Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Explorer and Firefox Search Results Redirected


  • This topic is locked This topic is locked
22 replies to this topic

#1 jdtobrien

jdtobrien

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:26 AM

Posted 21 July 2010 - 12:28 PM

For a while now, whenever I use Internet Explorer of Firefox and search using google, I won't be able to get to the page I want without right clicking and copying the page url, then to another tab.
When I try to just click the link, It will redirect me to a different website.pasting it in

I've been able to get around this by using Google Chrome, but I can't stand that "Oops! This link appears broken" I get all the time.

I've seen multiple forum posts about this, but I was afraid to try anything listed in those posts in case my problem was different.

Here's my Hijack This log.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:26:30 AM, on 7/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NlsSrv32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Qwest
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MI1933~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {6B90DB48-D940-40C7-B7E2-03898465137D} - http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1252029085703
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NlsSrv32.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6771 bytes


Thank you!

Edited by jdtobrien, 21 July 2010 - 10:47 PM.
Moved from XP to Malware Removal Logs forum ~ Hamluis.


BC AdBot (Login to Remove)

 


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:26 PM

Posted 28 July 2010 - 02:13 AM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this do following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds file to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

  • Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #3 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Finland
    • Local time:04:26 PM

    Posted 05 August 2010 - 04:06 AM

    Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #4 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Finland
    • Local time:04:26 PM

    Posted 16 August 2010 - 12:15 AM

    Topic re-opened upon user's request.

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #5 jdtobrien

    jdtobrien
    • Topic Starter

    • Members
    • 10 posts
    • OFFLINE
    •  
    • Local time:06:26 AM

    Posted 16 August 2010 - 01:25 AM

    Thank you!

    DDS:



    DDS (Ver_10-03-17.01) - FAT32x86
    Run by User at 15:38:07.62 on Sun 08/15/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.176 [GMT -7:00]

    AV: Protection Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
    AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
    FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    SVCHOST.EXE
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    SVCHOST.EXE
    SVCHOST.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    SVCHOST.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\NlsSrv32.exe
    C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
    C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uSearch Page =
    uWindow Title = Windows Internet Explorer provided by Qwest
    uDefault_Page_URL = hxxp://qwest.live.com
    uSearch Bar =
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>;*.local
    mSearchAssistant =
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [AdobeBridge]
    uRun: [WebCamRT.exe]
    uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
    mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
    mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
    mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252029085703
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\2ta5hp84.default\
    FF - prefs.js: browser.startup.homepage - google.com
    FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.DLL
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-9-2 53168]
    S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [2009-11-2 220079]
    S4 nusponm;nusponm;c:\windows\system32\drivers\octc.sys [2010-6-7 54016]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-07-27 06:30:36 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-06-30 12:31:36 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:36 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-25 01:16:24 39556 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-06-25 00:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
    2010-06-24 12:22:04 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:22:04 916480 ------w- c:\windows\system32\dllcache\wininet.dll
    2010-06-24 12:22:04 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-24 12:22:02 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
    2010-06-24 12:22:02 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
    2010-06-24 12:22:02 206848 ------w- c:\windows\system32\dllcache\occache.dll
    2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
    2010-06-24 12:22:00 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2010-06-24 12:22:00 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-06-24 12:22:00 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
    2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
    2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
    2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-24 12:21:56 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:08:10 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-06-21 15:27:12 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-21 15:27:12 354304 ------w- c:\windows\system32\dllcache\srv.sys
    2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-14 07:41:46 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-14 07:41:46 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll
    2010-05-21 22:24:50 69680 ----a-w- c:\windows\fonts\Mustertexte.pdf
    2010-05-21 22:01:22 299992 ----a-w- c:\windows\fonts\Proletarsk.ttf
    2010-05-18 23:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 23:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-18 20:13:44 92140 ----a-w- c:\windows\fonts\Adidas_Unity.ttf
    2010-04-18 23:38:12 115200 --sha-r- c:\windows\system32\dxdiagh.dll
    2009-09-03 23:25:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090320090904\index.dat

    ============= FINISH: 15:39:23.65 ===============



    I've attached the Attach file as a Zip file because I was unsure of the instructions as it told me not to post it.

    Thanks again.

