Files\\Google\\Google Earth Pro\\googleearth.exe"=
      .
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
      R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
      R2 FMAuditOnsite;FMAudit Onsite;c:\program files\FMAuditOnsite\fmaonsite.exe [11/16/2011 5:56 PM 54864]
      R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [7/5/2011 7:21 AM 91456]
      S1 MpKsl4379156b;MpKsl4379156b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B57ECADF-0654-4BC1-BD0A-53E78D8D2553}\MpKsl4379156b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B57ECADF-0654-4BC1-BD0A-53E78D8D2553}\MpKsl4379156b.sys [?]
      S1 MpKsl59b9c265;MpKsl59b9c265;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B605622E-1DF1-455E-9351-2E1880A224E0}\MpKsl59b9c265.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B605622E-1DF1-455E-9351-2E1880A224E0}\MpKsl59b9c265.sys [?]
      S1 MpKsl7f95f8f5;MpKsl7f95f8f5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF8FA3BF-18A9-44A0-8C0C-99DA5AB21A23}\MpKsl7f95f8f5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF8FA3BF-18A9-44A0-8C0C-99DA5AB21A23}\MpKsl7f95f8f5.sys [?]
      S1 MpKsla16c7311;MpKsla16c7311;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7F4BEF5A-C8B3-4A58-828D-AE3473A652C0}\MpKsla16c7311.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7F4BEF5A-C8B3-4A58-828D-AE3473A652C0}\MpKsla16c7311.sys [?]
      S2 FileOpenManagerSvc;FileOpenManagerSvc;c:\documents and settings\All Users\Application Data\FileOpen\Services\FileOpenManagerSvc32.exe [3/9/2011 5:02 PM 212352]
      S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2011 11:10 AM 136176]
      S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [8/24/2011 10:17 AM 30312]
      S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2011 11:10 AM 136176]
      S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [8/24/2011 10:17 AM 121192]
      S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [8/24/2011 10:17 AM 12776]
      S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [8/24/2011 10:17 AM 136680]
      S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [8/24/2011 10:18 AM 114152]
      .
      --- Other Services/Drivers In Memory ---
      .
      *Deregistered* - FileOpenWebPublisherScreenHookDriver
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2011-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc24512fa0e2d6.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-07 16:10]
      .
      2011-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc24513002a340.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-07 16:10]
      .
      .
      ------- Supplementary Scan -------
      .
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
      TCP: DhcpNameServer = 184.168.39.1 68.105.28.16 68.10.16.245
      DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://games.king.com/ctl/kingcomie.cab
      FF - ProfilePath - c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\
      FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
      FF - prefs.js: network.proxy.type - 0
      .
      .
      **************************************************************************
      .
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2011-11-29 16:19
      Windows 5.1.2600 Service Pack 3 NTFS
      .
      scanning hidden processes ...
      .
      scanning hidden autostart entries ...
      .
      scanning hidden files ...
      .
      scan completed successfully
      hidden files: 0
      .
      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
      "value"="?\0a\01\1f\145\1bT"
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------
      .
      - - - - - - - > 'winlogon.exe'(652)
      c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      c:\windows\system32\Ati2evxx.dll
      .
      Completion time: 2011-11-29 16:20:34
      ComboFix-quarantined-files.txt 2011-11-29 21:20
      ComboFix2.txt 2011-11-28 20:18
      .
      Pre-Run: 47,273,504,768 bytes free
      Post-Run: 47,258,046,464 bytes free
      .
      - - End Of File - - 655829EE6978CDE66586CCD1EE8E86B4
  13. ComboFix 11-11-28.02 - Reception 11/28/2011 15:12:44.1.2 - x86
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.512 [GMT -5:00]
      Running from: c:\documents and settings\Reception\Desktop\ComboFix.exe
      .
      .
      ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      c:\documents and settings\accounting\Application Data\alot
      c:\documents and settings\All Users\Application Data\TEMP
      c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\extensions\{944ae395-0a57-4ef4-828f-e615c034c589}
      c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\extensions\{944ae395-0a57-4ef4-828f-e615c034c589}\chrome.manifest
      c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\extensions\{944ae395-0a57-4ef4-828f-e615c034c589}\chrome\xulcache.jar
      c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\extensions\{944ae395-0a57-4ef4-828f-e615c034c589}\defaults\preferences\xulcache.js
      c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\extensions\{944ae395-0a57-4ef4-828f-e615c034c589}\install.rdf
      c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\extensions\{f978a793-7fa2-4ad1-812e-d06b4202ca0a}
      c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\extensions\{f978a793-7fa2-4ad1-812e-d06b4202ca0a}\chrome.manifest
      c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\extensions\{f978a793-7fa2-4ad1-812e-d06b4202ca0a}\chrome\xulcache.jar
      c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\extensions\{f978a793-7fa2-4ad1-812e-d06b4202ca0a}\defaults\preferences\xulcache.js
      c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\extensions\{f978a793-7fa2-4ad1-812e-d06b4202ca0a}\install.rdf
      c:\documents and settings\Reception\jiwyjmgobz.tmp
      c:\windows\iun6002.exe
      c:\windows\system32\spool\prtprocs\w32x86\xpdpp.dll
      .
      .
      ((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
      .
      .
      2011-11-17 22:45 . 2011-11-17 22:47 -------- d-----w- c:\documents and settings\Reception\Application Data\DivX
      2011-11-17 22:43 . 2011-11-17 22:45 -------- d-----w- c:\program files\DivX
      2011-11-17 22:43 . 2011-11-17 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
      2011-11-11 19:33 . 2011-11-16 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
      2011-11-11 19:33 . 2011-11-11 19:33 -------- d-----w- c:\program files\Common Files\iS3
      2011-11-11 16:53 . 2011-11-16 15:59 -------- d-----w- c:\program files\Free Internet Window Washer
      2011-11-11 13:07 . 2011-09-05 13:56 81920 ----a-w- c:\windows\system32\ieencode.dll
      2011-11-11 13:07 . 2011-09-05 13:56 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
      2011-11-08 13:17 . 2011-11-08 13:17 -------- d-----w- c:\program files\Starpoint Software
      2011-11-01 18:26 . 2011-04-29 19:07 852480 -c--a-w- c:\windows\system32\dllcache\vgx.dll
      2011-10-31 20:53 . 2011-10-31 20:53 -------- d-----w- c:\documents and settings\Reception\.swt
      2011-10-31 20:53 . 2011-11-17 22:02 -------- d-----w- c:\documents and settings\Reception\Application Data\Azureus
      2011-10-31 20:52 . 2011-10-31 21:31 -------- d-----w- c:\documents and settings\Reception\Local Settings\Application Data\Conduit
      .
      .
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll
      2011-10-10 14:22 . 2007-07-30 19:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
      2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
      2011-09-27 20:09 . 2011-09-01 13:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
      2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
      2011-09-26 15:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
      2011-09-26 15:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
      2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
      2011-09-05 13:56 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
      2011-09-05 13:56 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
      2011-09-05 12:35 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
      2011-08-31 21:00 . 2011-03-12 15:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
      2011-11-11 13:03 . 2011-10-31 21:49 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
      .
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-17 4617600]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-20 149280]
      "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
      "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
      "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
      .
      c:\documents and settings\Reception\Start Menu\Programs\Startup\
      Launch Utility Application.lnk - c:\documents and settings\Reception\Application Data\Verizon\UA_ar\UtilityApplication.exe [2011-3-22 547840]
      OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
      .
      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
      @=""
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
      2006-03-24 03:13 77824 ----a-w- c:\windows\system32\hkcmd.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
      2006-03-24 03:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
      2006-03-24 03:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
      2004-10-14 21:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
      "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
      "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
      "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
      "c:\\Program Files\\Google\\Google Earth Pro\\googleearth.exe"=
      .
