Being redirected

ec89ax · July 30, 2009

Hi im having a problem, every time i do a search on google i get directed to a different website. I scan with both optons "Quick scan" and "Full scan", but only found 1 infection and i deleted it and rebooted the computer. Now im still being directed to different websites and Malwarebytes' scans find no infections. thx

hjt log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:15:05 PM, on 7/30/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Mixer.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\PRISMSVR.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=7854.542.876354..2:875

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Malwarebytes Piracy] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /piracy

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: 2Wire Wireless Client.lnk = ?

O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: REALTEK USB Wireless LAN Utility.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.att.net

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O20 - AppInit_DLLs: syzavz.dll fkayxj.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 7996 bytes

==========================================================================

Malware quick scan:

Malwarebytes' Anti-Malware 1.39

Database version: 2514

Windows 5.1.2600 Service Pack 2

7/30/2009 3:28:00 PM

mbam-log-2009-07-30 (15-28-00).txt

Scan type: Quick Scan

Objects scanned: 94225

Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Kenny94 · July 31, 2009

Hi ec89ax and Welcome to Malwarebytes!

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

ec89ax · July 31, 2009

Hi ec89ax and Welcome to Malwarebytes!
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Please download ComboFix from
Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".
[*]During the download, rename Combofix to Combo-Fix as follows:
[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
[*]Double click on combo-Fix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Combo fix log:

ComboFix 09-07-31.02 - Owner 07/31/2009 15:08.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.625 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\directwave_sampling.tmp

c:\documents and settings\Owner\Application Data\inst.exe

c:\windows\system32\drivers\vsfocetbqxwbim.sys

c:\windows\system32\vsfocejtxiyibq.dat

c:\windows\system32\vsfocekthoesuk.dll

c:\windows\system32\vsfocermyndjkl.dll

c:\windows\system32\vsfocevcmvkhyn.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_vsfocehxdoevtt

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))

.

2009-07-31 21:55 . 2009-07-31 21:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NortonInstaller

2009-07-30 22:12 . 2009-07-30 22:12 -------- d-----w- c:\program files\Trend Micro

2009-07-28 03:23 . 2009-07-28 03:23 -------- d-----w- c:\documents and settings\Owner\DoctorWeb

2009-07-27 21:04 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-27 21:04 . 2009-07-27 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-27 21:04 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-22 22:53 . 2009-07-22 22:53 -------- d-----w- c:\program files\NVIDIA Corporation

2009-07-22 22:53 . 2009-07-22 22:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NVIDIA Corporation

2009-07-22 22:52 . 2009-07-14 18:54 2189856 ----a-w- c:\windows\system32\nvcuvid.dll

2009-07-22 22:52 . 2009-07-14 18:54 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll

2009-07-22 22:52 . 2009-07-14 18:54 2002944 ----a-w- c:\windows\system32\nvcuda.dll

2009-07-22 22:52 . 2009-07-14 18:54 1597690 ----a-w- c:\windows\system32\nvdata.bin

2009-07-22 22:43 . 2009-07-22 22:43 -------- d-----w- c:\program files\SystemRequirementsLab

2009-07-22 22:43 . 2009-07-22 22:43 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab

2009-07-22 22:43 . 2009-07-22 22:43 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll

2009-07-22 22:43 . 2009-07-22 22:43 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll

2009-07-22 22:43 . 2009-07-22 22:43 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll

2009-07-22 22:43 . 2009-07-22 22:43 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll

2009-07-17 19:21 . 2009-07-17 19:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Light Crafts

2009-07-17 19:21 . 2009-07-18 20:56 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\Light Crafts

2009-07-17 19:21 . 2009-07-17 19:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Aurora

2009-07-17 19:21 . 2009-02-12 19:35 38208 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-07-17 19:20 . 2009-07-17 19:20 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-17 19:19 . 2009-07-17 19:20 -------- d-----w- c:\program files\Aurora

2009-07-15 05:16 . 2009-07-15 05:19 -------- d-----w- c:\documents and settings\Owner\dwhelper

2009-07-15 04:48 . 2009-07-15 04:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Cooliris

2009-07-14 20:35 . 2009-07-14 20:35 2173472 ----a-w- c:\windows\system32\nvcplui.exe

2009-07-14 20:35 . 2009-07-14 20:35 81920 ----a-w- c:\windows\system32\nvwddi.dll

2009-07-14 20:35 . 2009-07-14 20:35 4026368 ----a-w- c:\windows\system32\nvvitvs.dll

2009-07-14 20:35 . 2009-07-14 20:35 3170304 ----a-w- c:\windows\system32\nvwss.dll

2009-07-14 20:34 . 2009-07-14 20:34 86016 ----a-w- c:\windows\system32\nvmctray.dll

2009-07-14 20:34 . 2009-07-14 20:34 4923392 ----a-w- c:\windows\system32\nvdisps.dll

2009-07-14 20:34 . 2009-07-14 20:34 3547136 ----a-w- c:\windows\system32\nvgames.dll