    Attached Files



    #6 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Finland
    • Local time:04:26 PM

    Posted 16 August 2010 - 03:46 AM

    Hi,

    uTorrent

    Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #7 jdtobrien

    jdtobrien
    • Topic Starter

    • Members
    • 10 posts
    • OFFLINE
    •  
    • Local time:06:26 AM

    Posted 16 August 2010 - 08:52 PM

    ComboFix 10-08-16.03 - User 08/16/2010 18:36:26.1.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.140 [GMT -7:00]
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
    FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\EXPLORER(2).EXE
    c:\windows\system32\drivers\octc.sys
    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_OSPPSVC
    -------\Service_osppsvc
    -------\Legacy_nusponm
    -------\Service_nusponm


    ((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
    .

    2010-08-16 01:59 . 2010-08-16 01:59 -------- d-----w- c:\documents and settings\User\Application Data\TeleScreen Server
    2010-08-15 23:02 . 2010-08-15 23:02 9662 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{5F74E89D-3C3F-4B80-82A6-190E78FA3559}\_6FEFF9B68218417F98F549.exe
    2010-08-15 23:02 . 2010-08-15 23:02 9662 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{5F74E89D-3C3F-4B80-82A6-190E78FA3559}\_1BA8BD35A624CF2BE997FB.exe
    2010-08-15 23:02 . 2010-08-15 23:02 10134 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{5F74E89D-3C3F-4B80-82A6-190E78FA3559}\_683F7FA76B3BEF3AEBF5FA.exe
    2010-08-15 23:02 . 2010-08-15 23:02 -------- d-----w- c:\program files\Phantombility
    2010-08-15 00:18 . 2010-08-15 00:18 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\NOS
    2010-08-12 20:40 . 2010-08-12 20:40 -------- d-----w- c:\documents and settings\User\Application Data\ImTOO Software Studio
    2010-08-12 20:38 . 2010-08-12 20:38 -------- d-----w- c:\program files\ImTOO
    2010-08-09 06:18 . 2010-08-09 06:18 -------- d-----w- C:\iOrgSoft FlipVideoConverter
    2010-08-08 22:29 . 2010-08-08 22:29 -------- d-----w- c:\program files\iOrgSoft
    2010-08-08 22:28 . 2010-08-08 22:28 -------- d-----w- c:\documents and settings\User\Application Data\GetRightToGo
    2010-08-08 21:39 . 2010-08-08 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
    2010-08-04 16:46 . 2010-08-04 16:46 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\dynparwwx
    2010-08-03 03:33 . 2001-10-26 21:16 16384 ----a-w- c:\windows\system32\FileOps.exe
    2010-08-03 03:33 . 2010-08-03 03:33 -------- d-----w- c:\windows\system32\Adobe
    2010-07-21 17:08 . 2010-07-21 17:08 -------- d-----w- c:\program files\Trend Micro
    2010-07-21 07:40 . 2010-07-21 07:40 -------- d-----w- C:\Hotspot Shield

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-14 18:21 . 2010-07-14 18:21 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-07-11 21:29 . 2010-07-11 21:29 -------- d-----w- c:\program files\7-Zip
    2010-07-11 20:02 . 2010-07-11 20:02 94208 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{20C31435-2A0A-4580-BE8B-AC06FC243CA4}\python_icon.exe
    2010-06-30 12:31 . 2004-08-04 17:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-25 01:16 . 2009-10-13 00:52 39556 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-06-24 12:22 . 2006-03-04 10:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-04 17:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 17:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-21 04:21 . 2010-06-21 04:20 -------- d-----w- c:\program files\iPod
    2010-06-21 04:13 . 2010-06-21 04:13 -------- d-----w- c:\program files\Bonjour
    2010-06-21 04:06 . 2010-06-21 04:06 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-17 14:03 . 2004-08-04 17:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-16 20:33 . 2010-06-16 20:33 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
    2010-06-14 14:31 . 2008-08-08 00:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2010-06-14 07:41 . 2004-08-04 17:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-13 22:47 . 2009-09-02 23:15 50024 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-06-13 20:59 . 2010-06-13 20:59 0 ----a-w- c:\windows\006189_.tmp
    2010-05-29 22:22 . 2010-05-29 22:22 -------- d-----w- c:\windows\Fonts\Original version
    2010-05-29 22:22 . 2010-05-29 22:22 -------- d-----w- c:\windows\Fonts\Improved version
    2010-05-25 21:47 . 2010-05-25 21:47 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5cf996e9-n\msvcp71.dll
    2010-05-25 21:47 . 2010-05-25 21:47 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5cf996e9-n\jmc.dll
    2010-05-25 21:47 . 2010-05-25 21:47 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73c34b75-n\decora-d3d.dll
    2010-05-25 21:47 . 2010-05-25 21:47 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73c34b75-n\decora-sse.dll
    2010-05-25 21:47 . 2010-05-25 21:47 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5cf996e9-n\msvcr71.dll
    2010-05-19 18:34 . 2010-04-21 01:35 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
    2010-04-18 23:38 . 2010-04-18 23:38 115200 --sha-r- c:\windows\system32\dxdiagh.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
    2010-02-28 09:20 561552 ----a-w- c:\progra~1\MI1933~1\Office14\URLREDIR.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-03 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
    "OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
    "LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-11 127022]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger Agent.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger Agent.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-02-03 05:38 135664 ----a-w- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-06-15 23:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2009-11-02 21:47 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-13 23:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare]
    2008-05-31 15:11 202016 ----a-w- c:\program files\Qwest\Quickcare\bin\sprtcmd.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [3/19/2010 6:32 PM 61440]
    R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2/5/2010 4:19 PM 26120]
    R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
    S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [11/2/2009 3:00 PM 220079]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/2/2009 6:00 PM 722416]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-17 c:\windows\Tasks\User_Feed_Synchronization-{446BA060-2C12-4053-9989-38E4C040A4F3}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

