
Possible google redirect issue



I'm having issues with browser windows popping up during google searches or trying to access google sites like Blogger.

Most of the time it just says "transferring data from www.google-analytics.com" or something similar but lately it's been opening new windows unrelated to my google search results.

Symantec, Malwarebytes and Spybot are not picking up any malicious files.

Thanks in advance for your help!

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86

Run by Administrator at 10:12:00.10 on Tue 06/08/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2729 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.bing.com

uSearch Bar = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\43i2vzgm.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-7 64288]

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352320]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-12-9 635416]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]

R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-12-9 2066968]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-12-9 149600]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100607.006\naveng.sys [2010-6-7 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100607.006\navex15.sys [2010-6-7 1347504]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]

=============== Created Last 30 ================

2010-06-08 15:08:58 192 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-06-07 21:04:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-07 21:04:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-07 20:47:51 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-07 20:47:46 0 d-----w- c:\program files\Lavasoft

2010-06-04 20:52:51 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-04 20:52:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-06-04 16:37:37 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-06-04 16:37:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-04 16:37:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-04 16:37:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-04 16:37:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-04 16:31:08 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-25 16:28:31 0 d-----w- c:\docume~1\admini~1\applic~1\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

2010-05-25 16:28:30 0 d-----w- c:\program files\TweetDeck

2010-05-15 15:02:53 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-05-27 21:04:45 55608 ----a-w- c:\windows\fonts\BrockScript.ttf

2010-05-27 21:04:18 29268 ----a-w- c:\windows\fonts\Jailbird.ttf

2010-05-27 21:03:33 38184 ----a-w- c:\windows\fonts\Precious.ttf

2010-05-27 21:03:10 55608 ----a-w- c:\windows\fonts\fonts\BrockScript.ttf

2010-05-27 21:02:36 29268 ----a-w- c:\windows\fonts\fonts\Jailbird.ttf

2010-04-28 19:05:40 115676 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-22 18:24:34 123304 ----a-w- c:\windows\fonts\Mutlu__Ornamental.ttf

2010-04-22 18:24:09 37552 ----a-w- c:\windows\fonts\CHOPS___.TTF

2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2009-12-10 00:27:34 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2009-12-10 00:27:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2010-01-05 21:09:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010520100106\index.dat

============= FINISH: 10:12:15.69 ===============

mbam log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4176

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

6/7/2010 3:26:54 PM

mbam-log-2010-06-07 (15-26-54).txt

Scan type: Full scan (C:\|)

Objects scanned: 200134

Time elapsed: 12 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.zip

ark.zip

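A small triage helper for the autostart sections of logs like the DDS and ComboFix output in this thread, added here as an example (it is not part of the thread and not code from the DDS, ComboFix or Malwarebytes tools). The sample log lines are constructed in the same layout; the trusted-root list, the user-writable hints and the made-up "Updater" value are assumptions of this example, and a flag is a review hint rather than a verdict.

```python
"""Triage helper for the autostart sections of DDS / ComboFix style logs.

Added example, not code from the forum thread or from the DDS, ComboFix or
Malwarebytes tools. It reads the 'Pseudo HJT Report' lines (uRun/mRun/BHO/
TB/Notify/SSODL) and the REGEDIT4 Run-key values these logs print, pulls out
the image path, and flags entries whose image sits outside the usual system
and program roots or has no path at all. A flag is a review hint, not a
verdict: GoogleUpdate.exe legitimately lives under the user profile.
"""
import re
from dataclasses import dataclass

# Roots a stock XP install keeps trusted autostarts under; DDS prints both
# long and 8.3 short forms, so both spellings are listed (assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%windir%\\")
# Substrings of user-writable locations that deserve a second look (assumption).
SUSPECT_HINTS = ("local settings", "application data", "\\temp\\", "recycler", "docume~1")


@dataclass
class Autostart:
    kind: str      # uRun, mRun, BHO, TB, Notify, SSODL, HKCU-Run, HKLM-Run
    name: str
    path: str      # lowercased image path, quotes and arguments stripped
    flagged: bool
    reason: str


_DDS_LINE = re.compile(r"^(uRun|mRun|BHO|TB|Notify|SSODL):\s*(.*)$")
_REG_KEY = re.compile(r"^\[(HKEY_[^\]]+|HKLM[^\]]+)\]$")
_REG_VAL = re.compile(r'^"([^"]+)"="(.*)"(?:\s+\[.*\])?$')
_IMAGE = re.compile(r'(?i)((?:[a-z]:|%windir%)\\[^"\[]*?\.(?:exe|dll|scr|sys|com)\b)')


def classify(path: str):
    """Return (flagged, reason) for a lowercased image path ('' = no path)."""
    if not path:
        return True, "bare image name, resolved through the search path"
    if any(hint in path for hint in SUSPECT_HINTS):
        return True, "image under a user-writable location"
    if not path.startswith(TRUSTED_ROOTS):
        return True, "image outside the standard system/program roots"
    return False, ""


def _entry(kind: str, name: str, tail: str) -> Autostart:
    m = _IMAGE.search(tail)
    path = m.group(1).lower() if m else ""
    flagged, reason = classify(path)
    return Autostart(kind, name, path, flagged, reason)


def _split_dds(rest: str):
    """'[Name] image args' or 'Name: {clsid} - image' or 'Name - image'."""
    m = re.match(r"\[([^\]]+)\]\s*(.*)", rest)
    if m:
        return m.group(1), m.group(2)
    return re.split(r":\s*\{| - ", rest, maxsplit=1)[0], rest


def parse_autostarts(log_text: str):
    """Collect autostart entries from DDS report lines and REGEDIT4 Run keys."""
    entries, run_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _DDS_LINE.match(line)
        if m:
            name, tail = _split_dds(m.group(2))
            entries.append(_entry(m.group(1), name, tail))
            continue
        m = _REG_KEY.match(line)
        if m:                       # only Run keys are harvested; others reset
            key = m.group(1).lower()
            if key.endswith("\\currentversion\\run"):
                run_key = "HKCU-Run" if "current_user" in key else "HKLM-Run"
            else:
                run_key = None
            continue
        m = _REG_VAL.match(line)
        if m and run_key:
            entries.append(_entry(run_key, m.group(1), m.group(2)))
    return entries


def flagged_entries(log_text: str):
    return [e for e in parse_autostarts(log_text) if e.flagged]


# Constructed sample in the DDS / ComboFix layout; the "Updater" value is a
# made-up loader in a profile Temp folder, the pattern a hijacker typically uses.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]
"Updater"="c:\documents and settings\Administrator\Local Settings\Temp\svchost.exe" [2010-06-01 12288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"""

if __name__ == "__main__":
    for e in parse_autostarts(SAMPLE_LOG):
        mark = "REVIEW" if e.flagged else "ok    "
        print(f"{mark} {e.kind:9} {e.name:20} {e.path or '(no path)'}  {e.reason}")
```

Paste a real DDS or ComboFix log into SAMPLE_LOG to get the same REVIEW/ok listing; bare names such as RTHDCPL.EXE are flagged only so the reader confirms which copy on the search path actually runs.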

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left-hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Thanks so much for your help. Since I posted the original plea for help, two more computers on the network have started displaying these same symptoms.

Here is the combofix log:

ComboFix 10-06-09.01 - Administrator 06/09/2010 12:37:21.3.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3543.2895 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))

.

2010-06-07 21:04 . 2010-06-07 21:04 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-07 20:47 . 2010-06-09 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-06-07 20:44 . 2010-06-07 20:44 503808 ----a-w- c:\documents and settings\De\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-771761a9-n\msvcp71.dll

2010-06-07 14:56 . 2010-06-07 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-06-04 20:52 . 2010-06-04 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-04 20:52 . 2010-06-04 20:54 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-04 17:57 . 2010-06-09 15:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2010-06-04 17:57 . 2010-06-04 17:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2010-06-04 17:57 . 2010-06-04 17:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Deployment

2010-06-04 16:37 . 2010-06-04 16:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-06-04 16:37 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-04 16:37 . 2010-06-04 16:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-04 16:37 . 2010-06-04 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-04 16:37 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-04 16:31 . 2010-06-04 16:31 -------- d-----w- c:\program files\Common Files\Java

2010-06-04 16:31 . 2010-06-04 16:31 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7cd03777-n\decora-sse.dll

2010-06-04 16:31 . 2010-06-04 16:31 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-246721ef-n\msvcp71.dll

2010-06-04 16:31 . 2010-06-04 16:31 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-246721ef-n\jmc.dll

2010-06-04 16:31 . 2010-06-04 16:31 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-246721ef-n\msvcr71.dll

2010-06-04 16:31 . 2010-06-04 16:31 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7cd03777-n\decora-d3d.dll

2010-06-04 16:31 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-26 17:23 . 2010-05-26 17:23 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-798bfce0-n\msvcp71.dll

2010-05-26 17:23 . 2010-05-26 17:23 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-798bfce0-n\jmc.dll

2010-05-26 17:23 . 2010-05-26 17:23 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-798bfce0-n\msvcr71.dll

2010-05-25 16:28 . 2010-05-25 16:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

2010-05-25 16:28 . 2010-05-25 16:28 -------- d-----w- c:\program files\TweetDeck

2010-05-15 15:02 . 2010-05-15 15:02 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-09 17:35 . 2010-01-05 18:25 -------- d-----w- c:\program files\Symantec AntiVirus

2010-06-07 20:44 . 2010-06-07 20:44 499712 ----a-w- c:\documents and settings\De\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-771761a9-n\jmc.dll

2010-06-07 20:44 . 2010-06-07 20:44 348160 ----a-w- c:\documents and settings\De\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-771761a9-n\msvcr71.dll

2010-06-07 20:44 . 2010-06-07 20:44 61440 ----a-w- c:\documents and settings\De\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3450929f-n\decora-sse.dll

2010-06-07 20:44 . 2010-06-07 20:44 12800 ----a-w- c:\documents and settings\De\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3450929f-n\decora-d3d.dll

2010-06-07 17:08 . 2010-06-07 17:08 -------- d-----w- c:\documents and settings\De\Application Data\Malwarebytes

2010-06-07 17:08 . 2010-06-07 17:08 -------- d-----w- c:\documents and settings\De\Application Data\Apple Computer

2010-06-07 17:08 . 2010-06-07 17:07 167176 ----a-w- c:\documents and settings\De\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-07 17:07 . 2010-01-05 21:29 -------- d-----w- c:\program files\Web Publish

2010-06-04 19:02 . 2010-02-10 19:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2010-06-04 16:30 . 2010-01-08 16:50 -------- d-----w- c:\program files\Java

2010-06-03 16:19 . 2009-12-10 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PDFC

2010-05-28 14:58 . 2009-12-10 00:29 167176 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-27 21:04 . 2010-05-01 05:32 265 ----a-w- c:\windows\Fonts\read.txt

2010-05-27 21:03 . 2010-01-13 19:42 -------- d-----w- c:\windows\Fonts\Fonts

2010-05-27 21:02 . 2010-05-01 05:32 265 ----a-w- c:\windows\Fonts\Fonts\read.txt

2010-05-12 22:47 . 2010-01-13 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-11 18:10 . 2010-01-25 18:45 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-30 20:11 . 2010-04-30 20:11 -------- d-----w- c:\program files\Windows Media Connect 2

2010-04-30 15:38 . 2010-04-30 15:37 -------- d-----w- c:\program files\iTunes

2010-04-30 15:37 . 2010-04-30 15:37 -------- d-----w- c:\program files\iPod

2010-04-30 15:37 . 2010-01-06 19:33 -------- d-----w- c:\program files\Common Files\Apple

2010-04-30 15:35 . 2010-04-30 15:35 -------- d-----w- c:\program files\Bonjour

2010-04-30 15:35 . 2010-04-30 15:35 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-28 19:05 . 2010-01-09 17:36 115676 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-06-09_15.21.13 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-09 17:29 . 2010-06-09 17:29 16384 c:\windows\Temp\Perflib_Perfdata_734.dat

+ 2009-04-06 14:51 . 2010-06-09 17:33 68360 c:\windows\system32\perfc009.dat

- 2009-04-06 14:51 . 2010-06-09 15:20 68360 c:\windows\system32\perfc009.dat

+ 2009-04-06 14:51 . 2010-06-09 17:33 435590 c:\windows\system32\perfh009.dat

- 2009-04-06 14:51 . 2010-06-09 15:20 435590 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-04 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]

"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]

"RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-06-18 563736]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 1:03 PM 169312]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [12/9/2009 7:32 PM 635416]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 1:30 PM 124608]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [12/9/2009 7:29 PM 2066968]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [12/9/2009 8:18 PM 149600]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 12:46 PM 44800]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/13/2010 11:35 AM 691696]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv11010

.

Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-470894537-2207945411-3346370390-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-04 17:57]

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-470894537-2207945411-3346370390-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-04 17:57]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\43i2vzgm.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-09 12:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]

"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-470894537-2207945411-3346370390-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,4a,87,8f,62,21,85,42,88,fc,b0,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,4a,87,8f,62,21,85,42,88,fc,b0,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(344)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-09 12:40:40

ComboFix-quarantined-files.txt 2010-06-09 17:40

ComboFix2.txt 2010-06-09 15:41

ComboFix3.txt 2010-06-09 15:22

Pre-Run: 429,734,371,328 bytes free

Post-Run: 429,701,169,152 bytes free

- - End Of File - - 7BAB8D4951ABF4C09023687412E76AD3

Attach2.zip

DDS2.zip


Hi,

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the quote box into a new file:

@echo off

>Log1.txt (

ipconfig /all

nslookup google.com

ping -n 2 google.com

route print

)

start Log1.txt

del %0

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select save in: desktop
  • Fill in File name: test.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click test.bat on the desktop.
  • A Notepad window opens; copy and paste its content (log1.txt) into your reply.


test.bat results:

Windows IP Configuration

Host Name . . . . . . . . . . . . : DeAnna

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hsd1.tx.comcast.net.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.tx.comcast.net.

Description . . . . . . . . . . . : Intel® 82567LM-3 Gigabit Network Connection

Physical Address. . . . . . . . . : 00-0F-FE-C3-13-64

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.115

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 213.109.67.166

213.109.73.41

68.87.85.102

Lease Obtained. . . . . . . . . . : Thursday, June 10, 2010 11:58:12 AM

Lease Expires . . . . . . . . . . : Friday, June 11, 2010 11:58:12 AM

Server: cns.cmc.co.denver.comcast.net

Address: 68.87.85.102

Name: google.com

Address: 72.14.209.104

Pinging google.com [72.14.204.147] with 32 bytes of data:

Reply from 72.14.204.147: bytes=32 time=65ms TTL=51

Reply from 72.14.204.147: bytes=32 time=54ms TTL=51

Ping statistics for 72.14.204.147:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 54ms, Maximum = 65ms, Average = 59ms

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x2 ...00 0f fe c3 13 64 ...... Intel® 82567LM-3 Gigabit Network Connection - Packet Scheduler Miniport

===========================================================================

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.115 20

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

169.254.0.0 255.255.0.0 192.168.1.115 192.168.1.115 20

192.168.1.0 255.255.255.0 192.168.1.115 192.168.1.115 20

192.168.1.115 255.255.255.255 127.0.0.1 127.0.0.1 20

192.168.1.255 255.255.255.255 192.168.1.115 192.168.1.115 20

224.0.0.0 240.0.0.0 192.168.1.115 192.168.1.115 20

255.255.255.255 255.255.255.255 192.168.1.115 192.168.1.115 1

Default Gateway: 192.168.1.1

===========================================================================

Persistent Routes:

None

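The ipconfig output above is the evidence that matters in this thread: the first two resolvers handed out by the router (213.109.67.166 and 213.109.73.41) are neither on the local network nor the ISP resolver that nslookup actually used (68.87.85.102), which is how a router whose DNS settings have been tampered with shows up on every client behind it. The following script is an added example written for this page, not the helper's batch file or any tool from the thread: it parses the adapter section of an `ipconfig /all` dump and flags resolvers that are not the gateway, not inside the local subnet, and not on an operator-supplied allowlist. The sample input is constructed from the output posted above, and the allowlist `TRUSTED_RESOLVERS` is an assumption (here just the resolver that answered the nslookup); in practice fill it with the resolvers your ISP or organisation documents.

```python
"""Flag unexpected DNS resolvers in 'ipconfig /all' output (added example)."""
import ipaddress
import re

# Constructed sample input: the adapter section of the ipconfig output
# posted in this thread (same addresses as in the post above).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.tx.comcast.net.
IP Address. . . . . . . . . . . . : 192.168.1.115
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 213.109.67.166
                                    213.109.73.41
                                    68.87.85.102
Lease Obtained. . . . . . . . . . : Thursday, June 10, 2010 11:58:12 AM
"""

# Assumption: resolvers the operator knows to be legitimate. 68.87.85.102 is the
# ISP resolver that answered the nslookup in the post; replace with your own list.
TRUSTED_RESOLVERS = {"68.87.85.102"}

# "Label . . . . : value" lines; the label never contains a dot.
_FIELD_RE = re.compile(r"^\s*(?P<label>[A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(?P<value>.*)$")
# Continuation lines that carry only an IPv4 address (extra DNS servers).
_IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_adapter(text):
    """Return {label: value} for one adapter block.

    'DNS Servers' is returned as a list, because ipconfig prints additional
    resolvers on their own indented lines directly below the labelled one.
    """
    fields = {}
    current_list = None  # label of the list-valued field being continued
    for line in text.splitlines():
        if not line.strip():
            continue
        ip_only = _IP_RE.match(line)
        if ip_only and current_list == "DNS Servers":
            fields[current_list].append(ip_only.group(1))
            continue
        m = _FIELD_RE.match(line)
        if not m:
            current_list = None
            continue
        label = m.group("label").strip()
        value = m.group("value").strip()
        if label == "DNS Servers":
            fields[label] = [value] if value else []
            current_list = label
        else:
            fields[label] = value
            current_list = None
    return fields


def find_unexpected_resolvers(fields, trusted=TRUSTED_RESOLVERS):
    """Return configured resolvers that are neither the gateway, nor inside the
    local subnet, nor on the trusted allowlist, in the order they are used."""
    local_net = ipaddress.ip_network(
        f"{fields['IP Address']}/{fields['Subnet Mask']}", strict=False)
    gateway = ipaddress.ip_address(fields["Default Gateway"])
    unexpected = []
    for server in fields.get("DNS Servers", []):
        addr = ipaddress.ip_address(server)
        if addr == gateway or addr in local_net or server in trusted:
            continue
        unexpected.append(server)
    return unexpected


def audit(text):
    """Parse an ipconfig dump and report all resolvers plus the suspicious ones."""
    fields = parse_adapter(text)
    return {
        "resolvers": fields.get("DNS Servers", []),
        "unexpected": find_unexpected_resolvers(fields),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_IPCONFIG)
    print("configured resolvers:", report["resolvers"])
    print("unexpected resolvers:", report["unexpected"])
```

Order matters: Windows queries the first listed resolver and only falls back to the others on failure, so a rogue entry at the top of the list controls every lookup even when a legitimate resolver is still present further down. The check reports the rogue entries in that order; run it against a dump from any client on the same router, since the router hands the same resolvers to every DHCP lease.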

Did you mean WRT120N? I couldn't find any WRT120TN. Anyway, to reset settings to factory defaults there should usually be a reset button or hole (use a pen/paperclip to press it) that you have to press for 30 seconds. Then the router password has to be changed from the default one to a stronger one.


I think that did it! You may just be my new hero! ;)

I took a look at our DNS addresses before I reset the router and they had bogus DNS entries. I reset the router and the DNS entries seem to be back to normal.

Interesting little bug!

I changed the password to a stronger one but is there another way to prevent something like this from happening again?

Thanks so much for taking the time to work with me. I can't even express how much I appreciate it!


Hi,

I changed the password to a stronger one but is there another way to prevent something like this from happening again?

This infection is capable of changing router settings if the router password is not changed from the factory default value. Having a strong, non-default password set prevents a similar thing from happening again.

Some final steps next.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

NOTE: only do this ONCE, NOT on a regular basis.

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK

Please download OTC and save it to desktop.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!

    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here

    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok

  • Run the Secunia vulnerability check here and fix its findings.

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update site frequently - it is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,

Blade :P


Blade, you have been a HUGE help. Thank you so much.

I did everything you told me to this morning and I hope I am more secure now.

After resetting the router and setting up a new password, everything seems to be working so much better...no more redirecting.

Now, several computers were affected by this redirecting, should I run similar scans on them just to make sure they are free from malware? Did what happen with the router put the other machines at risk?

Most of the machines on the network are updated more than mine...I'm guilty of taking care of everyone's machine but my own.


This topic is now closed to further replies.