Browser Hijack



#1 StudioDTK5

Posted 18 March 2010 - 11:53 AM

I believe this problem started Monday. The first thing I noticed was I started getting new instances of Internet Explorer opening to miscellaneous websites while browsing. Then I noticed that when I would click on a link after doing a Google search I would be redirected to some miscellaneous website. For instance the second link provided by Google search for "Tallest Tree" should go to Wikipedia (en.wikipedia.org/wiki/Tree) but would take me to various pages such as...

http://www.freshdeals.com/simple.php?uvx=j5ZcFBmJuCXCtdM-sUmVku_3h5kt2wmeRhHjOe2Y13iq-Adan2kuBp5oNqekqD4KGxMB64TzS6WIML3kd3z8UohOloc-uC6Da01Ot7-CVqLzXt57KK6fLBUaJA5OXnHrMkog9IyuPk4Q6HUwrqmhB3CUYe8ZqPV5tFmcton0Q3Y6WeuiRcJIi3dvWfyupcqbRJyza7WFIIUu0Yvga4V_1Rm4TAoKNn7sZ6XM4oL5UDO05gdOCqipgkBNmOqtZ11jaMJ9NFrjj9C4apErUBbunhM-nSQJ1rkimqUboyTbRmsY8a6GjlbOPwTILVh4lSwwkbSJ0lBRoZEzgYzWN3v9f50fr-evQV95-p5hbdALoBGe71rBt6Xj8TZpHSYIHkCd92zOSG_pN_FTb5klxWp7cY17y2lgBg423PKaqs0P8Nqgb13MHXMyIe0QF0tU4Dh9T3YYv-j8MSifLO46acY4XDwhqyMwX5s63LlLaYagtU8Sxnj3ah3vWbvJJBH1GpDx1Faz6_I13YA*

Whatever that is?

The next thing I noticed was Google Chrome could not open anything.

I'm currently running ZoneAlarm Internet Security Suite. I've been in contact with them and they had me try the following which have not helped...
-Run both ZoneAlarm Ultra Deep Scan and Rootkit scans while booted into Windows safe mode
-Run Windows Malicious Software Removal Tool while booted into Windows safe mode
-Run Malwarebytes full scan while booted into Windows safe mode
-Do a Windows System Restore to several places as far back as March 5th while booted into Windows safe mode
-Clean out prefetch and %temp% directories

ZoneAlarm tech support pretty much told me they were out of ideas.

Here is a list of items ZoneAlarm has found and quarantined the last two days, however their website had no info for these items...
-Exploit.JS.Pdfka.bta
-Exploit.JS.Pdfka.bul
-HEUR:Trojan.Win32.Generic

My latest ZoneAlarm scans do not find anything.

Here is the latest scan from Malwarebytes...
Malwarebytes' Anti-Malware 1.44
Database version: 3879
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

3/18/2010 7:48:59 AM
mbam-log-2010-03-18 (07-48-59).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|)
Objects scanned: 295828
Time elapsed: 22 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is the contents of my DDS.txt file...

DDS (Ver_10-03-17.01) - NTFSx86
Run by Darren at 10:05:32.64 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2105 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
D:\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
D:\iTunes\iTunesHelper.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\lotus\smartctr\smartctr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darren\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darren\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\darren\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EPSON Stylus Photo R260 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibna.exe /fu "c:\windows\temp\E_SF1.tmp" /EF "HKCU"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DelReg] d:\msi\overclockingcenter\DelReg.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Version Cue CS2] "d:\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "d:\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ZoneAlarm Client] "d:\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuss~2.lnk - d:\lotus\smartctr\smartctr.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246847664375
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-3-18 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-3-18 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-3-18 486280]
R2 PD91Agent;PD91Agent;d:\raxco\perfectdisk2008\PD91Agent.exe [2008-12-31 693512]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-5 1691480]
S3 DYUSB;DYMO DiscPainter USB Status Monitor Driver;c:\windows\system32\drivers\dyusb.sys --> c:\windows\system32\drivers\DYUSB.sys [?]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
S3 PCAlertDriver;PCAlertDriver;c:\progra~1\msi\msiwdev\NTGLM7X.sys [2006-6-7 27648]
S3 PD91Engine;PD91Engine;d:\raxco\perfectdisk2008\PD91Engine.exe [2008-12-31 910600]
S3 WEBNTACCESS;WEBNTACCESS;c:\windows\system32\Ntaccess.sys [2008-4-14 17920]

=============== Created Last 30 ================

2010-03-18 14:02:41 0 ----a-w- c:\documents and settings\darren\defogger_reenable
2010-03-18 08:54:26 72584 ----a-w- c:\windows\zllsputility.exe
2010-03-18 08:54:25 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-03-18 08:53:37 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-03-18 08:53:36 0 d-----w- c:\windows\system32\ZoneLabs
2010-03-18 08:53:34 423031 ----a-w- c:\windows\system32\vsconfig.xml
2010-03-18 08:51:44 0 d-----w- c:\windows\Internet Logs
2010-03-18 08:49:24 0 d-----w- c:\docume~1\alluse~1\applic~1\ZA_PreservedFiles
2010-03-17 20:22:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 20:22:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 18:12:55 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-17 16:15:15 0 d--h--w- c:\documents and settings\darren\Recent(2)
2010-03-17 16:08:17 0 d-----w- c:\docume~1\darren\applic~1\Malwarebytes
2010-03-17 15:22:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-16 02:28:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-13 04:43:47 0 d-----w- c:\program files\NVIDIA Corporation
2010-03-13 01:22:55 10 ----a-w- c:\windows\WININIT.INI
2010-02-17 08:35:23 0 ----a-w- c:\windows\ativpsrm.bin

==================== Find3M ====================

2010-03-18 12:10:24 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-28 02:56:20 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-28 02:56:20 22328 ----a-w- c:\docume~1\darren\applic~1\PnkBstrK.sys
2010-01-28 02:54:56 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-01-28 02:54:51 669184 ----a-w- c:\windows\system32\pbsvc.exe
2010-01-28 02:54:51 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-01-21 13:23:08 73728 ----a-w- c:\windows\system32\RTNUninst32.dll
2010-01-21 13:23:08 177152 ----a-w- c:\windows\system32\drivers\Rtenicxp.sys
2010-01-12 04:03:33 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 04:03:33 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-01-12 04:03:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-01-12 04:03:33 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-01-12 04:03:33 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-01-12 04:03:33 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcod.dll
2010-01-12 04:03:33 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 04:03:33 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-01-12 04:03:33 1081344 ----a-w- c:\windows\system32\nvapi.dll
2010-01-12 03:17:44 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 03:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 03:17:44 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 03:17:44 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 03:17:44 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 03:17:40 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-01-08 03:17:19 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-01-08 03:17:19 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 10:06:58.82 ===============


I'm afraid IE redirects and broken Google Chrome may be just the tip of the iceberg. Any help would be greatly appreciated.
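The DDS log above is what the helper reads first. As an added example (not a tool from this thread or from BleepingComputer), the Python script below walks a DDS-style log and pulls out the line types a helper checks before anything else: a BHO whose DLL is gone ("No File"), sites placed in the IE Trusted Zone, ActiveX Downloaded Program Files, empty-named Run values, an IE proxy entry, and services or drivers whose file DDS could not inspect ("[?]"). The rules are this example's own heuristics, and the sample log is a constructed excerpt in the format of the one posted; a hit means "look at this", not "this is malware". None of these rules would catch the actual culprit here: TDL3 lived inside an infected kernel-mode driver and hid its on-disk presence from ordinary listings, which is why a log like the one above can look clean while the browser still redirects, and why the helper reaches for ComboFix and GMER rather than for this log.

```python
"""Triage helper for a DDS-style log (added example, not a tool from the thread).

It walks the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections and returns
the entries a malware-removal helper asks about first. The rules are this
example's own heuristics; a hit means "look at this", not "this is malware".
"""
import re

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# R0/R1/R2 = running, S3 = stopped; fields are name;display name;path [date size]
DRIVER_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;.+$")

# Constructed excerpt in the DDS line format used by the log posted above.
# None of these entries is claimed to be malicious; they are the line shapes
# the rules below react to.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [<NO NAME>]
Trusted Zone: com.tw\www.msi
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-3-18 128016]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 MSICDSetup;MSICDSetup;\??\d:\cdriver.sys --> d:\CDriver.sys [?]
"""


def check_hjt_line(line):
    """Return a reason string for a Pseudo HJT line worth a second look, else None."""
    if line.startswith("BHO:") and line.endswith("- No File"):
        return "BHO registered but its DLL is missing (orphaned or already removed)"
    if line.startswith("Trusted Zone:"):
        return "site in the IE Trusted Zone (runs with relaxed security settings)"
    if line.startswith("DPF:"):
        return "ActiveX Downloaded Program File (verify the source URL)"
    if line.startswith(("uRun:", "mRun:")) and "[<NO NAME>]" in line:
        return "Run value with an empty name"
    if "Settings,ProxyServer" in line:
        return "IE proxy configured (a common redirect vector)"
    return None


def check_driver_line(line):
    """Return a reason for a SERVICES / DRIVERS line DDS could not inspect, else None."""
    if DRIVER_RE.match(line) and line.endswith("[?]"):
        return "service/driver file could not be inspected ([?]): confirm the path exists and is signed"
    return None


def triage(log_text):
    """Scan a DDS log and return a list of {'section', 'reason', 'line'} findings."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "Pseudo HJT Report":
            reason = check_hjt_line(line)
        elif section == "SERVICES / DRIVERS":
            reason = check_driver_line(line)
        else:
            reason = None
        if reason:
            findings.append({"section": section, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

To run it against a saved log, replace SAMPLE_LOG with the contents of DDS.txt; the section headers and line prefixes are the same ones DDS prints.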


#2 jpshortstuff (WhatTheTech Teacher)

Posted 18 March 2010 - 12:13 PM

Hi there

If you already have a copy of ComboFix, please delete it.

Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3





IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 StudioDTK5 (Topic Starter)

Posted 18 March 2010 - 12:56 PM

I did not appear to have any problems running Combo-Fix.exe. I attached the text file. I wasn't sure if I should copy/paste or upload. If you need me to copy/paste, let me know. I appreciate the help, jpshortstuff.

#4 jpshortstuff (WhatTheTech Teacher)

Posted 18 March 2010 - 01:09 PM

That looks pretty good; how are things running now?

Please go to this site:
http://virscan.org
and have this file scanned:
c:\windows\system32\sfcfiles.dll
Let me know the results.

#5 StudioDTK5 (Topic Starter)

Posted 18 March 2010 - 01:21 PM

I think it was OK. I think this is what you were looking for...

VirSCAN.org Scanned Report :
Scanned time : 2010/03/07 15:47:27 (EST)
Scanner results: Scanners did not find malware!
File Name : sfcfiles.dll
File Size : 1614848 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 362bc5af8eaf712832c58cc13ae05750
SHA1 : c8c2d44f34115f27f10bc435dd986d4eff00fe3f
Online report : http://virscan.org/report/dd02b0710e3bf969...f555402ab6.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100308033224 2010-03-08 4.55 -
AhnLab V3 2010.03.07.01 2010.03.07 2010-03-07 1.02 -
AntiVir 8.2.1.180 7.10.4.233 2010-03-05 0.24 -
Antiy 2.0.18 20100305.3965866 2010-03-05 0.02 -
Arcavir 2009 201003071206 2010-03-07 0.02 -
Authentium 5.1.1 201003071656 2010-03-07 1.98 -
AVAST! 4.7.4 100307-0 2010-03-07 0.14 -
AVG 8.5.720 271.1.1/2728 2010-03-07 1.88 -
BitDefender 7.81008.5380817 7.30667 2010-03-08 7.80 -
ClamAV 0.95.3 10525 2010-03-06 0.21 -
Comodo 3.13.579 4180 2010-03-07 1.89 -
CP Secure 1.3.0.5 2010.03.06 2010-03-06 0.44 -
Dr.Web 5.0.1.12222 2010.03.08 2010-03-08 6.05 -
F-Prot 4.4.4.56 20100307 2010-03-07 2.97 -
F-Secure 7.02.73807 2010.03.07.07 2010-03-07 8.70 -
Fortinet 11.556- 11.556 2010-03-06 0.23 -
GData 19.10753/19.802 20100307 2010-03-07 6.89 -
ViRobot 20100305 2010.03.05 2010-03-05 0.80 -
Ikarus T3.1.01.80 2010.03.07.75346 2010-03-07 5.58 -
JiangMin 13.0.900 2010.03.07 2010-03-07 8.99 -
Kaspersky 5.5.10 2010.03.07 2010-03-07 0.07 -
KingSoft 2009.2.5.15 2010.3.7.17 2010-03-07 0.65 -
McAfee 5.3.00 5913 2010-03-07 3.72 -
Microsoft 1.5502 2010.03.07 2010-03-07 6.63 -
Norman 6.01.09 6.01.00 2010-02-10 4.00 -
Panda 9.05.01 2010.03.07 2010-03-07 2.65 -
Trend Micro 9.120-1004 6.900.07 2010-03-07 0.09 -
Quick Heal 10.00 2010.03.06 2010-03-06 2.36 -
Rising 20.0 22.37.06.04 2010-03-07 1.08 -
Sophos 3.04.1 4.50 2010-03-08 3.75 -
Sunbelt 3.9.2408.2 5782 2010-03-07 3.87 -
Symantec 1.3.0.24 20100307.007 2010-03-07 0.08 -
nProtect 20100307.01 7665889 2010-03-07 4.64 -
The Hacker 6.5.1.9 v00224 2010-03-07 0.66 -
VBA32 3.12.12.2 20100305.1005 2010-03-05 4.32 -
VirusBuster 4.5.11.10 10.121.8/2025323 2010-03-08 3.13 -


As far as redirects in IE, on a very small amount of testing it appears to be fixed. Clicking on the second link returned from a Google search for "Tallest Tree" resulted in a redirect like 90% of the time but does not appear to be doing that anymore. Yay....

I currently do not have Google Chrome installed. That would be another good test. Do you want me to try to install Google Chrome yet?


#6 jpshortstuff (WhatTheTech Teacher)

Posted 18 March 2010 - 01:29 PM

You can try Google Chrome if you wish. It looks like ComboFix got the culprit (the "TDL3" Rootkit), but we'd better make sure everything is now gone.

ESET online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.
  • Please go here then click on:
    QUOTE
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

After this, please run DDS and GMER again, and post the logs. Let me know if you are still problem-free.

#7 StudioDTK5 (Topic Starter)

Posted 18 March 2010 - 04:18 PM

Wow, that took a while.

Here are the results of the ESET online scan...

I:\Old H Drive\MUSIC NTFS (N)\C Drive Back up\Application Data\Qualcomm\Eudora\In.mbx HTML/Phishing.gen trojan
I:\Old H Drive\MUSIC NTFS (N)\C Drive Back up\Application Data\Qualcomm\Eudora\Trash.mbx multiple threats
I:\Old H Drive\MUSIC NTFS (N)\C Drive Back up\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-762d722b-3d8ca966.class Win32/Adware.CWS.gen application
I:\Old H Drive\MUSIC NTFS (N)\C Drive Back up\My Downloads\Install_AIM.exe Win32/Adware.WBug.A application
I:\Old H Drive\MUSIC NTFS (N)\C Drive Back up\My Downloads\My Downloads\Install_AIM.exe Win32/Adware.WBug.A application


I've also attached the results from DDS and GMER.

Also, as far as I can tell, I'm still problem free...


Edited by StudioDTK5, 18 March 2010 - 04:19 PM.


#8 jpshortstuff (WhatTheTech Teacher)

Posted 18 March 2010 - 04:32 PM

Is I:\ an external drive or backup medium of some sort? It looks like there are a few infections lingering there; it would be worth removing those and perhaps scanning that drive thoroughly with ZoneAlarm and/or Malwarebytes, if you haven't already.

Open Control Panel, Add/Remove Programs, and remove this outdated Java version:
Java 2 Runtime Environment, SE v1.4.1

Otherwise, logs look good.

Click Start >> Run, and then type ComboFix /Uninstall and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.


Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • Make sure you update your Anti-Virus software regularly, new viruses are being developed all the time.

  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.
Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff

#9 StudioDTK5 (Topic Starter)

Posted 18 March 2010 - 06:45 PM

I'm not able to uninstall "Java 2 Runtime Environment, SE v1.4.1". It acts like it is going to uninstall but it still shows up in add/remove programs no matter how many times I remove it?

I manually deleted the files listed by ESET online scan. It was an internal drive, but just a backup from an old computer.

ZoneAlarm is up to date and I ran ZoneAlarm Ultra Deep Scan which came back clean. I'll run ZoneAlarm RootKit scan and MalwareBytes once again.

Windows is up to date.

ComboFix uninstalled successfully.

Is it OK to run Defogger and re-enable CD emulator drivers?

IE is running good with no redirects and Google Chrome is working for the first time since the problem began.

Sorry it took me a while to get back. I'm pretty burnt out on all this. Been working on it the last two days. Anyways, I don't know how to thank you enough. And I appreciate all the info you provided in the last post...

Thanks!

Edited by StudioDTK5, 18 March 2010 - 06:46 PM.
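The Java entry that survives every "uninstall" in Add/Remove Programs is a common leftover. As an added example (not from the thread), the Python helper below reads the registry's Uninstall keys and classifies each entry by whether its UninstallString can still run: the file it points at is gone, there is no command at all, or it is an msiexec product code (which has to be checked with msiexec /x {ProductCode} instead). Whether that is what happened to the Java 1.4.1 entry on this machine is not something the thread establishes; the sample entries, paths and product code in the script are constructed placeholders. Registry enumeration uses the standard-library winreg module and therefore works only on Windows (run as an administrator, with a Python of the OS's bitness); the classification logic takes an injectable file-exists check so it can be tried anywhere.

```python
"""List Add/Remove Programs entries whose uninstaller cannot run (added example).

An entry that "uninstalls" but comes straight back is often one whose
Uninstall registry key survives because the command it points at fails: the
uninstaller file is gone, or there is no command at all. This helper reads the
Uninstall keys with the standard-library winreg module (Windows only) and
classifies each entry; the classification is kept free of registry calls so
it can be exercised with constructed data on any platform.
"""
import ntpath
import os
import re

try:  # winreg exists only on Windows; the classification below runs anywhere
    import winreg
except ImportError:
    winreg = None

UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)
MSI_RE = re.compile(r"^msiexec(?:\.exe)?\s+/[IX]\s*\{[0-9A-F-]{36}\}", re.IGNORECASE)


def executable_from_command(cmd):
    """Extract the program path from an UninstallString.

    Handles quoted paths, unquoted paths containing spaces (up to the first
    .exe) and msiexec product codes (returns None: there is no file to check).
    """
    cmd = cmd.strip()
    if MSI_RE.match(cmd):
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def classify(entry, exists=os.path.isfile):
    """Classify one entry (dict with DisplayName / UninstallString as stored).

    Returns 'msi', 'ok', 'missing-uninstaller' or 'no-uninstall-string'.
    `exists` is injectable so the logic can be tested without the real files.
    """
    cmd = entry.get("UninstallString")
    if not cmd:
        return "no-uninstall-string"
    exe = executable_from_command(cmd)
    if exe is None:
        return "msi"
    if not ntpath.isabs(exe):  # bare program name resolved via PATH: assume present
        return "ok"
    return "ok" if exists(exe) else "missing-uninstaller"


def find_stuck(entries, exists=os.path.isfile):
    """Return the entries whose uninstall command cannot be run as stored."""
    return [e for e in entries
            if classify(e, exists) in ("missing-uninstaller", "no-uninstall-string")]


def read_uninstall_entries():
    """Enumerate Add/Remove Programs entries from the registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("registry access needs Windows (winreg)")
    entries = []
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for path in UNINSTALL_KEYS:
            try:
                key = winreg.OpenKey(root, path)
            except OSError:
                continue
            with key:
                for i in range(winreg.QueryInfoKey(key)[0]):
                    name = winreg.EnumKey(key, i)
                    entry = {"KeyName": name}
                    with winreg.OpenKey(key, name) as sub:
                        for value in ("DisplayName", "UninstallString"):
                            try:
                                entry[value] = winreg.QueryValueEx(sub, value)[0]
                            except OSError:
                                pass
                    if "DisplayName" in entry:
                        entries.append(entry)
    return entries


# Constructed sample entries; the paths and product code are placeholders,
# not values taken from the machine in the thread.
SAMPLE_ENTRIES = [
    {"KeyName": "JRE141", "DisplayName": "Java 2 Runtime Environment, SE v1.4.1",
     "UninstallString": r"C:\Program Files\Java\j2re1.4.1\Uninstall.exe /S"},
    {"KeyName": "{11111111-2222-3333-4444-555555555555}", "DisplayName": "MSI-installed product",
     "UninstallString": "MsiExec.exe /I{11111111-2222-3333-4444-555555555555}"},
    {"KeyName": "MyApp_is1", "DisplayName": "Quoted uninstaller",
     "UninstallString": r'"C:\Tools\My App\unins000.exe" /SILENT'},
    {"KeyName": "Orphan", "DisplayName": "No uninstaller at all"},
]


if __name__ == "__main__":
    present = lambda p: p == r"C:\Tools\My App\unins000.exe"  # stand-in for os.path.isfile
    for e in find_stuck(SAMPLE_ENTRIES, exists=present):
        print(f"{e['DisplayName']}: {classify(e, present)} (registry key {e['KeyName']})")
```

On the affected machine, call read_uninstall_entries() and pass the result to find_stuck(). Once an entry is confirmed orphaned, export its key first (reg export of the Uninstall subkey named in KeyName) and then delete that subkey; Add/Remove Programs is populated from those keys, so the entry disappears with it. For the "msi" class, try msiexec /x with the product code before touching the registry.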


#10 jpshortstuff (WhatTheTech Teacher)

Posted 18 March 2010 - 06:49 PM

Yep, you can run Defogger's re-enable now.

Glad we could help you.