    2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-08-17 c:\windows\Tasks\HNOWMTGQ.job
    - c:\windows\system32\dxdiagh.dll [2010-04-18 23:38]

    2010-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-842925246-839522115-1003Core1cb1486abeacd7a.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-03 05:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>;*.local
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2ta5hp84.default\
    FF - prefs.js: browser.startup.homepage - google.com
    FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\progra~1\MI1933~1\Office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\MI1933~1\Office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.DLL
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-AdobeBridge - (no file)
    HKCU-Run-WebCamRT.exe - (no file)
    SafeBoot-klmdb.sys
    MSConfigStartUp-LogitechImageStudioTray - c:\program files\Logitech\ImageStudio\LogiTray.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-16 18:44
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(564)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    c:\program files\Microsoft Windows OneCare Live\winss.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-16 18:49:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-17 01:49

    Pre-Run: 5,097,553,920 bytes free
    Post-Run: 5,042,421,760 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - EE858E003A797BE4380D3BEC60A3198B



    Did this delete the virus or whatever it was I had? Oh and when should I re-enable Windows Live One Care and my Firewall?

    #8 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Finland
    • Local time:04:26 PM

    Posted 17 August 2010 - 12:33 AM

    Hi again,

    Let's take some more steps.


    Open notepad and copy/paste the text in the quotebox below into it:

    CODE
    Folder::
    c:\documents and settings\User\Local Settings\Application Data\dynparwwx



    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.



    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 21.
    • Click the
      Download
      button to the right.
    • Select Windows on platform combobox and check the box that says:
      Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



    Download ATF (Atribune Temp File) Cleanerę by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.


    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #9 jdtobrien

    jdtobrien
    • Topic Starter

    • Members
    • 10 posts
    • OFFLINE
    •  
    • Local time:06:26 AM

    Posted 17 August 2010 - 11:37 PM

    I left the Kaspersky scanner running for well over 5 hours, and it left me without a report, I don't know if it's my computer, but while it was scanning everything went slowly.

    I have the Combo fix and DDS files though.

    ComboFix 10-08-16.04 - User 08/17/2010 17:39:51.3.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.201 [GMT -7:00]
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
    AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
    FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
    .

    ((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
    .