2009-07-14 20:34 . 2009-07-14 20:34 188416 ----a-w- c:\windows\system32\nvmccss.dll

2009-07-14 20:34 . 2009-07-14 20:34 168004 ----a-w- c:\windows\system32\nvsvc32.exe

2009-07-14 20:34 . 2009-07-14 20:34 143360 ----a-w- c:\windows\system32\nvcolor.exe

2009-07-14 20:34 . 2009-07-14 20:34 13877248 ----a-w- c:\windows\system32\nvcpl.dll

2009-07-14 20:34 . 2009-07-14 20:34 1286144 ----a-w- c:\windows\system32\nvmobls.dll

2009-07-14 20:34 . 2009-07-14 20:34 229376 ----a-w- c:\windows\system32\nvmccs.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-30 03:04 . 2009-03-16 22:37 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-27 04:16 . 2009-04-01 06:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2009-07-15 05:28 . 2008-03-16 20:02 -------- d-----w- c:\program files\JSOFT

2009-07-15 05:24 . 2007-09-15 00:02 -------- d-----w- c:\program files\AT&T

2009-07-14 18:54 . 2006-11-28 19:24 485920 ----a-w- c:\windows\system32\nvudisp.exe

2009-07-14 18:54 . 2006-10-22 20:22 868352 ----a-w- c:\windows\system32\nvapi.dll

2009-07-14 18:54 . 2006-10-22 20:22 7741664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2009-07-14 18:54 . 2006-10-22 20:22 5842816 ----a-w- c:\windows\system32\nv4_disp.dll

2009-07-14 18:54 . 2006-10-22 20:22 151552 ----a-w- c:\windows\system32\nvcodins.dll

2009-07-14 18:54 . 2006-10-22 20:22 151552 ----a-w- c:\windows\system32\nvcod.dll

2009-07-14 18:54 . 2006-10-22 20:22 10457088 ----a-w- c:\windows\system32\nvoglnt.dll

2009-07-10 22:24 . 2006-11-28 23:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee

2009-07-10 22:17 . 2006-11-29 00:00 -------- d-----w- c:\program files\McAfee

2009-07-10 14:01 . 2006-11-28 19:24 485920 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-06-29 16:12 . 2004-08-03 22:56 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-03 22:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-03 22:56 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-16 14:55 . 2004-08-03 22:56 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:55 . 2001-08-23 11:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 19:27 . 2004-08-03 22:56 1290752 ----a-w- c:\windows\system32\quartz.dll

2009-05-07 15:44 . 2004-08-03 22:56 344064 ----a-w- c:\windows\system32\localspl.dll

2009-07-18 22:38 . 2009-02-08 23:50 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-05-19 3561720]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-16 1830128]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-04-14 290905]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]

"Malwarebytes Piracy"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-07-13 1287440]

"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-01-28 1228800]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\

2Wire Wireless Client.lnk - c:\twwgusb_temp\PRISMCFG.EXE [2008-10-7 335979]

D-Link AirPlus G Configuration Utility.lnk - c:\program files\D-Link AirPlus G\AirPlus.exe [2006-11-28 294912]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2008-9-4 790528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\Aurora\\Aurora.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/15/2009 5:17 PM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024]

R2 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [11/28/2006 3:03 PM 10752]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [9/4/2008 3:51 PM 38144]

R3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [11/28/2006 3:03 PM 9216]

S0 fkhkkztb;fkhkkztb;c:\windows\system32\drivers\xtxjkhpo.sys --> c:\windows\system32\drivers\xtxjkhpo.sys [?]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [9/4/2008 3:52 PM 223616]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 5:17 PM 7408]

S3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\MRV8K51.sys [11/28/2006 2:12 PM 256896]

S3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [4/8/2004 9:43 AM 349376]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = https=7854.542.876354..2:875

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\jb8skcgc.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll

FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-31 15:19

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2080)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\Common Files\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wdfmgr.exe

c:\progra~1\McAfee.com\Agent\mcagent.exe

c:\windows\system32\rundll32.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2009-07-31 15:24 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-31 22:24

Pre-Run: 140,457,426,944 bytes free

Post-Run: 140,336,873,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

266 --- E O F --- 2009-07-29 19:58

Kenny94 · July 31, 2009

Open Notepad and copy and paste the text in the code box below into it:

Registry::[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Also, I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

CFScript.txt

HijackThis Uninstall List

HijackThis log

Also, please let me know how things are running now.

ec89ax · July 31, 2009

well things seem to be running good, im not being redirected anymore, but should i still copy and paste the code onto combo fix??

Kenny94 · July 31, 2009

Yes...

In your next reply, please include these log(s):

CFScript.txt

HijackThis Uninstall List

HijackThis log

One of the reasons why is, this concern me:

AV: McAfee VirusScan

AV: Norton AntiVirus 2005 *

ec89ax · July 31, 2009

combofix:

ComboFix 09-07-31.02 - Owner 07/31/2009 16:16.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.599 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

* Created a new restore point