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
      R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
      R2 FMAuditOnsite;FMAudit Onsite;c:\program files\FMAuditOnsite\fmaonsite.exe [11/16/2011 5:56 PM 54864]
      R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [7/5/2011 7:21 AM 91456]
      S1 MpKsl4379156b;MpKsl4379156b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B57ECADF-0654-4BC1-BD0A-53E78D8D2553}\MpKsl4379156b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B57ECADF-0654-4BC1-BD0A-53E78D8D2553}\MpKsl4379156b.sys [?]
      S1 MpKsl59b9c265;MpKsl59b9c265;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B605622E-1DF1-455E-9351-2E1880A224E0}\MpKsl59b9c265.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B605622E-1DF1-455E-9351-2E1880A224E0}\MpKsl59b9c265.sys [?]
      S1 MpKsl7f95f8f5;MpKsl7f95f8f5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF8FA3BF-18A9-44A0-8C0C-99DA5AB21A23}\MpKsl7f95f8f5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF8FA3BF-18A9-44A0-8C0C-99DA5AB21A23}\MpKsl7f95f8f5.sys [?]
      S1 MpKsla16c7311;MpKsla16c7311;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7F4BEF5A-C8B3-4A58-828D-AE3473A652C0}\MpKsla16c7311.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7F4BEF5A-C8B3-4A58-828D-AE3473A652C0}\MpKsla16c7311.sys [?]
      S2 FileOpenManagerSvc;FileOpenManagerSvc;c:\documents and settings\All Users\Application Data\FileOpen\Services\FileOpenManagerSvc32.exe [3/9/2011 5:02 PM 212352]
      S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2011 11:10 AM 136176]
      S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [8/24/2011 10:17 AM 30312]
      S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2011 11:10 AM 136176]
      S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [8/24/2011 10:17 AM 121192]
      S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [8/24/2011 10:17 AM 12776]
      S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [8/24/2011 10:17 AM 136680]
      S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [8/24/2011 10:18 AM 114152]
      .
      --- Other Services/Drivers In Memory ---
      .
      *Deregistered* - FileOpenWebPublisherScreenHookDriver
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc24512fa0e2d6.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-07 16:10]
      .
      2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc24513002a340.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-07 16:10]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2504091
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
      TCP: DhcpNameServer = 184.168.39.1 68.105.28.16 68.10.16.245
      DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://games.king.com/ctl/kingcomie.cab
      FF - ProfilePath - c:\documents and settings\Reception\Application Data\Mozilla\Firefox\Profiles\m1s1x1jp.default\
      FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
      FF - prefs.js: network.proxy.type - 0
      .
      .
      ------- File Associations -------
      .
      .txt=
      .
      - - - - ORPHANS REMOVED - - - -
      .
      Notify-TPSvc - TPSvc.dll
      AddRemove-Speccy - E:\uninst.exe
      AddRemove-Starpoint Software Super Slug 3.1 ANSI Full Version - c:\windows\iun6002.exe
      AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
      AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
      AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
      .
      .
      .
      **************************************************************************
      .
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2011-11-28 15:16
      Windows 5.1.2600 Service Pack 3 NTFS
      .
      scanning hidden processes ...
      .
      scanning hidden autostart entries ...
      .
      scanning hidden files ...
      .
      scan completed successfully
      hidden files: 0
      .
      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
      "value"="?\0a\01\1f\145\1bT"
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------
      .
      - - - - - - - > 'winlogon.exe'(652)
      c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      c:\windows\system32\Ati2evxx.dll
      .
      Completion time: 2011-11-28 15:18:19
      ComboFix-quarantined-files.txt 2011-11-28 20:18
      .
      Pre-Run: 47,147,696,128 bytes free
      Post-Run: 47,325,085,696 bytes free
      .
      WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      UnsupportedDebug="do not select this" /debug
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
      .
      - - End Of File - - BB81C7FBDA7D533B17FAA7AC4D820568
  14. Here is the ComboFix log. Thanks for your help. log.txt