    2010-08-17 15:45 . 2010-08-17 15:45 -------- d-----w- c:\program files\Common Files\Java
    2010-08-17 15:44 . 2010-08-17 15:44 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2668a996-n\msvcp71.dll
    2010-08-17 15:44 . 2010-08-17 15:44 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2668a996-n\jmc.dll
    2010-08-17 15:44 . 2010-08-17 15:44 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2668a996-n\msvcr71.dll
    2010-08-17 15:44 . 2010-08-17 15:44 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-448a5f1b-n\decora-sse.dll
    2010-08-17 15:44 . 2010-08-17 15:44 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-448a5f1b-n\decora-d3d.dll
    2010-08-17 15:44 . 2010-08-17 15:44 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-16 01:59 . 2010-08-16 01:59 -------- d-----w- c:\documents and settings\User\Application Data\TeleScreen Server
    2010-08-15 23:02 . 2010-08-15 23:02 9662 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{5F74E89D-3C3F-4B80-82A6-190E78FA3559}\_6FEFF9B68218417F98F549.exe
    2010-08-15 23:02 . 2010-08-15 23:02 9662 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{5F74E89D-3C3F-4B80-82A6-190E78FA3559}\_1BA8BD35A624CF2BE997FB.exe
    2010-08-15 23:02 . 2010-08-15 23:02 10134 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{5F74E89D-3C3F-4B80-82A6-190E78FA3559}\_683F7FA76B3BEF3AEBF5FA.exe
    2010-08-15 23:02 . 2010-08-15 23:02 -------- d-----w- c:\program files\Phantombility
    2010-08-15 00:18 . 2010-08-15 00:18 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\NOS
    2010-08-12 20:40 . 2010-08-12 20:40 -------- d-----w- c:\documents and settings\User\Application Data\ImTOO Software Studio
    2010-08-09 06:18 . 2010-08-09 06:18 -------- d-----w- C:\iOrgSoft FlipVideoConverter
    2010-08-08 22:29 . 2010-08-08 22:29 -------- d-----w- c:\program files\iOrgSoft
    2010-08-08 22:28 . 2010-08-08 22:28 -------- d-----w- c:\documents and settings\User\Application Data\GetRightToGo
    2010-08-08 21:39 . 2010-08-08 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
    2010-08-04 16:46 . 2010-08-04 16:46 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\dynparwwx
    2010-08-03 03:33 . 2001-10-26 21:16 16384 ----a-w- c:\windows\system32\FileOps.exe
    2010-08-03 03:33 . 2010-08-03 03:33 -------- d-----w- c:\windows\system32\Adobe
    2010-07-21 17:08 . 2010-07-21 17:08 -------- d-----w- c:\program files\Trend Micro
    2010-07-21 07:40 . 2010-07-21 07:40 -------- d-----w- C:\Hotspot Shield

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-14 18:21 . 2010-07-14 18:21 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-07-11 21:29 . 2010-07-11 21:29 -------- d-----w- c:\program files\7-Zip
    2010-07-11 20:02 . 2010-07-11 20:02 94208 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{20C31435-2A0A-4580-BE8B-AC06FC243CA4}\python_icon.exe
    2010-06-30 12:31 . 2004-08-04 17:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-25 01:16 . 2009-10-13 00:52 39556 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-06-24 12:22 . 2006-03-04 10:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-04 17:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 17:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-21 04:21 . 2010-06-21 04:20 -------- d-----w- c:\program files\iPod
    2010-06-21 04:13 . 2010-06-21 04:13 -------- d-----w- c:\program files\Bonjour
    2010-06-21 04:06 . 2010-06-21 04:06 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-17 14:03 . 2004-08-04 17:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-16 20:33 . 2010-06-16 20:33 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
    2010-06-14 14:31 . 2008-08-08 00:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2010-06-14 07:41 . 2004-08-04 17:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-13 22:47 . 2009-09-02 23:15 50024 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-06-13 20:59 . 2010-06-13 20:59 0 ----a-w- c:\windows\006189_.tmp
    2010-05-29 22:22 . 2010-05-29 22:22 -------- d-----w- c:\windows\Fonts\Original version
    2010-05-29 22:22 . 2010-05-29 22:22 -------- d-----w- c:\windows\Fonts\Improved version
    2010-05-25 21:47 . 2010-05-25 21:47 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5cf996e9-n\msvcp71.dll
    2010-05-25 21:47 . 2010-05-25 21:47 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5cf996e9-n\jmc.dll
    2010-05-25 21:47 . 2010-05-25 21:47 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73c34b75-n\decora-d3d.dll
    2010-05-25 21:47 . 2010-05-25 21:47 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-73c34b75-n\decora-sse.dll
    2010-05-25 21:47 . 2010-05-25 21:47 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5cf996e9-n\msvcr71.dll
    2010-04-18 23:38 . 2010-04-18 23:38 115200 --sha-r- c:\windows\system32\dxdiagh.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-08-17_01.45.05 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-18 00:24 . 2010-08-18 00:24 16384 c:\windows\Temp\Perflib_Perfdata_c0.dat
    + 2010-08-18 00:22 . 2010-08-18 00:22 16384 c:\windows\Temp\Perflib_Perfdata_628.dat
    - 2010-04-09 19:58 . 2010-04-09 19:58 153376 c:\windows\system32\javaws.exe
    + 2010-08-17 15:44 . 2010-08-17 15:44 153376 c:\windows\system32\javaws.exe
    - 2010-04-09 19:58 . 2010-04-09 19:58 145184 c:\windows\system32\javaw.exe
    + 2010-08-17 15:44 . 2010-08-17 15:44 145184 c:\windows\system32\javaw.exe
    - 2010-04-09 19:58 . 2010-04-09 19:58 145184 c:\windows\system32\java.exe
    + 2010-08-17 15:44 . 2010-08-17 15:44 145184 c:\windows\system32\java.exe
    + 2010-08-17 15:45 . 2010-08-17 15:45 180224 c:\windows\Installer\301cddc.msi
    + 2010-08-17 15:44 . 2010-08-17 15:44 677376 c:\windows\Installer\301cdd6.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
    2010-02-28 09:20 561552 ----a-w- c:\progra~1\MI1933~1\Office14\URLREDIR.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-03 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
    "OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
    "LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-11 127022]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger Agent.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger Agent.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-02-03 05:38 135664 ----a-w- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-06-15 23:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2009-11-02 21:47 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-13 23:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare]
    2008-05-31 15:11 202016 ----a-w- c:\program files\Qwest\Quickcare\bin\sprtcmd.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [3/19/2010 6:32 PM 61440]
    R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2/5/2010 4:19 PM 26120]
    R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
    S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [11/2/2009 3:00 PM 220079]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/2/2009 6:00 PM 722416]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-17 c:\windows\Tasks\User_Feed_Synchronization-{446BA060-2C12-4053-9989-38E4C040A4F3}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

