Help with pop-up/redirect problems, please
-
I looked through some old threads and it looks like someone had the same problem. I tried to follow along, but it didn't work out. I tried to run Fixwareout, but it didn't work out either. So I ran HijackThis and the following is the log I got. (I want to get rid of the 3 O17s.)
--------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:52 AM, on 11/3/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\svchost.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\regedit.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\taskeng.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{011C9181-D808-4DE3-8C7D-42924697A1A8}: NameServer = 85.255.112.237;85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{0978B3E4-4746-4FEB-BE37-04B5D79DE624}: NameServer = 85.255.112.237;85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\..\{011C9181-D808-4DE3-8C7D-42924697A1A8}: NameServer = 85.255.112.237;85.255.112.123
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdsst.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8533 bytes
--------------------------------------------------------------------------
Thank you very much
-
Run HijackThis, click on the "Scan system only" button and put checks next to these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O17 - HKLM\System\CCS\Services\Tcpip\..\{011C9181-D808-4DE3-8C7D-42924697A1A8}: NameServer = 85.255.112.237;85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{0978B3E4-4746-4FEB-BE37-04B5D79DE624}: NameServer = 85.255.112.237;85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\..\{011C9181-D808-4DE3-8C7D-42924697A1A8}: NameServer = 85.255.112.237;85.255.112.123
Please close ALL browser windows (including this one).
With everything closed except HijackThis, click on "Fix checked".
Reboot your PC.
You must follow the instructions exactly as given for this to work properly.
Visit the page below to familiarize yourself with the tool, and download it from one of the links provided.
A guide and tutorial on using ComboFix
If you have previously downloaded ComboFix, please delete that version now.
It is IMPORTANT that it is saved directly to your desktop.
Close any open browsers.
Disconnect from the Internet.
Please do not re-connect your machine back to the Internet until Combofix has completely finished.
Disable your antivirus program and any realtime malware scanners and script blockers now.
How To Disable
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Re-enable your anti-virus, re-connect to the internet and post the ComboFix log.
*Note*
In case your antivirus or any other realtime scanner displays an alert after you download ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.
ComboFix SHOULD NOT be used unless requested by a forum helper.
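The three O17 lines the helper checks above are per-interface NameServer values under the Tcpip registry key; when an interface is pointed at resolvers the owner never configured, every lookup from that machine is answered by someone else's DNS, which is what produces redirects like the ones described. The script below is an added example (not part of this thread, and not HijackThis's own code) that pulls the O17 entries out of a HijackThis log and flags resolvers that are neither on an expected list nor a private/router address. The sample lines are copied from the log posted above; `EXPECTED_RESOLVERS` is a placeholder the defender fills with the resolvers the ISP or corporate DHCP actually hands out.

```python
import ipaddress
import re

# Sample HijackThis lines, copied from the log posted in this thread (the O16 and O18
# lines are included only to show that non-O17 lines are ignored).
SAMPLE_LOG = r"""
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{011C9181-D808-4DE3-8C7D-42924697A1A8}: NameServer = 85.255.112.237;85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{0978B3E4-4746-4FEB-BE37-04B5D79DE624}: NameServer = 85.255.112.237;85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\..\{011C9181-D808-4DE3-8C7D-42924697A1A8}: NameServer = 85.255.112.237;85.255.112.123
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
"""

# Placeholder (assumption): resolvers the owner knows are legitimate for this network.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# HijackThis O17 line: "O17 - <registry path ending in interface GUID>: NameServer = a;b"
O17_RE = re.compile(
    r"^O17 - (?P<path>.+?\\(?P<iface>\{[0-9A-Fa-f-]+\})): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return one dict per O17 line: registry path, interface GUID, list of resolvers."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[;,\s]+", m.group("servers")) if s]
        entries.append({"path": m.group("path"), "iface": m.group("iface"), "servers": servers})
    return entries


def classify_server(server, expected):
    """'expected', 'local' (private/loopback/link-local), 'unexpected-public' or 'unparseable'."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if server in expected:
        return "expected"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"  # typically the home router / DHCP-assigned resolver
    return "unexpected-public"


def flag_nameservers(entries, expected):
    """Findings for resolvers that are not expected and not local.

    CCS and CS1 are two control sets describing the same interface, so a resolver is
    reported once per (interface, server) pair rather than once per registry path.
    """
    findings, seen = [], set()
    for e in entries:
        for server in e["servers"]:
            verdict = classify_server(server, expected)
            if verdict in ("expected", "local"):
                continue
            key = (e["iface"], server)
            if key in seen:
                continue
            seen.add(key)
            findings.append({"iface": e["iface"], "server": server, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in flag_nameservers(parse_o17(SAMPLE_LOG), EXPECTED_RESOLVERS):
        print(f"{f['iface']} -> {f['server']} ({f['verdict']})")
```

A public resolver is not proof of tampering on its own (someone may have set a well-known public DNS by hand), which is why the expected list, not the public/private split, decides what is reported; the point is that a resolver nobody on the machine chose deserves the same "fix and reboot" treatment the helper prescribes.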
-
I really appreciate your help, Neal. Posted below is the entire contents of C:\Combofix.txt
-------------------------------------------------------------------------------------------------------
ComboFix 08-11-03.04 - Owner 2008-11-03 21:53:51.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1092 [GMT -6:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll
E:\Autorun.inf
F:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://moreadultvideo.net
.
((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.
2008-11-03 11:09 . 2008-11-03 11:34 <DIR> d-------- C:\fixwareout
2008-11-03 02:23 . 2008-11-03 02:23 <DIR> d-------- c:\users\Owner\AppData\Roaming\Malwarebytes
2008-11-03 02:23 . 2008-11-03 02:23 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-03 02:23 . 2008-11-03 02:23 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-03 02:23 . 2008-11-03 02:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-03 02:23 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-03 02:23 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-03 02:02 . 2008-11-03 02:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-02 23:54 . 2008-11-03 08:48 <DIR> d-------- c:\users\All Users\Lavasoft
2008-11-02 23:54 . 2008-11-03 08:48 <DIR> d-------- c:\programdata\Lavasoft
2008-11-01 17:50 . 2008-11-01 17:51 156,040,414 --a------ c:\windows\MEMORY.DMP
2008-10-31 21:53 . 2008-10-31 21:53 <DIR> d-------- c:\program files\Codec
2008-10-31 21:51 . 2008-10-31 21:51 <DIR> d-------- c:\program files\ffdshow
2008-10-31 21:51 . 2008-06-08 21:58 60,273 --a------ c:\windows\System32\pthreadGC2.dll
2008-10-31 21:51 . 2008-06-12 18:36 7,680 --a------ c:\windows\System32\ff_vfw.dll
2008-10-31 21:51 . 2007-07-10 16:10 547 --a------ c:\windows\System32\ff_vfw.dll.manifest
2008-10-31 21:48 . 2008-10-31 21:48 <DIR> d-------- c:\users\Owner\AppData\Roaming\GRETECH
2008-10-31 21:46 . 2008-10-31 21:46 <DIR> d-------- c:\program files\GRETECH
2008-10-31 21:42 . 2008-10-31 21:43 <DIR> d-------- c:\users\Owner\AppData\Roaming\vlc
2008-10-31 20:30 . 2008-10-31 20:30 <DIR> d-------- c:\users\All Users\Messenger Plus!
2008-10-31 20:30 . 2008-10-31 20:30 <DIR> d-------- c:\programdata\Messenger Plus!
2008-10-31 20:02 . 2008-10-31 20:05 <DIR> d-------- c:\users\Owner\AppData\Roaming\Winamp
2008-10-31 20:02 . 2008-10-31 20:03 <DIR> d-------- c:\program files\Winamp
2008-10-31 20:02 . 2007-03-07 17:51 129,784 --------- c:\windows\System32\pxafs.dll
2008-10-31 00:58 . 2008-10-31 00:58 <DIR> d-------- c:\program files\Messenger Plus! Live
2008-10-30 01:34 . 2008-10-30 01:34 <DIR> d-------- c:\program files\Gabest
2008-10-30 00:26 . 2008-10-30 00:26 <DIR> d-------- c:\program files\LSoft Technologies
2008-10-29 08:13 . 2008-11-03 11:34 <DIR> d-------- C:\QUARANTINE
2008-10-29 08:11 . 2008-10-29 08:11 <DIR> d-------- c:\users\All Users\McAfee
2008-10-29 08:11 . 2008-10-29 08:11 <DIR> d-------- c:\programdata\McAfee
2008-10-29 08:11 . 2008-10-29 08:11 <DIR> d-------- c:\program files\McAfee
2008-10-29 08:11 . 2008-10-29 08:11 <DIR> d-------- c:\program files\Common Files\McAfee
2008-10-29 08:11 . 2008-10-29 08:11 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2008-10-29 08:11 . 2008-09-29 07:07 340,592 --a------ c:\windows\System32\drivers\mfehidk.sys
2008-10-29 08:11 . 2008-09-29 07:07 90,360 --a------ c:\windows\System32\drivers\mfeavfk.sys
2008-10-29 08:11 . 2008-09-29 07:07 74,648 --a------ c:\windows\System32\drivers\mfeapfk.sys
2008-10-29 08:11 . 2008-09-29 07:07 67,904 --a------ c:\windows\System32\mfevtps.exe
2008-10-29 08:11 . 2008-09-29 07:07 64,432 --a------ c:\windows\System32\drivers\mferkdet.sys
2008-10-29 08:11 . 2008-09-29 07:07 62,704 --a------ c:\windows\System32\drivers\mfetdik.sys
2008-10-29 08:11 . 2008-09-29 07:07 42,424 --a------ c:\windows\System32\drivers\mfebopk.sys
2008-10-29 08:06 . 2008-10-29 08:06 <DIR> d-------- c:\program files\WiniGuard Software
2008-10-29 01:23 . 2008-10-29 01:23 <DIR> d-------- c:\program files\VideoLAN
2008-10-29 01:17 . 2008-10-29 01:17 <DIR> d-------- c:\users\All Users\Apple Computer
2008-10-29 01:17 . 2008-10-29 01:17 <DIR> d-------- c:\programdata\Apple Computer
2008-10-29 01:17 . 2008-10-29 01:18 <DIR> d-------- c:\program files\QuickTime
2008-10-29 01:17 . 2008-10-29 01:17 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-29 01:16 . 2008-10-29 01:16 <DIR> d-------- c:\users\All Users\Apple
2008-10-29 01:16 . 2008-10-29 01:16 <DIR> d-------- c:\programdata\Apple
2008-10-29 01:16 . 2008-10-29 01:16 <DIR> d-------- c:\program files\Apple Software Update
2008-10-28 00:27 . 2008-10-28 00:27 1,025 --a------ c:\windows\System32\sysprs7.tgz
2008-10-28 00:27 . 2008-10-28 00:27 1,025 --a------ c:\windows\System32\sysprs7.dll
2008-10-28 00:27 . 2008-10-28 00:27 1,025 --a------ c:\windows\System32\clauth2.dll
2008-10-28 00:27 . 2008-10-28 00:27 1,025 --a------ c:\windows\System32\clauth1.dll
2008-10-28 00:27 . 2008-10-29 08:13 219 --a------ c:\windows\System32\lsprst7.tgz
2008-10-28 00:27 . 2008-10-29 08:30 87 --a------ c:\windows\System32\ssprs.tgz
2008-10-27 23:19 . 2008-10-30 00:53 <DIR> d-a------ c:\users\All Users\TEMP
2008-10-27 23:19 . 2008-10-30 00:53 <DIR> d-a------ c:\programdata\TEMP
2008-10-26 20:51 . 2008-10-26 20:51 29,192 --a------ c:\windows\System32\drivers\ndisprot.sys
2008-10-25 22:32 . 2006-10-26 18:58 30,512 --a------ c:\windows\System32\mdimon.dll
2008-10-25 22:30 . 2008-10-25 22:30 <DIR> d-------- c:\program files\Microsoft Works
2008-10-25 22:29 . 2008-10-25 22:29 <DIR> d-------- c:\program files\Microsoft.NET
2008-10-25 22:26 . 2008-10-26 02:03 <DIR> d-------- c:\users\All Users\Microsoft Help
2008-10-25 22:26 . 2008-10-26 02:03 <DIR> d-------- c:\programdata\Microsoft Help
2008-10-25 22:26 . 2008-10-25 22:26 <DIR> dr-h----- C:\MSOCache
2008-10-25 22:20 . 2008-02-18 16:29 96,256 --a------ c:\windows\System32\drivers\mcdbus.sys
2008-10-25 22:07 . 2008-10-25 22:07 <DIR> d-------- C:\Drivers
2008-10-25 15:13 . 2008-10-25 15:13 <DIR> d-------- c:\program files\BitComet
2008-10-25 15:13 . 2008-11-02 23:41 <DIR> d-------- C:\Downloads
2008-10-25 12:07 . 2008-10-25 13:38 1,129 -rah----- c:\windows\EPMBatch.ept
2008-10-25 11:25 . 2008-10-25 13:15 11 --a------ c:\windows\EuBcd.ini
2008-10-25 11:14 . 2008-10-25 11:14 <DIR> d-------- C:\CPM
2008-10-25 11:07 . 2008-10-25 11:07 <DIR> d-------- c:\users\Owner\AppData\Roaming\Future Systems Solutions
2008-10-25 11:07 . 2008-10-25 11:07 <DIR> d-------- c:\users\All Users\Future Systems Solutions
2008-10-25 11:07 . 2008-10-25 11:07 <DIR> d-------- c:\programdata\Future Systems Solutions
2008-10-25 10:58 . 2008-06-25 06:14 4,244,744 --a------ c:\windows\System32\qtp-mt334.dll
2008-10-25 10:58 . 2008-06-25 06:14 247,560 --a------ c:\windows\System32\prgiso.dll
2008-10-25 10:58 . 2008-06-25 06:14 13,576 --a------ c:\windows\System32\wnaspi32.dll
2008-10-24 12:44 . 2008-10-24 12:44 <DIR> d-------- c:\windows\PCHEALTH
2008-10-24 12:41 . 2008-10-24 12:41 <DIR> d-------- c:\users\All Users\WLInstaller
2008-10-24 12:41 . 2008-10-24 12:41 <DIR> d-------- c:\programdata\WLInstaller
2008-10-24 12:40 . 2008-11-03 00:07 <DIR> d-------- c:\users\Owner\AppData\Roaming\Skype
2008-10-24 12:33 . 2008-10-24 12:33 <DIR> d-------- c:\windows\System32\Macromed
2008-10-24 12:32 . 2008-10-24 12:32 <DIR> d-------- c:\users\All Users\Skype
2008-10-24 12:32 . 2008-10-24 12:32 <DIR> d-------- c:\programdata\Skype
2008-10-24 12:32 . 2008-10-24 12:32 <DIR> d-------- c:\program files\Skype
2008-10-24 12:32 . 2008-10-24 12:32 <DIR> d-------- c:\program files\Common Files\Skype
2008-10-24 12:31 . 2008-10-24 12:45 <DIR> d-------- c:\program files\Windows Live
2008-10-24 12:31 . 2008-10-24 12:44 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-10-22 09:22 . 2008-10-22 09:22 <DIR> d-------- c:\windows\System32\OEM
2008-10-22 09:22 . 2008-10-22 08:29 <DIR> d-------- c:\windows\Panther
2008-10-22 09:22 . 2008-10-22 09:22 <DIR> d--hs---- C:\Boot
2008-10-22 09:22 . 2008-01-20 20:24 333,203 -rahs---- C:\bootmgr
2008-10-22 09:22 . 2008-10-22 09:22 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-10-22 09:22 . 2008-02-14 11:44 24 -rah----- c:\windows\dell_version
2008-10-22 08:30 . 2008-10-25 22:32 <DIR> d-------- c:\windows\Debug
2008-10-22 07:34 . 2008-10-22 07:34 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-10-22 07:23 . 2008-10-22 07:23 16,058 --a------ c:\windows\System32\results.xml
2008-10-22 07:14 . 2008-07-15 19:32 2,048 --a------ c:\windows\System32\tzres.dll
2008-10-22 07:05 . 2008-10-22 07:05 <DIR> d-------- c:\program files\DellTPad
2008-10-22 07:05 . 2008-06-25 19:45 12,240,896 --a------ c:\windows\System32\NlsLexicons0007.dll
2008-10-22 07:05 . 2008-06-25 19:45 2,644,480 --a------ c:\windows\System32\NlsLexicons0009.dll
2008-10-22 07:05 . 2008-06-25 21:29 801,280 --a------ c:\windows\System32\NaturalLanguage6.dll
2008-10-22 07:05 . 2008-08-05 03:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-10-22 07:05 . 2008-08-05 03:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-10-22 07:05 . 2008-08-05 03:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-10-22 07:05 . 2008-08-05 03:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-10-22 07:05 . 2008-08-05 03:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-22 07:05 . 2008-04-22 22:41 57,856 --a------ c:\windows\System32\MSDvbNP.ax
2008-10-22 07:05 . 2008-10-22 07:05 0 --ah----- c:\windows\System32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2008-10-22 07:04 . 2006-11-02 07:09 1,419,232 --a------ c:\windows\System32\WdfCoInstaller01005.dll
2008-10-22 07:04 . 2007-06-25 17:53 155,136 --a------ c:\windows\System32\drivers\Apfiltr.sys
2008-10-22 07:04 . 2007-06-25 18:51 100,418 --a------ c:\windows\System32\Vxdif.dll
2008-10-22 06:58 . 2008-09-17 23:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-22 06:58 . 2008-09-17 23:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-22 06:56 . 2007-04-13 14:37 3,293,184 --a------ c:\windows\System32\igfxress.dll
2008-10-22 06:53 . 2008-10-22 06:53 <DIR> d-------- c:\program files\Marvell
2008-10-22 06:52 . 2008-10-22 06:52 <DIR> d-------- c:\users\Owner\AppData\Roaming\TMP
2008-10-22 06:51 . 2008-10-22 06:51 <DIR> d-------- c:\program files\Cisco
2008-10-22 06:50 . 2008-10-22 06:50 744,740 --a------ c:\windows\System32\oem4.inf
2008-10-22 06:49 . 2008-10-22 06:49 <DIR> d-------- c:\users\Owner\AppData\Roaming\InstallShield
2008-10-22 06:48 . 2008-10-22 06:48 <DIR> d-------- c:\program files\CONEXANT
2008-10-22 06:47 . 2006-11-02 17:43 986,624 --a------ c:\windows\System32\drivers\HSX_DPV.sys
2008-10-22 06:47 . 2006-11-02 17:42 659,968 --a------ c:\windows\System32\drivers\HSX_CNXT.sys
2008-10-22 06:47 . 2006-08-04 15:39 386,560 --a------ c:\windows\System32\drivers\XAudio.exe
2008-10-22 06:47 . 2006-11-02 17:42 206,848 --a------ c:\windows\System32\drivers\HSXHWAZL.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 13:19 --------- d-----w c:\program files\Windows Mail
2008-09-29 13:07 19,480 ----a-w c:\windows\System32\MFEOtlk.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-16 06:14 524,288 ----a-w c:\windows\System32\DivXsm.exe
2008-09-16 06:14 3,596,288 ----a-w c:\windows\System32\qt-dx331.dll
2008-09-16 06:12 81,920 ----a-w c:\windows\System32\dpl100.dll
2008-09-16 06:11 683,520 ----a-w c:\windows\System32\divx.dll
2008-08-22 10:08 878,592 ----a-w c:\windows\System32\wininet.dll
2008-08-22 10:07 43,008 ----a-w c:\windows\System32\licmgr10.dll
2008-08-22 10:07 18,944 ----a-w c:\windows\System32\corpol.dll
2008-08-22 10:06 72,704 ----a-w c:\windows\System32\admparse.dll
2008-08-22 10:06 71,680 ----a-w c:\windows\System32\iesetup.dll
2008-08-22 10:06 66,560 ----a-w c:\windows\System32\wextract.exe
2008-08-22 10:06 129,024 ----a-w c:\windows\System32\ieUnatt.exe
2008-08-22 10:06 110,080 ----a-w c:\windows\System32\PDMSetup.exe
2008-08-22 10:06 103,936 ----a-w c:\windows\System32\SetDepNx.exe
2008-08-22 10:06 103,424 ----a-w c:\windows\System32\SetIEInstalledDate.exe
2008-08-22 10:05 35,840 ----a-w c:\windows\System32\imgutil.dll
2008-08-22 10:05 168,960 ----a-w c:\windows\System32\iexpress.exe
2008-08-22 10:04 48,640 ----a-w c:\windows\System32\PrivacIE.dll
2008-08-22 10:04 48,128 ----a-w c:\windows\System32\mshtmler.dll
2008-08-22 10:04 45,568 ----a-w c:\windows\System32\mshta.exe
2008-08-22 09:57 156,160 ----a-w c:\windows\System32\msls31.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-13 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-13 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-13 133656]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{18D496FA-4B26-4B37-BE57-1A93242AE383}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{6E481AAB-601A-42D0-B81F-8DFE91C854C2}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{2B45D806-C1C5-4B7A-9A78-7F494CA9F3F5}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{55B93232-FDA0-4C18-804A-DAEA564B8DA2}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{2413E2DE-60FD-4D5A-BF59-473FB21D897A}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"TCP Query User{AD94D078-3CFD-479C-A825-F81A5F8D7DD8}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{882CA06C-A71D-4F52-8D5D-92B9E3F3EFB7}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-03-26 111104]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x86.sys [2007-12-06 298496]
S2 Windows Tribute Service;Windows Tribute Service;c:\windows\system32\kdsst.exe [2008-01-20 69120]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\Ndisprot.sys [2008-10-26 29192]
S4 ErrDev;Microsoft Hardware Error Device Driver;c:\windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR;c:\windows\system32\drivers\megasr.sys [2008-01-20 386616]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65fc23f8-a335-11dd-9215-001d0941b998}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL g:\resycled\boot.com e:
\shell\Open\command - g:\resycled\boot.com e:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8f02242-a2cc-11dd-be35-001d0941b998}]
\shell\AutoRun\command - J:\laucher.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ankds7mv.default\
.
************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 21:58:45
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
Completion time: 2008-11-03 21:59:53
ComboFix-quarantined-files.txt 2008-11-04 03:59:30
Pre-Run: 27,110,494,208 bytes free
Post-Run: 27,271,409,664 bytes free
248 --- E O F --- 2008-10-26 08:03:41
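Besides the WiniGuard folder the helper points out next, the ComboFix log above records two MountPoints2 entries whose cached AutoRun/Open commands launch executables from removable drives (g:\resycled\boot.com, J:\laucher.exe), alongside the E:\Autorun.inf and F:\Autorun.inf files ComboFix deleted. MountPoints2 is where Explorer caches a volume's Autorun.inf shell commands, so commands there that point outside the system drive are worth a second look. The script below is an added example (not from this thread or from ComboFix) that extracts those entries from the "Reg Loading Points" section and explains why each one was flagged; the sample text is an excerpt of the log above with the wrapped key names re-joined.

```python
import re

# Excerpt of the ComboFix "Reg Loading Points" section posted in this thread (constructed
# sample: copied from the log above, with the line-wrapped key names joined back together).
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65fc23f8-a335-11dd-9215-001d0941b998}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL g:\resycled\boot.com e:
\shell\Open\command - g:\resycled\boot.com e:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8f02242-a2cc-11dd-be35-001d0941b998}]
\shell\AutoRun\command - J:\laucher.exe
*Newly Created Service* - CATCHME
"""

# "[...\mountpoints2\{volume GUID}]" header line
KEY_RE = re.compile(r"^\[(?P<key>.+\\mountpoints2\\(?P<guid>\{[0-9A-Fa-f-]+\}))\]$", re.IGNORECASE)
# "\shell\<verb>\command - <command line>" body line
VERB_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)
# drive letters that are followed by a backslash, i.e. real paths in the command line
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")

# Assumption: the OS lives on C:; anything else is treated as a removable/secondary volume.
SYSTEM_DRIVES = {"c"}


def parse_mountpoints(text):
    """Return one dict per cached shell command: volume GUID, verb, command line."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group("guid")
            continue
        verb = VERB_RE.match(line)
        if verb and current:
            entries.append({"guid": current, "verb": verb.group("verb"), "command": verb.group("cmd")})
        elif not line.startswith("\\"):
            current = None  # any other line means we have left the mountpoints2 block
    return entries


def review_mountpoints(entries):
    """Attach human-readable reasons to entries that deserve review; drop the rest."""
    findings = []
    for e in entries:
        reasons = []
        drives = {d.lower() for d in DRIVE_RE.findall(e["command"])}
        foreign = sorted(drives - SYSTEM_DRIVES)
        if foreign:
            reasons.append("launches a file from non-system drive(s): " + ", ".join(foreign))
        if "shellexec_rundll" in e["command"].lower():
            reasons.append("uses RunDLL32 ShellExec_RunDLL to launch the file indirectly")
        if e["verb"].lower() == "autorun":
            reasons.append("cached AutoRun command from the volume's Autorun.inf")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_mountpoints(parse_mountpoints(SAMPLE_COMBOFIX)):
        print(f"{f['guid']} [{f['verb']}] {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

The heuristic is deliberately narrow: a command that runs from the system drive with a plain verb produces no finding, so legitimate AutoPlay handlers for CD-ROM installers are not reported simply for existing.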
-
If you have this in Add/Remove Programs, please uninstall it:
WiniGuard Software
If it is not there, delete the folder:
c:\program files\WiniGuard Software
That is a rogue program you do not want.
How are things now?
-
My gf had taken it back before I got your reply. Though, since she doesn't have a clue about computer stuff, I did try using TeamViewer and deleted the folder afterward (WiniGuard was not present in Add/Remove Programs).
I guess I will have to wait until I see her again ... like ... next month, since we live in different states. If the problem still persists, I will come back and seek your help, Neal. Your help is much appreciated!!!
-
Okey dokey then, good luck and let us know if further problems occur.