Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 01-21-2010, 12:38 PM   #1 (permalink)
Registered User
Join Date: Jul 2009
Location: Kitchener, Ontario, Canada
Posts: 8
OS: Vista Bus. SP 2 & Ubuntu 9.10


pages redirect to advertisements

Here is copy pasta from another post I have made:

Quote:
Unfortunately I cannot remember what I did right before it started, but now once in a while my browser will randomly redirect my pages to advertising pages. For example, the most recent one was hxxp://us.chinaontv.com/sex_museum/index.html when doing a test search and opening a Wikipedia page. It seems to happen most often when I am clicking on a result from Google.

I have run spyware scanners, and I am currently in the process of doing a full virus scan. So far nothing, but I will update if it finds something. I have cleared my cache, my cookies, and some other stuff (I used Spyware Blaster, Spyware Search and Destroy, and CCleaner so whatever those clean). It is still doing it, and the scans all showed up clean.

What could be causing this, or is there anything I could do to further determine what is going on? BTW I am using the newest Firefox and Vista Business SP 2 (I just installed SP 2 but it was happening before that as well). I want my browsing back!
I was told to follow the steps and attach a couple of logs to this post, so I did. I will also note that I do have access to a burnt copy of the Vista install DVD. I also closed most programs I had running except for Norton and Firefox, as well as the programs needed for diagnosis.

I would also like to note that the GMER scan didn't finish. I tried doing it four times: the first three times my computer randomly restarted in the middle of the scan (after about 3 hours of scanning), and the last time it just froze. So I am attaching what it got out of the scan it did complete, and hopefully that is sufficient. If it absolutely needs to be finished, I will try again to complete it.

Here is the DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Kate the Great at 11:05:21.84 on 20/01/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.2.1033.18.3002.1288 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\BOINC\boinctray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\CaledosLAB\Caledos Automatic Wallpaper Changer\CaledosWallpaper6.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\system32\conime.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Kate the Great\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PimpFish Toolbar Opcode Handler: {29c88e20-4234-41b9-a9db-982958c95fb1} - c:\program files\pimpfish\PimpFish.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
TB: PimpFish: {d593de91-7b41-45c2-830e-e9a99ab142aa} - c:\program files\pimpfish\PimpFish.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [atmxmld9] rundll32.exe "c:\users\kate the great\appdata\local\atmxmld9\atmxmld9.dll", DllInit
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\users\kateth~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\kate the great\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\caledo~1.lnk - c:\windows\installer\{04febc27-d0c2-408c-818f-232367cbf48e}\_B4DEF8A0EADF742B6C2287.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\kateth~1\appdata\roaming\mozilla\firefox\profiles\acsler5x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-11-30 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-11-30 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-11-30 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100119.001\IDSvix86.sys [2010-1-19 343088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-3 102448]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-30 112128]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0305020.00b\symndisv.sys [2009-11-30 48688]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2010-1-11 17792]
S2 gupdate1ca721c322e7448;Google Update Service (gupdate1ca721c322e7448);c:\program files\google\update\GoogleUpdate.exe [2009-11-30 133104]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-11-26 34384]

=============== Created Last 30 ================

2010-01-19 01:16:37 0 d-----w- c:\windows\system32\eu-ES
2010-01-19 01:16:37 0 d-----w- c:\windows\system32\ca-ES
2010-01-19 01:16:36 0 d-----w- c:\windows\system32\vi-VN
2010-01-19 00:43:16 0 d-----w- c:\windows\system32\EventProviders
2010-01-19 00:39:04 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2010-01-19 00:37:59 37376 ----a-w- c:\windows\system32\EhStorPwdMgr.dll
2010-01-19 00:36:59 89088 ----a-w- c:\windows\system32\pintlgnt.ime
2010-01-19 00:35:58 218624 ----a-w- c:\windows\system32\wdscore.dll
2010-01-19 00:35:58 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2010-01-19 00:35:30 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-01-17 21:44:08 0 d-----w- c:\program files\CCleaner
2010-01-17 21:38:22 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-17 21:38:22 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-17 21:34:29 0 d-----w- c:\programdata\TEMP
2010-01-17 21:34:20 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-01-17 21:34:18 0 d-----w- c:\program files\SpywareBlaster
2010-01-13 13:13:57 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 13:13:57 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 03:44:50 0 d-----w- c:\users\kateth~1\appdata\roaming\Avnex
2010-01-12 03:44:25 0 d-----w- c:\program files\AV Vcs 7.0 GOLD
2010-01-12 00:32:16 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2010-01-11 23:41:31 0 d-----w- c:\windows\system32\appmgmt
2010-01-11 20:31:05 0 d-----w- c:\programdata\Screaming Bee
2010-01-11 02:21:08 0 d-----w- C:\vcs5BGEffects
2010-01-11 02:21:06 0 d-----w- C:\vcs5core
2010-01-11 02:21:06 0 d-----w- C:\AV_LOGS
2010-01-11 02:20:10 0 d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2010-01-06 17:24:33 0 d-----w- c:\program files\gs
2009-12-31 06:52:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-12-24 17:18:43 0 d-----w- c:\program files\SmartSoftVideoConverterPro
2009-12-22 03:49:00 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-12-22 03:45:51 0 d-----r- c:\program files\Skype
2009-12-22 03:45:40 0 d-----w- c:\programdata\Skype

==================== Find3M ====================

2010-01-19 01:23:50 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-19 01:23:50 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-19 01:23:50 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-19 01:16:21 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-19 01:00:04 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-20 05:13:34 624640 ----a-w- c:\windows\Twittearth.scr
2009-12-01 01:49:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-12-01 01:02:08 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-01 01:02:08 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-01 01:02:08 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-01 01:01:58 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-01 01:01:58 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-12-01 01:01:52 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-11-30 23:48:56 0 --sha-r- c:\windows\system32\drivers\103C_HP_cNB_G60 Notebook PC_Y5335KV_0U_Q2CE9031S83_E508164-121_4A_I3612_SWistron_V09.66_F.52_T090826_WV6-1_L409_M3003_J250_7Intel_86FD_92.17_#090617_N10EC8136;168C001C_(NR647UA#ABC)_XMOBILE_CN10_Z_2PCID.MRK
2009-11-30 23:35:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-11-26 0534 34384 ----a-w- c:\windows\system32\drivers\ScreamingBAudio.sys
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-14 00:47:32 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-06 21:58:00 803584 ----a-w- c:\windows\boinc.scr
2009-11-05 13:39:40 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2008-01-21 02:43:58 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 11:07:02.42 ===============
Attached Files
File Type: zip attach.zip (2.8 KB, 3 views)
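The Pseudo HJT Report section above is what the analyst reads to spot persistence; the entry that stands out is the uRun line that uses rundll32.exe to load a DLL from the user's AppData\Local folder (ComboFix later deletes that DLL). As an added example that is not part of the thread, here is a small Python triage script that parses uRun/mRun lines in DDS format and flags such entries; the sample input is constructed from the log lines above, and the heuristics (rundll32 loader, target under a user profile, empty command, target outside the program directories) are the author's assumptions, not DDS's own logic.

```python
"""Triage helper for uRun/mRun lines in a DDS 'Pseudo HJT Report' section.

Added example, not from the thread or from the DDS tool. It flags autorun
entries that look out of place next to vendor entries: rundll32 loading a
DLL, targets under a per-user profile, empty commands, and anything outside
the usual program directories.
"""
import re

# Constructed sample in the shape of the DDS output above (paths taken from the log).
SAMPLE_DDS = """\
uRun: [Sidebar] c:\\program files\\windows sidebar\\sidebar.exe /autoRun
uRun: [atmxmld9] rundll32.exe "c:\\users\\kate the great\\appdata\\local\\atmxmld9\\atmxmld9.dll", DllInit
uRun: [SpybotSD TeaTimer] c:\\program files\\spybot - search & destroy\\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
mRun: [<NO NAME>]
mRun: [TkBellExe] "c:\\program files\\common files\\real\\update_ob\\realsched.exe" -osboot
"""

# uRun = per-user Run key, mRun = machine-wide Run key; [name] then the command line.
RUN_LINE = re.compile(r'^(?P<hive>[um]Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# A target living under c:\users\<name>\appdata\ (Vista profile layout, as in the log).
USER_PROFILE = re.compile(r'[a-z]:\\users\\[^\\]+\\appdata\\', re.I)
# Where vendor autoruns normally point: Program Files or the Windows directory.
PROGRAM_DIRS = re.compile(r'^"?(?:[a-z]:\\(?:program files|windows)\\|%programfiles%\\)', re.I)
# Command line that starts with rundll32, quoted or not.
RUNDLL32 = re.compile(r'^"?rundll32(?:\.exe)?"?(?:\s|$)', re.I)


def parse_run_entries(text):
    """Return one dict {hive, name, cmd} per uRun/mRun line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entry):
    """Return the reasons an entry deserves review; an empty list means unremarkable."""
    reasons = []
    cmd = entry['cmd']
    if not cmd:
        # A Run value with no command (the <NO NAME> line): stale, or a value
        # whose data DDS could not read. Worth confirming in the registry.
        return ['empty command']
    if RUNDLL32.match(cmd):
        # rundll32 is a signed Windows binary; what matters is the DLL it loads.
        reasons.append('rundll32 loader')
    if USER_PROFILE.search(cmd):
        # Vendor software rarely persists from AppData; droppers commonly do.
        reasons.append('target under user profile')
    if not reasons and not PROGRAM_DIRS.match(cmd):
        reasons.append('target outside program directories')
    return reasons


def flagged_entries(text):
    """Parse the log text and return [(name, reasons)] for every entry worth review."""
    flagged = []
    for entry in parse_run_entries(text):
        reasons = triage(entry)
        if reasons:
            flagged.append((entry['name'], reasons))
    return flagged


if __name__ == '__main__':
    for name, reasons in flagged_entries(SAMPLE_DDS):
        print(f'[{name}] -> {", ".join(reasons)}')
```

Run against the full DDS log, the same script leaves the Sidebar, Spybot, Defender and RealPlayer entries alone and reports only atmxmld9 and the empty <NO NAME> value.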

Old 01-22-2010, 08:45 PM   #2 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,918
OS: XP Pro, Windows 7, Ubuntu


Re: pages redirect to advertisements

Hello and welcome to TSF

I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here and here.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.



We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
See this link for instructions on how to do this:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Proud Member of ASAP
Proud Member of UNITE

Old 01-23-2010, 03:48 PM   #3 (permalink)
Registered User
Join Date: Jul 2009
Location: Kitchener, Ontario, Canada
Posts: 8
OS: Vista Bus. SP 2 & Ubuntu 9.10


Re: pages redirect to advertisements

Here is the text file ComboFix created after I ran the program. It created a file called ComboFix.txt and a log.txt. I have included the former, but if you need the log, I can attach that too. Here it is:

ComboFix 10-01-23.02 - Kate the Great 23/01/2010 18:05:58.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.2.1033.18.3002.1726 [GMT -5:00]
Running from: c:\users\Kate the Great\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Kate the Great\AppData\Local\atmxmld9\atmxmld9.dll
c:\windows\Help\help
c:\windows\Help\help\en-US\Help.h1c
c:\windows\Help\help\en-US\Help.H1T
c:\windows\Help\help\en-US\Help_AssetId.H1K
c:\windows\Help\help\en-US\Help_BestBet.H1K
c:\windows\Help\help\en-US\Help_LinkTerm.H1K
c:\windows\Help\help\en-US\Help_SubjectTerm.H1K
c:\windows\Help\help\en-US\resources.H1S
c:\windows\Help\help\en-US\stopwrds.stp
c:\windows\Help\help\en-US\stylec.h1s
c:\windows\system32\ccrpTmr6.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-23 23:13 . 2010-01-23 23:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-23 23:04 . 2010-01-23 23:04 -------- d-----w- C:\32788R22FWJFW
2010-01-20 17:49 . 2010-01-21 22:00 -------- d-----w- c:\users\Kate the Great\AppData\Local\Adobe
2010-01-20 17:40 . 2010-01-20 17:40 -------- d-----w- c:\program files\Lame for Audacity
2010-01-20 17:38 . 2010-01-20 17:38 -------- d-----w- c:\program files\Audacity
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\ca-ES
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\eu-ES
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\vi-VN
2010-01-19 00:43 . 2010-01-19 00:43 -------- d-----w- c:\windows\system32\EventProviders
2010-01-19 00:39 . 2009-04-11 05:03 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2010-01-19 00:36 . 2009-04-11 06:28 1671680 ----a-w- c:\windows\system32\wlanpref.dll
2010-01-19 00:35 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2010-01-19 00:35 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2010-01-19 00:35 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-01-17 21:44 . 2010-01-17 21:44 -------- d-----w- c:\program files\CCleaner
2010-01-17 21:38 . 2010-01-19 09:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-17 21:38 . 2010-01-17 22:42 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-17 21:34 . 2005-08-26 00:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-01-17 21:34 . 2010-01-17 21:36 -------- d-----w- c:\program files\SpywareBlaster
2010-01-13 13:13 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 13:13 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 03:44 . 2010-01-12 03:44 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Avnex
2010-01-12 03:44 . 2010-01-12 03:45 -------- d-----w- c:\program files\AV Vcs 7.0 GOLD
2010-01-12 00:32 . 2008-12-26 17:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2010-01-11 23:40 . 2010-01-23 23:12 -------- d-----w- c:\users\Kate the Great\AppData\Local\atmxmld9
2010-01-11 20:31 . 2010-01-11 23:41 -------- d-----w- c:\programdata\Screaming Bee
2010-01-11 02:21 . 2010-01-11 02:26 -------- d-----w- C:\vcs5BGEffects
2010-01-11 02:21 . 2010-01-12 00:36 -------- d-----w- C:\AV_LOGS
2010-01-11 02:21 . 2010-01-11 02:28 -------- d-----w- C:\vcs5core
2010-01-11 02:20 . 2010-01-11 02:38 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2010-01-06 17:25 . 2010-01-11 16:27 -------- d-----w- c:\users\Kate the Great\AppData\Local\CutePDF Writer
2010-01-06 17:24 . 2010-01-06 17:24 -------- d-----w- c:\program files\gs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 22:48 . 2009-12-22 03:47 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Skype
2010-01-23 22:48 . 2009-12-01 00:15 -------- d-----w- c:\programdata\BOINC
2010-01-23 21:00 . 2009-12-22 03:48 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\skypePM
2010-01-23 00:24 . 2009-12-03 19:41 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Dropbox
2010-01-22 22:40 . 2009-12-01 00:28 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\uTorrent
2010-01-21 00:17 . 2009-12-01 00:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 00:00 . 2009-12-01 03:00 -------- d-----w- c:\programdata\Messenger Plus!
2010-01-19 23:47 . 2009-12-01 00:58 -------- d-----w- c:\program files\Messenger Plus! Live
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-19 01:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-19 01:16 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-14 16:12 . 2009-12-01 07:14 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 22:01 . 2009-12-05 23:41 -------- d-----w- c:\programdata\NOS
2010-01-04 15:30 . 2009-12-09 01:10 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\vlc
2010-01-02 06:38 . 2010-01-21 20:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 20:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 20:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 06:52 . 2009-12-31 06:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-12-24 17:18 . 2009-12-24 17:18 -------- d-----w- c:\program files\SmartSoftVideoConverterPro
2009-12-24 17:06 . 2009-12-24 17:06 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Roxio
2009-12-22 03:49 . 2009-12-22 03:49 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-12-22 03:46 . 2009-12-22 03:45 -------- d-----r- c:\program files\Skype
2009-12-22 03:45 . 2009-12-22 03:45 -------- d-----w- c:\program files\Common Files\Skype
2009-12-22 03:45 . 2009-12-22 03:45 -------- d-----w- c:\programdata\Skype
2009-12-20 05:13 . 2009-12-20 05:12 624640 ----a-w- c:\windows\Twittearth.scr
2009-12-20 05:11 . 2009-12-20 05:11 -------- d-----w- c:\program files\Primelabs
2009-12-20 05:08 . 2009-12-20 05:08 -------- d-----w- c:\program files\UselessCreations
2009-12-19 00:01 . 2009-12-18 19:32 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Winamp
2009-12-18 19:34 . 2009-12-01 00:31 -------- d-----w- c:\program files\Winamp
2009-12-18 19:32 . 2009-12-18 19:18 -------- d-----w- c:\program files\Winamp Detect
2009-12-17 14:34 . 2009-12-17 14:34 -------- d-----w- c:\programdata\WindowsSearch
2009-12-16 21:07 . 2009-12-16 21:06 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\acccore
2009-12-16 21:03 . 2009-12-16 21:03 -------- d-----w- c:\programdata\AIM
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\AIM
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\Common Files\AOL
2009-12-16 18:03 . 2009-12-16 18:03 -------- d-----w- c:\program files\YouTube Downloader
2009-12-16 17:59 . 2009-12-07 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-16 17:18 . 2009-12-16 17:17 -------- d-----w- c:\program files\Common Files\Real
2009-12-16 17:18 . 2009-12-16 17:18 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-16 17:17 . 2009-12-16 17:17 -------- d-----w- c:\program files\Real
2009-12-16 17:08 . 2009-12-16 17:08 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Zabersoft
2009-12-16 17:08 . 2009-12-16 16:59 -------- d-----w- c:\programdata\Zabersoft
2009-12-16 17:08 . 2009-12-16 16:59 -------- d-----w- c:\program files\PimpFish
2009-12-15 01:50 . 2009-12-08 00:52 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\HpUpdate
2009-12-13 22:20 . 2009-12-13 22:18 -------- d-----w- c:\programdata\WinZip
2009-12-12 03:01 . 2009-12-12 03:01 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Research In Motion
2009-12-11 15:44 . 2009-12-07 00:49 -------- d-----w- c:\program files\Java
2009-12-11 03:16 . 2009-12-11 03:16 -------- d-----w- c:\program files\MSXML 4.0
2009-12-11 03:01 . 2009-11-30 23:02 72568 ----a-w- c:\users\Kate the Great\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-10 19:25 . 2009-12-10 19:01 -------- d-----w- c:\program files\ViRC
2009-12-10 00:00 . 2009-11-30 23:42 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\InstallShield
2009-12-10 00:00 . 2009-12-10 00:00 -------- d-----w- c:\programdata\InstallShield
2009-12-09 23:59 . 2009-12-09 23:59 -------- d-----w- c:\programdata\Sonic
2009-12-09 23:58 . 2009-12-09 23:52 -------- d-----w- c:\programdata\Roxio
2009-12-09 23:54 . 2009-12-09 23:40 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-12-09 23:54 . 2009-12-01 00:19 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-12-09 23:53 . 2009-12-09 23:52 -------- d-----w- c:\program files\Roxio
2009-12-09 23:52 . 2009-12-09 23:52 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-09 23:52 . 2009-12-09 23:44 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-09 23:40 . 2009-12-02 20:38 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-12-09 23:40 . 2009-12-09 23:40 -------- d-----w- c:\programdata\Research In Motion
2009-12-08 00:55 . 2009-12-08 00:55 -------- d-----w- c:\program files\Hp
2009-12-07 15:43 . 2009-12-07 15:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-07 01:12 . 2009-12-07 01:12 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\OpenOffice.org
2009-12-07 00:53 . 2009-12-07 00:53 -------- d-----w- c:\program files\JRE
2009-12-07 00:53 . 2009-12-07 00:52 -------- d-----w- c:\program files\OpenOffice.org 3
2009-12-04 19:38 . 2009-12-04 19:38 -------- d-----w- c:\program files\Tweet Play List
2009-12-03 23:58 . 2009-11-30 23:36 -------- d-----w- c:\program files\CONEXANT
2009-12-03 20:57 . 2009-12-03 20:57 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\DivX
2009-12-02 20:38 . 2009-12-02 20:38 -------- d-----w- c:\program files\Research In Motion
2009-12-02 01:09 . 2009-12-01 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-01 13:02 . 2009-12-01 13:02 -------- d-----w- c:\programdata\Symantec
2009-12-01 03:28 . 2009-12-01 00:15 -------- d-----w- c:\program files\BOINC
2009-12-01 02:28 . 2009-12-01 02:28 -------- dc-h--w- c:\programdata\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-12-01 01:57 . 2009-12-01 01:57 -------- d-----w- c:\programdata\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2009-12-01 01:49 . 2009-12-01 01:49 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-12-01 01:02 . 2009-12-01 01:02 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-01 01:02 . 2009-12-01 01:02 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-01 01:02 . 2009-12-01 01:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-01 01:02 . 2009-12-01 01:02 -------- d-----w- c:\program files\Symantec
2009-12-01 01:01 . 2009-12-01 01:02 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-01 01:01 . 2009-12-01 01:02 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-12-01 01:01 . 2009-12-01 01:02 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-12-01 01:01 . 2009-12-01 01:01 -------- d-----w- c:\program files\Norton 360
2009-12-01 01:01 . 2009-12-01 01:00 -------- d-----w- c:\programdata\Norton
2009-12-01 01:00 . 2009-12-01 00:59 -------- d-----w- c:\programdata\NortonInstaller
2009-12-01 00:59 . 2009-12-01 00:59 -------- d-----w- c:\program files\NortonInstaller
2009-12-01 00:56 . 2009-12-01 00:56 -------- d-----w- c:\program files\Microsoft
2009-12-01 00:56 . 2009-12-01 00:56 -------- d-----w- c:\program files\Windows Live
2009-12-01 00:56 . 2009-12-01 00:56 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-01 00:51 . 2009-12-01 00:51 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-01 00:51 . 2009-12-01 00:51 -------- d-----w- c:\programdata\Symantec Temporary Files
2009-12-01 00:30 . 2009-12-01 00:30 -------- d-----w- c:\program files\VideoLAN
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-11 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-11 145944]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-09-01 499768]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2009-11-06 4793088]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2009-11-06 58112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-16 198160]

c:\users\Kate the Great\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Caledos Wallpaper (startup).lnk - c:\windows\Installer\{04FEBC27-D0C2-408C-818F-232367CBF48E}\_B4DEF8A0EADF742B6C2287.exe [2009-11-30 82726]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a6,78,55,eb,a5,98,ca,01

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\N360\0305020.00B\SymEFA.sys [30/11/2009 8:01 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\N360\0305020.00B\BHDrvx86.sys [30/11/2009 8:01 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\N360\0305020.00B\cchpx86.sys [30/11/2009 8:01 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100119.001\IDSvix86.sys [19/01/2010 9:28 PM 343088]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [30/11/2009 8:01 PM 117640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [17/01/2010 4:38 PM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [03/12/2009 3:37 PM 102448]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [30/06/2008 5:52 AM 112128]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\N360\0305020.00B\symndisv.sys [30/11/2009 8:01 PM 48688]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\System32\drivers\vcsvad.sys [11/01/2010 7:32 PM 17792]
S2 gupdate1ca721c322e7448;Google Update Service (gupdate1ca721c322e7448);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2009 7:21 PM 133104]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\System32\drivers\ScreamingBAudio.sys [26/11/2009 12:06 AM 34384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 00:20]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 00:20]

2010-01-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-01-17 20:31]

2010-01-23 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2010-01-17 20:31]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\Kate the Great\AppData\Roaming\Mozilla\Firefox\Profiles\acsler5x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-atmxmld9 - c:\users\Kate the Great\AppData\Local\atmxmld9\atmxmld9.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1020)
c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll
c:\windows\System32\shacct.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\conime.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-01-23 18:25:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-23 23:25

Pre-Run: 65,816,670,208 bytes free
Post-Run: 65,655,992,320 bytes free

- - End Of File - - 2712129DA105D88169AD25D5E89A4BB5
Old 01-23-2010, 04:45 PM   #4
Clark76
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,918
OS: XP Pro, Windows 7, Ubuntu


Re: pages redirect to advertisements

Hello again,

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad and copy/paste the text in the codebox below into it:

Code:
DirLook::
c:\users\Kate the Great\AppData\Local\atmxmld9

RegLockDel::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
Save this as "CFScript"

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


-------------------------

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the licence is accepted, reset to 100%.

-----------------

Please provide the following logs with your next post:

C:\ComboFix.txt
Kaspersky Report

Also include an update on how your system is running
__________________
Proud Member of ASAP
Proud Member of UNITE

If you feel we've helped you, Please Donate to the Forum
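Added example, not from this thread and not ComboFix's own logic: a small Python triage script that parses the autostart section of a ComboFix log (the quoted Run values, Startup folder .lnk lines and ORPHANS REMOVED lines shown above) and flags the entries a helper would single out, such as a value launching a DLL from AppData\Local. The sample log is constructed from entries quoted in this thread, and the risk heuristics (user-writable locations, DLL targets, random-looking names) are assumptions for the example.

```python
"""Triage helper for the autostart section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the 'Reg Loading Points' and 'ORPHANS REMOVED'
# lines of the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\users\Kate the Great\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

- - - - ORPHANS REMOVED - - - -

HKCU-Run-atmxmld9 - c:\users\Kate the Great\AppData\Local\atmxmld9\atmxmld9.dll
"""

# Line shapes ComboFix uses in the autostart section.
REG_KEY = re.compile(r'^\[(HKEY_[^\]]+)\]$')
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[[^\]]*\])?$')
STARTUP_LNK = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?)(?:\s+\[[^\]]*\])?$')
ORPHAN = re.compile(r'^(?P<name>HK(?:CU|LM)-\S+) - (?P<path>.+)$')


@dataclass
class AutostartEntry:
    source: str  # registry key, Startup folder path, or 'ORPHANS REMOVED'
    name: str
    path: str


@dataclass
class Finding:
    entry: AutostartEntry
    reasons: List[str] = field(default_factory=list)


def parse_autostarts(log_text: str) -> List[AutostartEntry]:
    """Collect autostart entries, remembering which section each came from."""
    entries: List[AutostartEntry] = []
    section = 'unknown'
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = REG_KEY.match(line)
        if key:
            section = key.group(1)
            continue
        if 'ORPHANS REMOVED' in line:
            section = 'ORPHANS REMOVED'
            continue
        if line.lower().endswith('startup\\'):
            section = line  # a Startup folder header
            continue
        for pattern in (REG_VALUE, STARTUP_LNK, ORPHAN):
            m = pattern.match(line)
            if m:
                entries.append(AutostartEntry(section, m.group('name'), m.group('path')))
                break
    return entries


# Heuristics (assumptions for this example, not ComboFix's own logic).
USER_WRITABLE = re.compile(r'\\(appdata\\local|temp|downloads)\\', re.I)
RANDOM_LOOKING = re.compile(r'^[a-z]*\d[a-z\d]*$')  # lower-case letters mixed with digits


def assess(entry: AutostartEntry) -> Optional[Finding]:
    """Return a Finding listing every heuristic the entry trips, or None."""
    path = entry.path.lower()
    base = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    reasons: List[str] = []
    if USER_WRITABLE.search(path):
        reasons.append('launches from a user-writable location')
    if path.endswith('.dll'):
        reasons.append('autostart target is a DLL rather than an executable')
    if 6 <= len(base) <= 12 and RANDOM_LOOKING.match(base):
        reasons.append('random-looking file name')
    if entry.source == 'ORPHANS REMOVED':
        reasons.append('target file was missing; ComboFix removed the entry')
    return Finding(entry, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Parse the log and keep only the entries worth a second look."""
    return [f for f in map(assess, parse_autostarts(log_text)) if f]


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(f'{finding.entry.name} -> {finding.entry.path}')
        for reason in finding.reasons:
            print(f'    - {reason}')
```

On the constructed sample only the atmxmld9 entry is reported; the Dropbox .lnk under AppData\Roaming and the Program Files entries pass every heuristic.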
Old 01-25-2010, 08:23 AM   #5
bizzare_czar
Registered User
Join Date: Jul 2009
Location: Kitchener, Ontario, Canada
Posts: 8
OS: Vista Bus. SP 2 & Ubuntu 9.10


Re: pages redirect to advertisements

Here are the results of the Kaspersky scan. I must note that the thing didn't give me an option to save as text, but saved it as HTML. This is a copy paste of that HTML:

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, January 25, 2010
Operating system: Microsoft Windows Vista Business Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, January 25, 2010 00:41:57
Records in database: 3367061
Scan settings
  scan using the following database: extended
  Scan archives: yes
  Scan e-mail databases: yes
  Scan area: My Computer
    C:\
    D:\
    E:\
    F:\
Scan statistics
  Objects scanned: 349551
  Threats found: 1
  Infected objects found: 4
  Suspicious objects found: 0
  Scan duration: 08:28:51

File name | Threat | Threats count
C:\Users\Kate the Great\Downloads\mirc635.exe | Infected: not-a-virus:Client-IRC.Win32.mIRC.g | 1
C:\Windows.old\Users\Kate the Great\Downloads\mirc635.exe | Infected: not-a-virus:Client-IRC.Win32.mIRC.g | 1
C:\Windows.old\Program Files\mIRC\mirc.exe | Infected: not-a-virus:Client-IRC.Win32.mIRC.g | 1
F:\Kate\Downloads\mirc635.exe | Infected: not-a-virus:Client-IRC.Win32.mIRC.g | 1
Selected area has been scanned.


_______________________________________________________________________

Here is the log from ComboFix with that code drag and dropped into it:

ComboFix 10-01-23.02 - Kate the Great 24/01/2010 17:36:10.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.2.1033.18.3002.1102 [GMT -5:00]
Running from: c:\users\Kate the Great\Desktop\ComboFix.exe
Command switches used :: c:\users\Kate the Great\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-24 22:43 . 2010-01-24 22:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-24 22:43 . 2010-01-24 22:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-20 17:49 . 2010-01-21 22:00 -------- d-----w- c:\users\Kate the Great\AppData\Local\Adobe
2010-01-20 17:40 . 2010-01-20 17:40 -------- d-----w- c:\program files\Lame for Audacity
2010-01-20 17:38 . 2010-01-20 17:38 -------- d-----w- c:\program files\Audacity
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\ca-ES
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\eu-ES
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\vi-VN
2010-01-19 00:43 . 2010-01-19 00:43 -------- d-----w- c:\windows\system32\EventProviders
2010-01-19 00:39 . 2009-04-11 05:03 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2010-01-19 00:36 . 2009-04-11 06:28 1671680 ----a-w- c:\windows\system32\wlanpref.dll
2010-01-19 00:35 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2010-01-19 00:35 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2010-01-19 00:35 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-01-17 21:44 . 2010-01-17 21:44 -------- d-----w- c:\program files\CCleaner
2010-01-17 21:38 . 2010-01-19 09:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-17 21:38 . 2010-01-17 22:42 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-17 21:34 . 2005-08-26 00:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-01-17 21:34 . 2010-01-17 21:36 -------- d-----w- c:\program files\SpywareBlaster
2010-01-13 13:13 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 13:13 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 00:32 . 2008-12-26 17:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2010-01-11 23:40 . 2010-01-23 23:12 -------- d-----w- c:\users\Kate the Great\AppData\Local\atmxmld9
2010-01-11 20:31 . 2010-01-11 23:41 -------- d-----w- c:\programdata\Screaming Bee
2010-01-11 02:21 . 2010-01-11 02:26 -------- d-----w- C:\vcs5BGEffects
2010-01-11 02:21 . 2010-01-12 00:36 -------- d-----w- C:\AV_LOGS
2010-01-11 02:21 . 2010-01-11 02:28 -------- d-----w- C:\vcs5core
2010-01-11 02:20 . 2010-01-11 02:38 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2010-01-06 17:25 . 2010-01-11 16:27 -------- d-----w- c:\users\Kate the Great\AppData\Local\CutePDF Writer
2010-01-06 17:24 . 2010-01-06 17:24 -------- d-----w- c:\program files\gs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 22:46 . 2009-12-01 00:28 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\uTorrent
2010-01-24 22:44 . 2009-12-22 03:47 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Skype
2010-01-24 22:42 . 2009-12-01 00:15 -------- d-----w- c:\programdata\BOINC
2010-01-24 21:27 . 2010-01-24 21:27 97 ----a-w- c:\programdata\BOINC\slots\4\metropolis_3.12_windows_intelx86.exe
2010-01-24 21:16 . 2010-01-24 21:16 97 ----a-w- c:\programdata\BOINC\slots\3\metropolis_3.12_windows_intelx86.exe
2010-01-24 21:07 . 2009-12-22 03:48 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\skypePM
2010-01-24 18:10 . 2010-01-24 18:10 88 ----a-w- c:\programdata\BOINC\slots\0\libfftw3f-3-1-1a_upx.dll
2010-01-24 18:10 . 2010-01-24 18:10 100 ----a-w- c:\programdata\BOINC\slots\0\setiathome_6.03_windows_intelx86.exe
2010-01-23 23:37 . 2009-12-03 19:41 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Dropbox
2010-01-23 16:57 . 2010-01-23 16:57 111 ----a-w- c:\programdata\BOINC\slots\1\einstein_S5R6_3.01_windows_intelx86__S5R6sse2.exe
2010-01-23 09:38 . 2010-01-23 09:38 76 ----a-w- c:\programdata\BOINC\slots\2\msvcr71.dll
2010-01-23 09:38 . 2010-01-23 09:38 76 ----a-w- c:\programdata\BOINC\slots\2\msvcp71.dll
2010-01-23 09:06 . 2010-01-23 06:46 19724316 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP2_3.03_graphics_windows_intelx86.exe
2010-01-23 07:10 . 2010-01-23 06:46 17273203 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP2_3.06_windows_intelx86.exe
2010-01-21 00:17 . 2009-12-01 00:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 00:00 . 2009-12-01 03:00 -------- d-----w- c:\programdata\Messenger Plus!
2010-01-19 23:47 . 2009-12-01 00:58 -------- d-----w- c:\program files\Messenger Plus! Live
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-19 01:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-19 01:16 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-18 18:38 . 2009-12-07 01:12 1 ----a-w- c:\users\Kate the Great\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-14 16:12 . 2009-12-01 07:14 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 12:07 . 2010-01-12 12:06 11293390 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einstein_S5R6_3.01_windows_intelx86__S5R6sse2.exe
2010-01-08 22:01 . 2009-12-05 23:41 -------- d-----w- c:\programdata\NOS
2010-01-04 15:30 . 2009-12-09 01:10 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\vlc
2010-01-02 06:38 . 2010-01-21 20:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 20:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 20:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 06:52 . 2009-12-31 06:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-12-24 17:18 . 2009-12-24 17:18 -------- d-----w- c:\program files\SmartSoftVideoConverterPro
2009-12-24 17:06 . 2009-12-24 17:06 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Roxio
2009-12-22 03:49 . 2009-12-22 03:49 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-12-22 03:46 . 2009-12-22 03:45 -------- d-----r- c:\program files\Skype
2009-12-22 03:45 . 2009-12-22 03:45 -------- d-----w- c:\program files\Common Files\Skype
2009-12-22 03:45 . 2009-12-22 03:45 -------- d-----w- c:\programdata\Skype
2009-12-20 05:13 . 2009-12-20 05:12 624640 ----a-w- c:\windows\Twittearth.scr
2009-12-20 05:11 . 2009-12-20 05:11 29926 ----a-r- c:\users\Kate the Great\AppData\Roaming\Microsoft\Installer\{EB711BC7-0FDF-460C-A00C-DF8E5E996037}\_6FEFF9B68218417F98F549.exe
2009-12-20 05:11 . 2009-12-20 05:11 -------- d-----w- c:\program files\Primelabs
2009-12-20 05:08 . 2009-12-20 05:08 -------- d-----w- c:\program files\UselessCreations
2009-12-19 00:01 . 2009-12-18 19:32 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Winamp
2009-12-18 19:34 . 2009-12-01 00:31 -------- d-----w- c:\program files\Winamp
2009-12-18 19:32 . 2009-12-18 19:18 -------- d-----w- c:\program files\Winamp Detect
2009-12-17 14:34 . 2009-12-17 14:34 -------- d-----w- c:\programdata\WindowsSearch
2009-12-16 21:07 . 2009-12-16 21:06 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\acccore
2009-12-16 21:03 . 2009-12-16 21:03 -------- d-----w- c:\programdata\AIM
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\AIM
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\Common Files\AOL
2009-12-16 18:03 . 2009-12-16 18:03 -------- d-----w- c:\program files\YouTube Downloader
2009-12-16 17:59 . 2009-12-07 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-16 17:18 . 2009-12-16 17:17 -------- d-----w- c:\program files\Common Files\Real
2009-12-16 17:18 . 2009-12-16 17:18 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-16 17:17 . 2009-12-16 17:17 -------- d-----w- c:\program files\Real
2009-12-16 17:08 . 2009-12-16 17:08 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Zabersoft
2009-12-16 17:08 . 2009-12-16 16:59 -------- d-----w- c:\programdata\Zabersoft
2009-12-16 17:08 . 2009-12-16 16:59 -------- d-----w- c:\program files\PimpFish
2009-12-16 00:23 . 2009-12-16 00:23 294912 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\ap_graphics_5.05_windows_intelx86.exe
2009-12-16 00:23 . 2009-12-16 00:23 479232 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\astropulse_5.05_windows_intelx86.exe
2009-12-15 01:50 . 2009-12-08 00:52 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\HpUpdate
2009-12-13 22:20 . 2009-12-13 22:18 -------- d-----w- c:\programdata\WinZip
2009-12-12 03:01 . 2009-12-12 03:01 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Research In Motion
2009-12-11 15:44 . 2009-12-07 00:49 -------- d-----w- c:\program files\Java
2009-12-11 03:16 . 2009-12-11 03:16 -------- d-----w- c:\program files\MSXML 4.0
2009-12-11 03:01 . 2009-11-30 23:02 72568 ----a-w- c:\users\Kate the Great\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-10 19:25 . 2009-12-10 19:01 -------- d-----w- c:\program files\ViRC
2009-12-10 00:00 . 2009-11-30 23:42 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\InstallShield
2009-12-10 00:00 . 2009-12-10 00:00 -------- d-----w- c:\programdata\InstallShield
2009-12-09 23:59 . 2009-12-09 23:59 -------- d-----w- c:\programdata\Sonic
2009-12-09 23:58 . 2009-12-09 23:52 -------- d-----w- c:\programdata\Roxio
2009-12-09 23:54 . 2009-12-09 23:40 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-12-09 23:54 . 2009-12-01 00:19 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-12-09 23:53 . 2009-12-09 23:52 -------- d-----w- c:\program files\Roxio
2009-12-09 23:52 . 2009-12-09 23:52 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-09 23:52 . 2009-12-09 23:44 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-09 23:40 . 2009-12-02 20:38 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-12-09 23:40 . 2009-12-09 23:40 -------- d-----w- c:\programdata\Research In Motion
2009-12-09 09:00 . 2010-01-24 17:46 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100124.004\CCERASER.DLL
2009-12-08 00:55 . 2009-12-08 00:55 -------- d-----w- c:\program files\Hp
2009-12-07 15:43 . 2009-12-07 15:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-07 15:42 . 2009-12-07 15:42 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-12-07 01:12 . 2009-12-07 01:12 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\OpenOffice.org
2009-12-07 00:53 . 2009-12-07 00:53 -------- d-----w- c:\program files\JRE
2009-12-07 00:53 . 2009-12-07 00:52 -------- d-----w- c:\program files\OpenOffice.org 3
2009-12-05 04:23 . 2009-12-05 04:23 499712 ----a-w- c:\programdata\BOINC\projects\szdg.lpds.sztaki.hu_szdg\msvcp71.dll
2009-12-05 04:23 . 2009-12-05 04:23 348160 ----a-w- c:\programdata\BOINC\projects\szdg.lpds.sztaki.hu_szdg\msvcr71.dll
2009-12-04 19:38 . 2009-12-04 19:38 -------- d-----w- c:\program files\Tweet Play List
2009-12-03 23:58 . 2009-11-30 23:36 -------- d-----w- c:\program files\CONEXANT
2009-12-03 20:57 . 2009-12-03 20:57 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\DivX
2009-12-03 19:42 . 2009-12-03 19:42 89962 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\Uninstall.exe
2009-12-02 20:38 . 2009-12-02 20:38 -------- d-----w- c:\program files\Research In Motion
2009-12-02 20:05 . 2009-12-02 19:50 20190183 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP1_3.12_windows_intelx86.exe
2009-12-02 20:05 . 2009-12-02 19:50 19724316 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP1_3.12_graphics_windows_intelx86.exe
2009-12-02 01:09 . 2009-12-01 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-01 13:02 . 2009-12-01 13:02 -------- d-----w- c:\programdata\Symantec
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Kate the Great\AppData\Local\atmxmld9 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-11 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-11 145944]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-09-01 499768]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2009-11-06 4793088]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2009-11-06 58112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-16 198160]

c:\users\Kate the Great\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Caledos Wallpaper (startup).lnk - c:\windows\Installer\{04FEBC27-D0C2-408C-818F-232367CBF48E}\_B4DEF8A0EADF742B6C2287.exe [2009-11-30 82726]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a6,78,55,eb,a5,98,ca,01

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\N360\0305020.00B\SymEFA.sys [30/11/2009 8:01 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\N360\0305020.00B\BHDrvx86.sys [30/11/2009 8:01 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\N360\0305020.00B\cchpx86.sys [30/11/2009 8:01 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100119.001\IDSvix86.sys [19/01/2010 9:28 PM 343088]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [30/11/2009 8:01 PM 117640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [17/01/2010 4:38 PM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [03/12/2009 3:37 PM 102448]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [30/06/2008 5:52 AM 112128]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\N360\0305020.00B\symndisv.sys [30/11/2009 8:01 PM 48688]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\System32\drivers\vcsvad.sys [11/01/2010 7:32 PM 17792]
S2 gupdate1ca721c322e7448;Google Update Service (gupdate1ca721c322e7448);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2009 7:21 PM 133104]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\System32\drivers\ScreamingBAudio.sys [26/11/2009 12:06 AM 34384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 00:20]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 00:20]

2010-01-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-01-17 20:31]

2010-01-24 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2010-01-17 20:31]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\Kate the Great\AppData\Roaming\Mozilla\Firefox\Profiles\acsler5x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 17:43
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4720)
c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll
c:\windows\system32\authui.dll
c:\windows\System32\srchadmin.dll
c:\windows\system32\PortableDeviceTypes.dll
.
Completion time: 2010-01-24 17:50:50
ComboFix-quarantined-files.txt 2010-01-24 22:50
ComboFix2.txt 2010-01-23 23:25

Pre-Run: 64,842,366,976 bytes free
Post-Run: 64,799,395,840 bytes free

- - End Of File - - 17FBF2621D5297588E0DE0B4C5D0D033


Hopefully those are correct. My computer is running about the same, but I haven't used it or Google very much in the past few days, so it could be better for all I know.
Old 01-25-2010, 09:30 AM   #6
Clark76 (Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,918
OS: XP Pro, Windows 7, Ubuntu

Re: pages redirect to advertisements

Please delete your current copy of ComboFix and download a new copy from one of these locations:

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

---------------------

1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

2. Open Notepad and copy/paste the text in the code box below into it:

Code:
Folder::
c:\users\Kate the Great\AppData\Local\atmxmld9
Save this as "CFScript"

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


-----------------------

Is Norton working properly for you? Please also check to see if you are getting redirected.
Old 01-25-2010, 05:48 PM   #7
bizzare_czar (Registered User)
Join Date: Jul 2009
Location: Kitchener, Ontario, Canada
Posts: 8
OS: Vista Bus. SP 2 & Ubuntu 9.10

Re: pages redirect to advertisements

Here is the resulting log from the CFScript in ComboFix:

ComboFix 10-01-23.02 - Kate the Great 24/01/2010 17:36:10.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.2.1033.18.3002.1102 [GMT -5:00]
Running from: c:\users\Kate the Great\Desktop\ComboFix.exe
Command switches used :: c:\users\Kate the Great\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-24 22:43 . 2010-01-24 22:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-24 22:43 . 2010-01-24 22:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-20 17:49 . 2010-01-21 22:00 -------- d-----w- c:\users\Kate the Great\AppData\Local\Adobe
2010-01-20 17:40 . 2010-01-20 17:40 -------- d-----w- c:\program files\Lame for Audacity
2010-01-20 17:38 . 2010-01-20 17:38 -------- d-----w- c:\program files\Audacity
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\ca-ES
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\eu-ES
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\vi-VN
2010-01-19 00:43 . 2010-01-19 00:43 -------- d-----w- c:\windows\system32\EventProviders
2010-01-19 00:39 . 2009-04-11 05:03 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2010-01-19 00:36 . 2009-04-11 06:28 1671680 ----a-w- c:\windows\system32\wlanpref.dll
2010-01-19 00:35 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2010-01-19 00:35 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2010-01-19 00:35 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-01-17 21:44 . 2010-01-17 21:44 -------- d-----w- c:\program files\CCleaner
2010-01-17 21:38 . 2010-01-19 09:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-17 21:38 . 2010-01-17 22:42 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-17 21:34 . 2005-08-26 00:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-01-17 21:34 . 2010-01-17 21:36 -------- d-----w- c:\program files\SpywareBlaster
2010-01-13 13:13 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 13:13 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 00:32 . 2008-12-26 17:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2010-01-11 23:40 . 2010-01-23 23:12 -------- d-----w- c:\users\Kate the Great\AppData\Local\atmxmld9
2010-01-11 20:31 . 2010-01-11 23:41 -------- d-----w- c:\programdata\Screaming Bee
2010-01-11 02:21 . 2010-01-11 02:26 -------- d-----w- C:\vcs5BGEffects
2010-01-11 02:21 . 2010-01-12 00:36 -------- d-----w- C:\AV_LOGS
2010-01-11 02:21 . 2010-01-11 02:28 -------- d-----w- C:\vcs5core
2010-01-11 02:20 . 2010-01-11 02:38 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2010-01-06 17:25 . 2010-01-11 16:27 -------- d-----w- c:\users\Kate the Great\AppData\Local\CutePDF Writer
2010-01-06 17:24 . 2010-01-06 17:24 -------- d-----w- c:\program files\gs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 22:46 . 2009-12-01 00:28 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\uTorrent
2010-01-24 22:44 . 2009-12-22 03:47 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Skype
2010-01-24 22:42 . 2009-12-01 00:15 -------- d-----w- c:\programdata\BOINC
2010-01-24 21:27 . 2010-01-24 21:27 97 ----a-w- c:\programdata\BOINC\slots\4\metropolis_3.12_windows_intelx86.exe
2010-01-24 21:16 . 2010-01-24 21:16 97 ----a-w- c:\programdata\BOINC\slots\3\metropolis_3.12_windows_intelx86.exe
2010-01-24 21:07 . 2009-12-22 03:48 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\skypePM
2010-01-24 18:10 . 2010-01-24 18:10 88 ----a-w- c:\programdata\BOINC\slots\0\libfftw3f-3-1-1a_upx.dll
2010-01-24 18:10 . 2010-01-24 18:10 100 ----a-w- c:\programdata\BOINC\slots\0\setiathome_6.03_windows_intelx86.exe
2010-01-23 23:37 . 2009-12-03 19:41 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Dropbox
2010-01-23 16:57 . 2010-01-23 16:57 111 ----a-w- c:\programdata\BOINC\slots\1\einstein_S5R6_3.01_windows_intelx86__S5R6sse2.exe
2010-01-23 09:38 . 2010-01-23 09:38 76 ----a-w- c:\programdata\BOINC\slots\2\msvcr71.dll
2010-01-23 09:38 . 2010-01-23 09:38 76 ----a-w- c:\programdata\BOINC\slots\2\msvcp71.dll
2010-01-23 09:06 . 2010-01-23 06:46 19724316 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP2_3.03_graphics_windows_intelx86.exe
2010-01-23 07:10 . 2010-01-23 06:46 17273203 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP2_3.06_windows_intelx86.exe
2010-01-21 00:17 . 2009-12-01 00:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 00:00 . 2009-12-01 03:00 -------- d-----w- c:\programdata\Messenger Plus!
2010-01-19 23:47 . 2009-12-01 00:58 -------- d-----w- c:\program files\Messenger Plus! Live
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-19 01:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-19 01:16 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-18 18:38 . 2009-12-07 01:12 1 ----a-w- c:\users\Kate the Great\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-14 16:12 . 2009-12-01 07:14 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 12:07 . 2010-01-12 12:06 11293390 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einstein_S5R6_3.01_windows_intelx86__S5R6sse2.exe
2010-01-08 22:01 . 2009-12-05 23:41 -------- d-----w- c:\programdata\NOS
2010-01-04 15:30 . 2009-12-09 01:10 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\vlc
2010-01-02 06:38 . 2010-01-21 20:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 20:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 20:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 06:52 . 2009-12-31 06:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-12-24 17:18 . 2009-12-24 17:18 -------- d-----w- c:\program files\SmartSoftVideoConverterPro
2009-12-24 17:06 . 2009-12-24 17:06 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Roxio
2009-12-22 03:49 . 2009-12-22 03:49 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-12-22 03:46 . 2009-12-22 03:45 -------- d-----r- c:\program files\Skype
2009-12-22 03:45 . 2009-12-22 03:45 -------- d-----w- c:\program files\Common Files\Skype
2009-12-22 03:45 . 2009-12-22 03:45 -------- d-----w- c:\programdata\Skype
2009-12-20 05:13 . 2009-12-20 05:12 624640 ----a-w- c:\windows\Twittearth.scr
2009-12-20 05:11 . 2009-12-20 05:11 29926 ----a-r- c:\users\Kate the Great\AppData\Roaming\Microsoft\Installer\{EB711BC7-0FDF-460C-A00C-DF8E5E996037}\_6FEFF9B68218417F98F549.exe
2009-12-20 05:11 . 2009-12-20 05:11 -------- d-----w- c:\program files\Primelabs
2009-12-20 05:08 . 2009-12-20 05:08 -------- d-----w- c:\program files\UselessCreations
2009-12-19 00:01 . 2009-12-18 19:32 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Winamp
2009-12-18 19:34 . 2009-12-01 00:31 -------- d-----w- c:\program files\Winamp
2009-12-18 19:32 . 2009-12-18 19:18 -------- d-----w- c:\program files\Winamp Detect
2009-12-17 14:34 . 2009-12-17 14:34 -------- d-----w- c:\programdata\WindowsSearch
2009-12-16 21:07 . 2009-12-16 21:06 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\acccore
2009-12-16 21:03 . 2009-12-16 21:03 -------- d-----w- c:\programdata\AIM
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\AIM
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\Common Files\AOL
2009-12-16 18:03 . 2009-12-16 18:03 -------- d-----w- c:\program files\YouTube Downloader
2009-12-16 17:59 . 2009-12-07 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-16 17:18 . 2009-12-16 17:17 -------- d-----w- c:\program files\Common Files\Real
2009-12-16 17:18 . 2009-12-16 17:18 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-16 17:17 . 2009-12-16 17:17 -------- d-----w- c:\program files\Real
2009-12-16 17:08 . 2009-12-16 17:08 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Zabersoft
2009-12-16 17:08 . 2009-12-16 16:59 -------- d-----w- c:\programdata\Zabersoft
2009-12-16 17:08 . 2009-12-16 16:59 -------- d-----w- c:\program files\PimpFish
2009-12-16 00:23 . 2009-12-16 00:23 294912 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\ap_graphics_5.05_windows_intelx86.exe
2009-12-16 00:23 . 2009-12-16 00:23 479232 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\astropulse_5.05_windows_intelx86.exe
2009-12-15 01:50 . 2009-12-08 00:52 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\HpUpdate
2009-12-13 22:20 . 2009-12-13 22:18 -------- d-----w- c:\programdata\WinZip
2009-12-12 03:01 . 2009-12-12 03:01 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Research In Motion
2009-12-11 15:44 . 2009-12-07 00:49 -------- d-----w- c:\program files\Java
2009-12-11 03:16 . 2009-12-11 03:16 -------- d-----w- c:\program files\MSXML 4.0
2009-12-11 03:01 . 2009-11-30 23:02 72568 ----a-w- c:\users\Kate the Great\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-10 19:25 . 2009-12-10 19:01 -------- d-----w- c:\program files\ViRC
2009-12-10 00:00 . 2009-11-30 23:42 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\InstallShield
2009-12-10 00:00 . 2009-12-10 00:00 -------- d-----w- c:\programdata\InstallShield
2009-12-09 23:59 . 2009-12-09 23:59 -------- d-----w- c:\programdata\Sonic
2009-12-09 23:58 . 2009-12-09 23:52 -------- d-----w- c:\programdata\Roxio
2009-12-09 23:54 . 2009-12-09 23:40 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-12-09 23:54 . 2009-12-01 00:19 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-12-09 23:53 . 2009-12-09 23:52 -------- d-----w- c:\program files\Roxio
2009-12-09 23:52 . 2009-12-09 23:52 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-09 23:52 . 2009-12-09 23:44 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-09 23:40 . 2009-12-02 20:38 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-12-09 23:40 . 2009-12-09 23:40 -------- d-----w- c:\programdata\Research In Motion
2009-12-09 09:00 . 2010-01-24 17:46 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100124.004\CCERASER.DLL
2009-12-08 00:55 . 2009-12-08 00:55 -------- d-----w- c:\program files\Hp
2009-12-07 15:43 . 2009-12-07 15:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-07 15:42 . 2009-12-07 15:42 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-12-07 01:12 . 2009-12-07 01:12 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\OpenOffice.org
2009-12-07 00:53 . 2009-12-07 00:53 -------- d-----w- c:\program files\JRE
2009-12-07 00:53 . 2009-12-07 00:52 -------- d-----w- c:\program files\OpenOffice.org 3
2009-12-05 04:23 . 2009-12-05 04:23 499712 ----a-w- c:\programdata\BOINC\projects\szdg.lpds.sztaki.hu_szdg\msvcp71.dll
2009-12-05 04:23 . 2009-12-05 04:23 348160 ----a-w- c:\programdata\BOINC\projects\szdg.lpds.sztaki.hu_szdg\msvcr71.dll
2009-12-04 19:38 . 2009-12-04 19:38 -------- d-----w- c:\program files\Tweet Play List
2009-12-03 23:58 . 2009-11-30 23:36 -------- d-----w- c:\program files\CONEXANT
2009-12-03 20:57 . 2009-12-03 20:57 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\DivX
2009-12-03 19:42 . 2009-12-03 19:42 89962 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\Uninstall.exe
2009-12-02 20:38 . 2009-12-02 20:38 -------- d-----w- c:\program files\Research In Motion
2009-12-02 20:05 . 2009-12-02 19:50 20190183 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP1_3.12_windows_intelx86.exe
2009-12-02 20:05 . 2009-12-02 19:50 19724316 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP1_3.12_graphics_windows_intelx86.exe
2009-12-02 01:09 . 2009-12-01 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-01 13:02 . 2009-12-01 13:02 -------- d-----w- c:\programdata\Symantec
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Kate the Great\AppData\Local\atmxmld9 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-11 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-11 145944]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-09-01 499768]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2009-11-06 4793088]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2009-11-06 58112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-16 198160]

c:\users\Kate the Great\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Caledos Wallpaper (startup).lnk - c:\windows\Installer\{04FEBC27-D0C2-408C-818F-232367CBF48E}\_B4DEF8A0EADF742B6C2287.exe [2009-11-30 82726]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a6,78,55,eb,a5,98,ca,01

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\N360\0305020.00B\SymEFA.sys [30/11/2009 8:01 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\N360\0305020.00B\BHDrvx86.sys [30/11/2009 8:01 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\N360\0305020.00B\cchpx86.sys [30/11/2009 8:01 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100119.001\IDSvix86.sys [19/01/2010 9:28 PM 343088]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [30/11/2009 8:01 PM 117640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [17/01/2010 4:38 PM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [03/12/2009 3:37 PM 102448]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [30/06/2008 5:52 AM 112128]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\N360\0305020.00B\symndisv.sys [30/11/2009 8:01 PM 48688]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\System32\drivers\vcsvad.sys [11/01/2010 7:32 PM 17792]
S2 gupdate1ca721c322e7448;Google Update Service (gupdate1ca721c322e7448);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2009 7:21 PM 133104]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\System32\drivers\ScreamingBAudio.sys [26/11/2009 12:06 AM 34384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 00:20]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 00:20]

2010-01-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-01-17 20:31]

2010-01-24 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2010-01-17 20:31]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\Kate the Great\AppData\Roaming\Mozilla\Firefox\Profiles\acsler5x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 17:43
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4720)
c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll
c:\windows\system32\authui.dll
c:\windows\System32\srchadmin.dll
c:\windows\system32\PortableDeviceTypes.dll
.
Completion time: 2010-01-24 17:50:50
ComboFix-quarantined-files.txt 2010-01-24 22:50
ComboFix2.txt 2010-01-23 23:25

Pre-Run: 64,842,366,976 bytes free
Post-Run: 64,799,395,840 bytes free

- - End Of File - - 17FBF2621D5297588E0DE0B4C5D0D033
Old 01-25-2010, 07:30 PM   #8
Clark76 (Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,918
OS: XP Pro, Windows 7, Ubuntu

Re: pages redirect to advertisements

You posted the same log as your last post. Please follow my last set of instructions.
Old 01-26-2010, 09:55 AM   #9
bizzare_czar (Registered User)
Join Date: Jul 2009
Location: Kitchener, Ontario, Canada
Posts: 8
OS: Vista Bus. SP 2 & Ubuntu 9.10

Re: pages redirect to advertisements

When ComboFix finishes, just before it closes, it says "log will be at C:/ComboFix.txt" (which I didn't see before), but when it is done, it opens up a file log.txt from the desktop. So I will post ComboFix.txt:

ComboFix 10-01-26.01 - Kate the Great 26/01/2010 12:26:10.4.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.2.1033.18.3002.1611 [GMT -5:00]
Running from: c:\users\Kate the Great\Desktop\ComboFix.exe
Command switches used :: c:\users\Kate the Great\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-26 17:33 . 2010-01-26 17:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-26 17:33 . 2010-01-26 17:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-25 00:55 . 2010-01-25 00:55 -------- d-----w- c:\windows\Sun
2010-01-20 17:49 . 2010-01-25 16:10 -------- d-----w- c:\users\Kate the Great\AppData\Local\Adobe
2010-01-20 17:40 . 2010-01-20 17:40 -------- d-----w- c:\program files\Lame for Audacity
2010-01-20 17:38 . 2010-01-20 17:38 -------- d-----w- c:\program files\Audacity
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\ca-ES
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\eu-ES
2010-01-19 01:16 . 2010-01-19 01:17 -------- d-----w- c:\windows\system32\vi-VN
2010-01-19 00:43 . 2010-01-19 00:43 -------- d-----w- c:\windows\system32\EventProviders
2010-01-19 00:39 . 2009-04-11 05:03 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2010-01-19 00:36 . 2009-04-11 06:28 1671680 ----a-w- c:\windows\system32\wlanpref.dll
2010-01-19 00:35 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2010-01-19 00:35 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2010-01-19 00:35 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-01-17 21:44 . 2010-01-17 21:44 -------- d-----w- c:\program files\CCleaner
2010-01-17 21:38 . 2010-01-19 09:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-17 21:38 . 2010-01-17 22:42 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-17 21:34 . 2005-08-26 00:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-01-17 21:34 . 2010-01-17 21:36 -------- d-----w- c:\program files\SpywareBlaster
2010-01-13 13:13 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 13:13 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 00:32 . 2008-12-26 17:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2010-01-11 20:31 . 2010-01-11 23:41 -------- d-----w- c:\programdata\Screaming Bee
2010-01-11 02:21 . 2010-01-11 02:26 -------- d-----w- C:\vcs5BGEffects
2010-01-11 02:21 . 2010-01-12 00:36 -------- d-----w- C:\AV_LOGS
2010-01-11 02:21 . 2010-01-11 02:28 -------- d-----w- C:\vcs5core
2010-01-11 02:20 . 2010-01-11 02:38 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2010-01-06 17:25 . 2010-01-11 16:27 -------- d-----w- c:\users\Kate the Great\AppData\Local\CutePDF Writer
2010-01-06 17:24 . 2010-01-06 17:24 -------- d-----w- c:\program files\gs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 17:32 . 2009-12-01 00:15 -------- d-----w- c:\programdata\BOINC
2010-01-26 14:10 . 2010-01-26 14:10 97 ----a-w- c:\programdata\BOINC\slots\3\metropolis_3.12_windows_intelx86.exe
2010-01-26 05:59 . 2010-01-26 05:59 76 ----a-w- c:\programdata\BOINC\slots\2\msvcr71.dll
2010-01-26 05:59 . 2010-01-26 05:59 76 ----a-w- c:\programdata\BOINC\slots\2\msvcp71.dll
2010-01-26 01:43 . 2009-12-22 03:47 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Skype
2010-01-26 01:42 . 2009-12-22 03:48 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\skypePM
2010-01-26 01:42 . 2009-12-03 19:41 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Dropbox
2010-01-25 19:05 . 2009-12-01 00:28 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\uTorrent
2010-01-25 19:01 . 2009-12-09 01:10 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\vlc
2010-01-25 17:05 . 2009-12-07 15:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-24 18:10 . 2010-01-24 18:10 88 ----a-w- c:\programdata\BOINC\slots\0\libfftw3f-3-1-1a_upx.dll
2010-01-24 18:10 . 2010-01-24 18:10 100 ----a-w- c:\programdata\BOINC\slots\0\setiathome_6.03_windows_intelx86.exe
2010-01-23 16:57 . 2010-01-23 16:57 111 ----a-w- c:\programdata\BOINC\slots\1\einstein_S5R6_3.01_windows_intelx86__S5R6sse2.exe
2010-01-23 09:06 . 2010-01-23 06:46 19724316 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP2_3.03_graphics_windows_intelx86.exe
2010-01-23 07:10 . 2010-01-23 06:46 17273203 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP2_3.06_windows_intelx86.exe
2010-01-21 00:17 . 2009-12-01 00:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 00:00 . 2009-12-01 03:00 -------- d-----w- c:\programdata\Messenger Plus!
2010-01-19 23:47 . 2009-12-01 00:58 -------- d-----w- c:\program files\Messenger Plus! Live
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-19 01:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-19 01:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-19 01:16 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-18 18:38 . 2009-12-07 01:12 1 ----a-w- c:\users\Kate the Great\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-14 16:12 . 2009-12-01 07:14 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 12:07 . 2010-01-12 12:06 11293390 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einstein_S5R6_3.01_windows_intelx86__S5R6sse2.exe
2010-01-08 22:01 . 2009-12-05 23:41 -------- d-----w- c:\programdata\NOS
2010-01-02 06:38 . 2010-01-21 20:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 20:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 20:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 06:52 . 2009-12-31 06:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-12-24 17:18 . 2009-12-24 17:18 -------- d-----w- c:\program files\SmartSoftVideoConverterPro
2009-12-24 17:06 . 2009-12-24 17:06 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Roxio
2009-12-22 03:49 . 2009-12-22 03:49 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-12-22 03:46 . 2009-12-22 03:45 -------- d-----r- c:\program files\Skype
2009-12-22 03:45 . 2009-12-22 03:45 -------- d-----w- c:\program files\Common Files\Skype
2009-12-22 03:45 . 2009-12-22 03:45 -------- d-----w- c:\programdata\Skype
2009-12-20 05:13 . 2009-12-20 05:12 624640 ----a-w- c:\windows\Twittearth.scr
2009-12-20 05:11 . 2009-12-20 05:11 29926 ----a-r- c:\users\Kate the Great\AppData\Roaming\Microsoft\Installer\{EB711BC7-0FDF-460C-A00C-DF8E5E996037}\_6FEFF9B68218417F98F549.exe
2009-12-20 05:11 . 2009-12-20 05:11 -------- d-----w- c:\program files\Primelabs
2009-12-20 05:08 . 2009-12-20 05:08 -------- d-----w- c:\program files\UselessCreations
2009-12-19 00:01 . 2009-12-18 19:32 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Winamp
2009-12-18 19:34 . 2009-12-01 00:31 -------- d-----w- c:\program files\Winamp
2009-12-18 19:32 . 2009-12-18 19:18 -------- d-----w- c:\program files\Winamp Detect
2009-12-17 14:34 . 2009-12-17 14:34 -------- d-----w- c:\programdata\WindowsSearch
2009-12-16 21:07 . 2009-12-16 21:06 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\acccore
2009-12-16 21:03 . 2009-12-16 21:03 -------- d-----w- c:\programdata\AIM
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\AIM
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-12-16 21:02 . 2009-12-16 21:02 -------- d-----w- c:\program files\Common Files\AOL
2009-12-16 18:03 . 2009-12-16 18:03 -------- d-----w- c:\program files\YouTube Downloader
2009-12-16 17:18 . 2009-12-16 17:17 -------- d-----w- c:\program files\Common Files\Real
2009-12-16 17:18 . 2009-12-16 17:18 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-16 17:17 . 2009-12-16 17:17 -------- d-----w- c:\program files\Real
2009-12-16 17:08 . 2009-12-16 17:08 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Zabersoft
2009-12-16 17:08 . 2009-12-16 16:59 -------- d-----w- c:\programdata\Zabersoft
2009-12-16 17:08 . 2009-12-16 16:59 -------- d-----w- c:\program files\PimpFish
2009-12-16 00:23 . 2009-12-16 00:23 294912 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\ap_graphics_5.05_windows_intelx86.exe
2009-12-16 00:23 . 2009-12-16 00:23 479232 ----a-w- c:\programdata\BOINC\projects\setiathome.berkeley.edu\astropulse_5.05_windows_intelx86.exe
2009-12-15 01:50 . 2009-12-08 00:52 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\HpUpdate
2009-12-13 22:20 . 2009-12-13 22:18 -------- d-----w- c:\programdata\WinZip
2009-12-12 03:01 . 2009-12-12 03:01 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\Research In Motion
2009-12-11 15:44 . 2009-12-07 00:49 -------- d-----w- c:\program files\Java
2009-12-11 03:16 . 2009-12-11 03:16 -------- d-----w- c:\program files\MSXML 4.0
2009-12-11 03:01 . 2009-11-30 23:02 72568 ----a-w- c:\users\Kate the Great\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-10 19:25 . 2009-12-10 19:01 -------- d-----w- c:\program files\ViRC
2009-12-10 00:00 . 2009-11-30 23:42 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\InstallShield
2009-12-10 00:00 . 2009-12-10 00:00 -------- d-----w- c:\programdata\InstallShield
2009-12-09 23:59 . 2009-12-09 23:59 -------- d-----w- c:\programdata\Sonic
2009-12-09 23:58 . 2009-12-09 23:52 -------- d-----w- c:\programdata\Roxio
2009-12-09 23:54 . 2009-12-09 23:40 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-12-09 23:54 . 2009-12-01 00:19 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-12-09 23:53 . 2009-12-09 23:52 -------- d-----w- c:\program files\Roxio
2009-12-09 23:52 . 2009-12-09 23:52 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-09 23:52 . 2009-12-09 23:44 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-09 23:40 . 2009-12-02 20:38 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-12-09 23:40 . 2009-12-09 23:40 -------- d-----w- c:\programdata\Research In Motion
2009-12-09 09:00 . 2010-01-26 10:25 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100125.051\CCERASER.DLL
2009-12-08 00:55 . 2009-12-08 00:55 -------- d-----w- c:\program files\Hp
2009-12-07 15:43 . 2009-12-07 15:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-07 15:42 . 2009-12-07 15:42 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-12-07 01:12 . 2009-12-07 01:12 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\OpenOffice.org
2009-12-07 00:53 . 2009-12-07 00:53 -------- d-----w- c:\program files\JRE
2009-12-07 00:53 . 2009-12-07 00:52 -------- d-----w- c:\program files\OpenOffice.org 3
2009-12-05 04:23 . 2009-12-05 04:23 499712 ----a-w- c:\programdata\BOINC\projects\szdg.lpds.sztaki.hu_szdg\msvcp71.dll
2009-12-05 04:23 . 2009-12-05 04:23 348160 ----a-w- c:\programdata\BOINC\projects\szdg.lpds.sztaki.hu_szdg\msvcr71.dll
2009-12-04 19:38 . 2009-12-04 19:38 -------- d-----w- c:\program files\Tweet Play List
2009-12-03 23:58 . 2009-11-30 23:36 -------- d-----w- c:\program files\CONEXANT
2009-12-03 20:57 . 2009-12-03 20:57 -------- d-----w- c:\users\Kate the Great\AppData\Roaming\DivX
2009-12-03 19:42 . 2009-12-03 19:42 89962 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\Uninstall.exe
2009-12-02 20:38 . 2009-12-02 20:38 -------- d-----w- c:\program files\Research In Motion
2009-12-02 20:05 . 2009-12-02 19:50 20190183 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP1_3.12_windows_intelx86.exe
2009-12-02 20:05 . 2009-12-02 19:50 19724316 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP1_3.12_graphics_windows_intelx86.exe
2009-12-02 01:09 . 2009-12-01 01:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-01 13:02 . 2009-12-01 13:02 -------- d-----w- c:\programdata\Symantec
2009-12-01 03:28 . 2009-12-01 00:15 -------- d-----w- c:\program files\BOINC
.

((((((((((((((((((((((((((((( SnapShot@2010-01-24_22.43.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-01-26 01:44 37784 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-01-26 01:44 74182 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-30 22:59 . 2010-01-25 15:54 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-30 22:59 . 2010-01-24 03:22 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-30 22:59 . 2010-01-25 15:54 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-30 22:59 . 2010-01-24 03:22 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-30 22:59 . 2010-01-25 15:54 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-30 22:59 . 2010-01-24 03:22 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-06 03:24 . 2010-01-23 23:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-06 03:24 . 2010-01-26 02:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-06 03:24 . 2010-01-26 02:01 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-06 03:24 . 2010-01-23 23:36 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-06 03:24 . 2010-01-23 23:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-06 03:24 . 2010-01-26 02:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-06 03:24 . 2010-01-23 23:29 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-06 03:24 . 2010-01-26 01:41 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-06 03:24 . 2010-01-23 23:29 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-06 03:24 . 2010-01-26 01:41 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-06 03:24 . 2010-01-26 01:41 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-06 03:24 . 2010-01-23 23:29 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-30 23:03 . 2010-01-26 01:44 5372 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3134423536-883019792-496773664-1000_UserData.bin
- 2010-01-23 23:29 . 2010-01-23 23:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-26 01:41 . 2010-01-26 01:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-01-23 23:29 . 2010-01-23 23:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-26 01:41 . 2010-01-26 01:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2010-01-26 02:05 600378 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-01-23 23:37 600378 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-01-23 23:37 105852 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-01-26 02:05 105852 c:\windows\System32\perfc009.dat
+ 2009-12-11 03:42 . 2010-01-25 15:54 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-12-11 03:42 . 2010-01-22 22:43 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2010-01-25 17:05 . 2010-01-25 17:05 3940352 c:\windows\Installer\409b0a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-11 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-11 145944]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-09-01 499768]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2009-11-06 4793088]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2009-11-06 58112]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-16 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\users\Kate the Great\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Caledos Wallpaper (startup).lnk - c:\windows\Installer\{04FEBC27-D0C2-408C-818F-232367CBF48E}\_B4DEF8A0EADF742B6C2287.exe [2009-11-30 82726]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a6,78,55,eb,a5,98,ca,01

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\N360\0305020.00B\SymEFA.sys [30/11/2009 8:01 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\N360\0305020.00B\BHDrvx86.sys [30/11/2009 8:01 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\N360\0305020.00B\cchpx86.sys [30/11/2009 8:01 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100119.001\IDSvix86.sys [19/01/2010 9:28 PM 343088]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [30/11/2009 8:01 PM 117640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [17/01/2010 4:38 PM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [03/12/2009 3:37 PM 102448]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [30/06/2008 5:52 AM 112128]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\N360\0305020.00B\symndisv.sys [30/11/2009 8:01 PM 48688]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\System32\drivers\vcsvad.sys [11/01/2010 7:32 PM 17792]
S2 gupdate1ca721c322e7448;Google Update Service (gupdate1ca721c322e7448);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2009 7:21 PM 133104]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\System32\drivers\ScreamingBAudio.sys [26/11/2009 12:06 AM 34384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 00:20]

2010-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 00:20]

2010-01-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-01-17 20:31]

2010-01-26 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2010-01-17 20:31]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\Kate the Great\AppData\Roaming\Mozilla\Firefox\Profiles\acsler5x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 12:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4224)
c:\users\Kate the Great\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll
c:\windows\System32\NLSData0009.dll
.
Completion time: 2010-01-26 12:40:38
ComboFix-quarantined-files.txt 2010-01-26 17:40
ComboFix2.txt 2010-01-25 19:22
ComboFix3.txt 2010-01-24 22:50
ComboFix4.txt 2010-01-23 23:25

Pre-Run: 64,514,134,016 bytes free
Post-Run: 64,460,034,048 bytes free

- - End Of File - - BF489F62F2A044EEF5B977986E230332


Hopefully it's the correct one this time. I made sure to follow the instructions carefully.

Last edited by Clark76; 01-26-2010 at 04:18 PM. Reason: removed the italic tags
Old 01-26-2010, 04:22 PM   #10 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,918
OS: XP Pro, Windows 7, Ubuntu


Re: pages redirect to advertisements

Is Norton working properly for you? Please also check to see if you are getting redirected.

How is the system running in general?
Old 01-26-2010, 05:27 PM   #11 (permalink)
Registered User
Join Date: Jul 2009
Location: Kitchener, Ontario, Canada
Posts: 8
OS: Vista Bus. SP 2 & Ubuntu 9.10


Re: pages redirect to advertisements

Norton seems to be working fine. It's performing all of its background tasks, although I haven't really consciously paid attention to its function.

The computer is running okay except for the perpetual slowness of the internet (which is likely a separate issue from the redirection).

I haven't been redirected yet today, so maybe the problem is gone.
Old 01-27-2010, 06:34 AM   #12 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,918
OS: XP Pro, Windows 7, Ubuntu


Re: pages redirect to advertisements

Your logs are clean!

As for the slow browser performance I would recommend visiting our forum related to the browser you are having issues with.

Go to -> Run -> copy/paste in the following single line command & click OK

ComboFix /Uninstall

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles

Please respond to this thread one more time so we can mark this thread as resolved.
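The HOSTS-file mechanism recommended in the post above (names mapped to 127.0.0.1 never leave the machine), as an added example that is not part of the original thread and not code from the MVPS project: it parses a constructed HOSTS file, answers lookups the way the resolver does (first matching entry wins, otherwise DNS), and also flags the opposite abuse, a HOSTS entry that points a legitimate domain at an outside address, which is one of the ways a browser-redirect infection is planted. The sample file, every domain name in it, and the PROTECTED_SUFFIXES list are assumptions made for this example; the newer 0.0.0.0 block address is accepted alongside 127.0.0.1.

```python
"""Added example (not from the original thread): how a blocking HOSTS file
works, and how to spot a HOSTS file that has itself been hijacked.

The sample file contents below are constructed for illustration; the
domain names and the 'hijacked' entry are made up, not taken from the
MVPS list or from the poster's machine.
"""
import ipaddress

# Constructed sample: MVPS-style block entries map ad hosts to loopback
# (the release discussed in the thread uses 127.0.0.1; newer releases use
# 0.0.0.0, which the parser also treats as a block address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

# Start of entries inserted by a blocking list (constructed sample)
127.0.0.1 ads.example-adserver.test
127.0.0.1 tracker.example-analytics.test   # inline comment
0.0.0.0   banners.example-cdn.test

# An entry a redirect trojan might add: a real site pointed at an attacker IP
203.0.113.10 www.google.com
"""

BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Hosts that should never be mapped to a non-loopback address in a
# workstation's HOSTS file. Illustrative list (an assumption), not exhaustive.
PROTECTED_SUFFIXES = ("google.com", "windowsupdate.com", "microsoft.com",
                      "symantec.com", "safer-networking.org")


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, one per hostname token.

    A HOSTS line is 'IP host [host ...]' with '#' starting a comment; the
    parser mirrors the resolver closely enough for triage purposes."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def resolve_via_hosts(entries, hostname):
    """Mimic the resolver: the first matching HOSTS entry wins, else None
    (meaning DNS would be consulted)."""
    hostname = hostname.lower()
    for ip, host in entries:
        if host == hostname:
            return ip
    return None


def is_blocked(entries, hostname):
    """True when HOSTS sends the name to a block address (the MVPS effect)."""
    return resolve_via_hosts(entries, hostname) in BLOCK_ADDRESSES


def find_hijacks(entries):
    """Entries that point a protected domain (or a subdomain of one) at a
    non-block address: the classic HOSTS-file redirect technique."""
    hijacks = []
    for ip, host in entries:
        if ip in BLOCK_ADDRESSES or host == "localhost":
            continue
        if any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES):
            hijacks.append((ip, host))
    return hijacks


if __name__ == "__main__":
    ents = parse_hosts(SAMPLE_HOSTS)
    print("ad host blocked:", is_blocked(ents, "ads.example-adserver.test"))
    print("hijacked entries:", find_hijacks(ents))
```

To run it against a real machine, read C:\Windows\System32\drivers\etc\hosts into parse_hosts. A file with thousands of block entries and an empty find_hijacks result is what a correctly installed MVPS list looks like; any hijack hit, or a resolve_via_hosts answer for a search engine or update site that is not a block address, is worth investigating before blaming the browser.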
Old 02-03-2010, 05:26 PM   #13 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,918
OS: XP Pro, Windows 7, Ubuntu


Re: pages redirect to advertisements

Since this issue appears resolved, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html
Copyright 2001 - 2010, Tech Support Forum