    2010-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-08-18 c:\windows\Tasks\HNOWMTGQ.job
    - c:\windows\system32\dxdiagh.dll [2010-04-18 23:38]

    2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-842925246-839522115-1003Core1cb1486abeacd7a.job
    - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-03 05:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>;*.local
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\2ta5hp84.default\
    FF - prefs.js: browser.startup.homepage - google.com
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-17 17:47
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3676)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-08-17 17:50:15
    ComboFix-quarantined-files.txt 2010-08-18 00:50
    ComboFix2.txt 2010-08-17 15:39
    ComboFix3.txt 2010-08-17 01:49

    Pre-Run: 4,700,815,360 bytes free
    Post-Run: 4,814,225,408 bytes free

    - - End Of File - - 291483A79A2EB4C24026AD39568AF197






    DDS (Ver_10-03-17.01) - FAT32x86
    Run by User at 17:56:51.26 on Tue 08/17/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.143 [GMT -7:00]

    AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
    FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\NlsSrv32.exe
    C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
    C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\My Documents\Downloads\dds (1).com

    ============== Pseudo HJT Report ===============

    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>;*.local
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
    mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
    mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252029085703
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\2ta5hp84.default\
    FF - prefs.js: browser.startup.homepage - google.com
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2010-3-19 61440]
    R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]
    R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
    S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-9-2 53168]
    S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [2009-11-2 220079]

    =============== Created Last 30 ================

    2010-08-18 00:51:33 0 d-sh--w- C:\Recycled
    2010-08-17 15:44:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-08-17 15:44:35 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-17 01:34:50 0 d-sha-r- C:\cmdcons
    2010-08-17 01:26:23 98816 ----a-w- c:\windows\sed.exe
    2010-08-17 01:26:23 77312 ----a-w- c:\windows\MBR.exe
    2010-08-17 01:26:23 256512 ----a-w- c:\windows\PEV.exe
    2010-08-17 01:26:23 161792 ----a-w- c:\windows\SWREG.exe
    2010-08-16 01:59:36 0 d-----w- c:\docume~1\user\applic~1\TeleScreen Server
    2010-08-15 23:02:23 0 d-----w- c:\program files\Phantombility
    2010-08-12 20:40:30 0 d-----w- c:\docume~1\user\applic~1\ImTOO Software Studio
    2010-08-09 06:18:57 0 d-----w- C:\iOrgSoft FlipVideoConverter
    2010-08-08 22:29:28 0 d-----w- c:\program files\iOrgSoft
    2010-08-08 22:28:13 0 d-----w- c:\docume~1\user\applic~1\GetRightToGo
    2010-08-08 21:41:27 1015 ----a-r- C:\logFile.xsl
    2010-08-08 21:39:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Flip Video
    2010-08-03 03:33:29 16384 ----a-w- c:\windows\system32\FileOps.exe
    2010-08-03 03:33:26 0 d-----w- c:\windows\system32\Adobe
    2010-07-21 17:08:52 0 d-----w- c:\program files\Trend Micro
    2010-07-21 07:40:36 0 d-----w- C:\Hotspot Shield

    ==================== Find3M ====================

    2010-07-27 06:30:36 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-06-30 12:31:36 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:36 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-25 01:16:24 39556 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-06-25 00:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
    2010-06-24 12:22:04 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:22:04 916480 ------w- c:\windows\system32\dllcache\wininet.dll
    2010-06-24 12:22:04 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-24 12:22:02 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
    2010-06-24 12:22:02 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
    2010-06-24 12:22:02 206848 ------w- c:\windows\system32\dllcache\occache.dll
    2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
    2010-06-24 12:22:00 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2010-06-24 12:22:00 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-06-24 12:22:00 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
    2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
    2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
    2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-24 12:21:56 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:08:10 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-06-21 15:27:12 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-21 15:27:12 354304 ------w- c:\windows\system32\dllcache\srv.sys
    2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-14 07:41:46 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-14 07:41:46 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll
    2010-05-21 22:24:50 69680 ----a-w- c:\windows\fonts\Mustertexte.pdf
    2010-05-21 22:01:22 299992 ----a-w- c:\windows\fonts\Proletarsk.ttf
    2010-04-18 23:38:12 115200 --sha-r- c:\windows\system32\dxdiagh.dll
    2009-09-03 23:25:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090320090904\index.dat

    ============= FINISH: 17:57:39.10 ===============




    Also, I just saw the part about uTorrent, and I uninstalled it just a little bit ago, but that was after I did these scans.

    #10 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Finland
    • Local time:04:26 PM

    Posted 18 August 2010 - 12:17 AM

    Hi,

    Let's run ESET scanner too:
    * Go here to run an online scanner from ESET.
    • Note: You will need to use Internet explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is UNchecked.
    • Click Scan
    • Wait for the scan to finish. Post back the results if anything found.

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #11 jdtobrien

    jdtobrien
    • Topic Starter

    • Members
    • 10 posts
    • OFFLINE
    •  
    • Local time:06:26 AM

    Posted 20 August 2010 - 01:43 PM

    On the threats found, I had two infected files. I pressed list of found threats and saved it to the desktop, here's what it said.

    C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
    C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application

    #12 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Finland
    • Local time:04:26 PM

    Posted 20 August 2010 - 03:17 PM

    Hi,

    Please delete those two findings. Any issues left?

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #13 jdtobrien

    jdtobrien
    • Topic Starter

    • Members
    • 10 posts
    • OFFLINE
    •  
    • Local time:06:26 AM

    Posted 20 August 2010 - 06:19 PM

    I deleted the .dll's and restarted the computer and everything seemed to be working and I was getting no redirects with my searches, but I pressed the back button and then it took me to a shopping related website.

    I typed in blah into google, then clicked on one of the links, and the url in the address bar changed to;
    hxxp://www.oeunymodirf.com/?q=blah

    Then took me to informationgetter.com

    Sometimes I'll get the page I want to go to, but sometimes I'll get a redirect.

    Edited by Blade81, 21 August 2010 - 03:31 AM.
    link disabled


    #14 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Finland
    • Local time:04:26 PM

    Posted 21 August 2010 - 03:26 AM

    Hi,

    Have you checked if the issue occurs with both Firefox and Internet Explorer? If not, please do and let me know.

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #15 jdtobrien

    jdtobrien
    • Topic Starter

    • Members
    • 10 posts
    • OFFLINE
    •  
    • Local time:06:26 AM

    Posted 21 August 2010 - 02:12 PM

    I was checking Firefox and it seemed to work, but then it started redirecting the links again. It's the same thing with IE, I'll only get to the actual page I want sometimes.

    That's the main reason I use Google Chrome, there's no redirects at all.




    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users