
Mr.C / Want to see if I have an infection on Desktop now.



Thanks for helping on laptop ... since I cannot continue on that right now I would like to work with you on the desktop, if that is okay.

My issues are the same: Getting redirects (attempted redirects - FF is blocking them).

I have scanned the computer with MSE and Malwarebytes Pro (whose trial ran out the day before yesterday) - no infections.

Thanks.


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------


DDS and Attach Files attached.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RogueKiller Scan Results:

RogueKiller V8.2.3 [11/07/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Safe mode with network support

User : Administrator [Admin rights]

Mode : Scan -- Date : 11/12/2012 17:45:46

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Volume0 +++++

--- User ---

[MBR] e86ddf9a13765dca0a805127dcd61212

[bSP] db63615aa66f3fdfa2e467ad7beb91fe : MBR Code unknown

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 9012465 | Size: 949458 Mo

1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 4400 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive1: HP Photosmart C8100 USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1]_S_11122012_02d1745.txt >>

RKreport[1]_S_11122012_02d1745.txt

dds.txt

attach.txt


Started in : Safe mode with network support

Why are you using safe mode?

You have a lot of system restore points going back to August.

You say you're being redirected; which browsers are affected?

Where do they direct you to?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please do this:

Download MbrScan from the link below:

http://eric71.geekst...ols/MbrScan.exe

Double click on it to run it > Click Scan and then Report

Copy back the report here.

Last............

Please create a new system restore point before running Malwarebytes Anti-Malware.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.



I only ran the scan in safe mode.

As far as system restore - I am not making them, so I have no idea what it is. I think Software Distribution Center has to do with Microsoft Updates, doesn't it? Why in the world would it make so many restore points?

FF "attempts" to redirect. Exact same thing as on the laptop. I get to the page I searched for but FF tells me it blocked a redirect. I cannot tell when an attempt has been made in other browsers because they don't warn you. I end up on the page I want however.

Maybe I am getting redirects that are NOT malicious?

I cannot do a system restore on this computer. It has not worked since removing Norton 360. Can I run this next scan without worry since I cannot restore?


Forgot this result, sorry.


MBRScan v1.1.1

OS : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR : x86 Family 15 Model 6 Stepping 2, GenuineIntel
BOOT : Normal Boot
DATE : 2012/11/12 (ISO 8601) at 20:32:49
________________________________________________________________________________

DISK : Device\Harddisk0\DR0 __Intel Raid 0 Volume (1.0.)
BUS_TYPE : (0x03) P-ATA
USE_PIO : YES
MAX_TRANSFER : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

Device\Harddisk0\DR0 931.5 Go [Fixed] ==> Unknown MBR Code .

MBR_MD5 : E86DDF9A13765DCA0A805127DCD61212
MBR_SHA1 : 2779019DB8DA65AD0ABAB00D5838BAA35ED4857C

Device\Harddisk0\Partition1 927.2 Go 0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2 4.30 Go 0x0B FAT32 [CHS]
________________________________________________________________________________

############################### Additional scan ################################

DRIVER : C:\WINDOWS\System32\Drivers\dump_iaStor.sys => Invisible on the disk
ADDRESS : 0x9DE9D000
SIZE : 852.0 Ko

SystemStartOptions : NOEXECUTE=OPTIN FASTDETECT

________________________________________________________________________________

_______MBR \Device\Harddisk0\DR0

0x00000000 33 FF BE 00 02 8E D7 BC 00 7A BB A0 07 8B CE 8E 3.¾...×¼.z»...Î.
0x00000010 DB 8E C3 F3 A4 EA 5F 00 A0 07 10 00 01 00 00 7A Û.Ãó¤ê_........z
0x00000020 00 00 00 00 00 00 00 00 00 00 8B F5 B1 04 38 64 ...........õ±.8d
0x00000030 04 74 0D 38 44 04 74 08 83 C6 10 E2 F1 E9 C6 00 .t.8D.t..Æ.âñéÆ.
0x00000040 BB 0E 00 FF 30 FF 31 8F 00 8F 01 80 EB 02 73 F3 »...0.1.....ë.só
0x00000050 C3 AC 0A C0 74 FA B4 0E BB 07 00 CD 10 EB F2 BD ì.Àtú´.»..Í.ëò½
0x00000060 BE 01 BF CE 01 B8 0B 12 E8 BF FF C6 05 80 C6 45 ¾.¿Î.¸..è¿.Æ..ÆE
0x00000070 04 0B 8B FD B8 0C 07 E8 B0 FF C6 05 00 C6 45 14 ...ý¸..è°.Æ..ÆE.
0x00000080 12 C6 45 10 00 F6 06 5C 01 04 75 53 F6 06 5C 01 .ÆE..ö.\..uSö.\.
0x00000090 02 75 58 B4 11 CD 16 75 33 8A 16 5B 01 0A D2 74 .uX´.Í.u3..[..Òt
0x000000A0 4A 8B 36 63 01 E8 A9 FF B1 01 B8 30 09 02 C2 CD J.6c.è©.±.¸0..ÂÍ
0x000000B0 10 FE CA 78 30 36 8A 0E 6C 04 80 C1 12 B4 11 CD .þÊx06..l..Á.´.Í
0x000000C0 16 75 09 36 3A 0E 6C 04 75 F3 EB DC BE 57 01 E8 .u.6:.l.uóëܾW.è
0x000000D0 7F FF B4 10 CD 16 3C 72 74 05 80 FC 85 75 0C C6 ..´.Í.<rt..ü.u.Æ
0x000000E0 45 10 80 EB 10 BE 57 01 E8 66 FF C6 05 80 F6 06 E..ë.¾W.èf.Æ..ö.
0x000000F0 5C 01 10 74 04 C6 45 14 0B F6 06 5C 01 40 74 06 \..t.ÆE..ö.\.@t.
0x00000100 BE CE 01 E8 3A FF B1 04 8B FD 80 3D 80 74 12 83 ¾Î.è:.±..ý.=.t..
0x00000110 C7 10 E2 F6 8B 36 5F 01 E8 36 FF B4 00 CD 16 CD Ç.âö.6_.è6.´.Í.Í
0x00000120 18 80 26 5C 01 F9 B8 00 43 B2 80 BE 1A 00 CD 13 ..&\.ù¸.C².¾..Í.
0x00000130 72 E2 66 8B 5D 08 66 89 1E 22 00 C6 06 1F 00 7C râf.].f..".Æ...|
0x00000140 B4 42 CD 13 72 CE 81 3E FE 03 55 AA 8B 36 5D 01 ´BÍ.rÎ.>þ.Uª.6].
0x00000150 75 C6 EA 00 7C 00 00 20 0D 0A 00 02 10 65 01 72 uÆê.|.. .....e.r
0x00000160 01 7E 01 80 01 4D 69 73 73 69 6E 67 20 4F 53 0D .~...Missing OS.
0x00000170 0A 00 4D 42 52 20 45 72 72 6F 72 0D 0A 00 20 00 ..MBR Error... .
0x00000180 0D 0A 50 72 65 73 73 20 46 31 31 20 74 6F 20 73 ..Press F11 to s
0x00000190 74 61 72 74 20 72 65 63 6F 76 65 72 79 20 00 00 tart recovery ..
0x000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001B0 00 00 00 00 00 00 5B 01 AA ED AA ED 00 00 80 00 ......[.ªíªí....
0x000001C0 81 31 07 FE FF FF F1 84 89 00 0F 96 E6 73 00 01 .1.þ..ñ.....æs..
0x000001D0 01 00 0B FE BF 30 3F 00 00 00 B2 84 89 00 00 00 ...þ¿0?...².....
0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª

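The MBR dump in the MBRScan report above is the raw 512-byte boot sector, and both RogueKiller and MBRScan summarise it (MBR_MD5, "Unknown MBR Code", partition table) without showing how those figures come out of the bytes. The following is an added example, written for this page and not code from the thread or from the MBRScan/RogueKiller authors: it rebuilds the sector from the dump exactly as posted (ASCII column dropped), checks the 0x55AA boot signature, reads the NT disk signature and the four partition-table entries, flags overlapping or doubly-active partitions, and computes the MD5 that the tools print so the sector can be compared against a known-good baseline. The MBR_DUMP constant is copied from the report; PARTITION_TYPES is a small hand-picked subset and is an assumption of this example.

```python
import hashlib
import struct

# The 32 dump lines from the MBRScan report above (ASCII column dropped).
MBR_DUMP = """
0x00000000 33 FF BE 00 02 8E D7 BC 00 7A BB A0 07 8B CE 8E
0x00000010 DB 8E C3 F3 A4 EA 5F 00 A0 07 10 00 01 00 00 7A
0x00000020 00 00 00 00 00 00 00 00 00 00 8B F5 B1 04 38 64
0x00000030 04 74 0D 38 44 04 74 08 83 C6 10 E2 F1 E9 C6 00
0x00000040 BB 0E 00 FF 30 FF 31 8F 00 8F 01 80 EB 02 73 F3
0x00000050 C3 AC 0A C0 74 FA B4 0E BB 07 00 CD 10 EB F2 BD
0x00000060 BE 01 BF CE 01 B8 0B 12 E8 BF FF C6 05 80 C6 45
0x00000070 04 0B 8B FD B8 0C 07 E8 B0 FF C6 05 00 C6 45 14
0x00000080 12 C6 45 10 00 F6 06 5C 01 04 75 53 F6 06 5C 01
0x00000090 02 75 58 B4 11 CD 16 75 33 8A 16 5B 01 0A D2 74
0x000000A0 4A 8B 36 63 01 E8 A9 FF B1 01 B8 30 09 02 C2 CD
0x000000B0 10 FE CA 78 30 36 8A 0E 6C 04 80 C1 12 B4 11 CD
0x000000C0 16 75 09 36 3A 0E 6C 04 75 F3 EB DC BE 57 01 E8
0x000000D0 7F FF B4 10 CD 16 3C 72 74 05 80 FC 85 75 0C C6
0x000000E0 45 10 80 EB 10 BE 57 01 E8 66 FF C6 05 80 F6 06
0x000000F0 5C 01 10 74 04 C6 45 14 0B F6 06 5C 01 40 74 06
0x00000100 BE CE 01 E8 3A FF B1 04 8B FD 80 3D 80 74 12 83
0x00000110 C7 10 E2 F6 8B 36 5F 01 E8 36 FF B4 00 CD 16 CD
0x00000120 18 80 26 5C 01 F9 B8 00 43 B2 80 BE 1A 00 CD 13
0x00000130 72 E2 66 8B 5D 08 66 89 1E 22 00 C6 06 1F 00 7C
0x00000140 B4 42 CD 13 72 CE 81 3E FE 03 55 AA 8B 36 5D 01
0x00000150 75 C6 EA 00 7C 00 00 20 0D 0A 00 02 10 65 01 72
0x00000160 01 7E 01 80 01 4D 69 73 73 69 6E 67 20 4F 53 0D
0x00000170 0A 00 4D 42 52 20 45 72 72 6F 72 0D 0A 00 20 00
0x00000180 0D 0A 50 72 65 73 73 20 46 31 31 20 74 6F 20 73
0x00000190 74 61 72 74 20 72 65 63 6F 76 65 72 79 20 00 00
0x000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000001B0 00 00 00 00 00 00 5B 01 AA ED AA ED 00 00 80 00
0x000001C0 81 31 07 FE FF FF F1 84 89 00 0F 96 E6 73 00 01
0x000001D0 01 00 0B FE BF 30 3F 00 00 00 B2 84 89 00 00 00
0x000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
"""

# Hand-picked subset of partition type IDs (assumption of this example).
PARTITION_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the sector from 'offset b0 .. b15' lines; refuse gaps."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"dump not contiguous at {tokens[0]}")
        out.extend(int(t, 16) for t in tokens[1:17])
    return bytes(out)


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the four 16-byte entries at 0x1BE."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    (disk_sig,) = struct.unpack_from("<I", sector, 0x1B8)  # NT disk signature
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, n_sectors = struct.unpack_from(
            "<B3xB3xII", sector, 0x1BE + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PARTITION_TYPES.get(ptype, f"unknown {ptype:#04x}"),
                      "lba_start": lba_start, "sectors": n_sectors,
                      "size_mib": n_sectors * 512 // (1024 * 1024)})
    return {"disk_signature": disk_sig,
            "md5": hashlib.md5(sector).hexdigest(),  # same figure tools call MBR_MD5
            "partitions": parts}


def layout_issues(parts: list) -> list:
    """Return human-readable problems: overlapping entries or several active flags."""
    issues = []
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            issues.append(f"partition {a['index']} overlaps partition {b['index']}")
    if sum(p["bootable"] for p in parts) > 1:
        issues.append("more than one partition flagged active")
    return issues


if __name__ == "__main__":
    info = parse_mbr(hexdump_to_bytes(MBR_DUMP))
    print(f"disk signature {info['disk_signature']:#010x}  md5 {info['md5']}")
    for p in info["partitions"]:
        print(p)
    print("layout issues:", layout_issues(info["partitions"]) or "none")
```

Compare the printed md5 with the MBR_MD5 line of the report and with a hash taken from a known-clean machine of the same OEM image; a hash that changes between scans without an OS or recovery-tool install is what a bootkit check is really looking for. The partition figures reproduce what RogueKiller reported (NTFS at sector 9012465, 949458 MiB; FAT32 at sector 63, 4400 MiB).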

Scan said no malware found!!

Mbar-log file below, system log file attached.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.13.01

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

~XXXX~ :: XXXXX [administrator]

11/12/2012 9:04:33 PM

mbar-log-2012-11-12 (21-04-33).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 27904

Time elapsed: 21 minute(s), 19 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

system-log.txt


It's clean, we can run ComboFix to check for any other malware:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Here's ComboFix.txt (NOTE: I replaced my user name with XXXX)

ComboFix 12-11-12.03 - ~XXXX~ 11/12/2012 22:16:37.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2496 [GMT -5:00]

Running from: c:\documents and settings\~XXXX~\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\~XXXX~\My Documents\Downloads\PowerPointViewer.exe

c:\documents and settings\~XXXX~\WINDOWS

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\SET4C6.tmp

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

c:\windows\Update.bat

.

.

((((((((((((((((((((((((( Files Created from 2012-10-13 to 2012-11-13 )))))))))))))))))))))))))))))))

.

.

2012-11-13 03:09 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7FFDA52C-890E-4765-B900-858D0606FCB4}\mpengine.dll

2012-11-13 01:41 . 2012-11-13 01:41 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-11-12 22:44 . 2012-11-12 22:44 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2012-11-11 14:52 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-11-06 17:59 . 2012-11-06 17:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2012-11-01 22:47 . 2012-11-01 22:47 -------- d-----w- c:\documents and settings\~XXXX~\Local Settings\Application Data\Sun

2012-11-01 22:47 . 2012-11-01 22:47 -------- d-----w- c:\program files\Common Files\Java

2012-11-01 22:46 . 2012-11-01 22:46 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-11-01 22:46 . 2012-11-01 22:46 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-10-27 02:46 . 2012-10-27 02:46 -------- d-----w- c:\documents and settings\~XXXX~\Application Data\Malwarebytes

2012-10-27 02:45 . 2012-10-27 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-10-27 02:45 . 2012-10-27 02:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-10-27 02:45 . 2012-09-29 23:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-10-26 18:08 . 2011-01-25 15:28 26216 ----a-r- c:\windows\system32\nvhdap32.dll

2012-10-26 18:08 . 2011-01-25 15:28 118248 ----a-r- c:\windows\system32\drivers\nvhda32.sys

2012-10-26 18:08 . 2011-01-25 15:28 837224 ----a-r- c:\windows\system32\nvhdagenco322040.dll

2012-10-26 18:07 . 2012-11-08 17:16 292700 ----a-w- c:\windows\system32\nvdrsdb1.bin

2012-10-26 18:07 . 2012-11-08 17:16 1 ----a-w- c:\windows\system32\nvdrssel.bin

2012-10-26 18:07 . 2012-11-08 17:15 292700 ----a-w- c:\windows\system32\nvdrsdb0.bin

2012-10-26 18:07 . 2011-03-01 04:35 941160 ----a-r- c:\windows\system32\nvdispco322090.dll

2012-10-26 18:07 . 2011-03-01 04:35 837736 ----a-r- c:\windows\system32\nvgenco322040.dll

2012-10-26 18:06 . 2011-03-01 04:35 2294442 ----a-w- c:\windows\system32\nvdata.bin

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-01 22:46 . 2012-07-06 13:57 821736 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-11-01 22:46 . 2010-08-25 14:48 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-10-26 19:03 . 2012-08-09 00:38 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-10-26 19:03 . 2012-08-09 00:38 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-05 14:49 . 2010-10-04 23:56 230840 ----a-r- c:\windows\system32\cpnprt2.cid

2012-08-31 02:03 . 2011-04-18 17:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2012-08-28 15:14 . 2006-06-17 09:23 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14 . 2006-06-17 09:23 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14 . 2006-06-17 09:23 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07 . 2006-06-17 09:23 385024 ----a-w- c:\windows\system32\html.iec

2012-08-24 13:53 . 2006-06-17 09:23 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-08-21 13:33 . 2006-06-17 09:23 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-08-21 12:58 . 2004-08-04 05:59 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-07-02 18:43 . 2012-07-02 18:43 10974280 ----a-w- c:\program files\Common Files\lpuninstall.exe

2012-11-01 16:36 . 2012-11-01 16:35 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

"CalendarPal"="c:\program files\CalendarPal\CalendarPal.exe" [2008-05-21 1122304]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

"KGShareApp"="c:\program files\Kodak\KODAK Share Button App\KGShare_App.exe" [2012-06-26 394752]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-03-09 139264]

"ledpointer"="CNYHKey.exe" [2004-03-03 5576704]

"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 20480]

"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]

"DT GWY"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-25 81920]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

"Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-01-15 8744960]

"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 16200]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"CHotkey"="mHotkey.exe" [2004-09-21 550400]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]

"KodakShareButtonApp"="c:\program files\Kodak\KODAK Share Button App\Listener.exe" [2012-06-26 108032]

"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]

"Z1"="c:\documents and settings\~Debb~\Desktop\mbar-1.01.0.1009\mbar\mbar.exe" [2012-11-08 1341800]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2012-7-2 10974280]

Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2012-7-2 10974280]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-9-25 813584]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe"=

"c:\\Program Files\\IncrediMail\\Bin\\ImpCnt.exe"=

"c:\\Program Files\\IncrediMail\\Bin\\ImLc.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\IncrediMail\\Bin\\ImPackr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:UDP"= 5353:UDP:Bonjour Port 5353

.

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/26/2012 9:45 PM 399432]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/26/2012 9:45 PM 676936]

R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [8/23/2010 10:00 PM 90112]

R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [11/12/2012 8:41 PM 35144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/26/2012 9:45 PM 22856]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMCHAMELEON

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-13 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-09 19:03]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: LastPass - file://c:\documents and settings\~XXXX~\Local Settings\Application Data\LastPass\context.html?cmd=lastpass

IE: LastPass Fill Forms - file://c:\documents and settings\~XXXX~\Local Settings\Application Data\LastPass\context.html?cmd=fillforms

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

TCP: DhcpNameServer = 97.64.209.36 97.64.168.13

FF - ProfilePath - c:\documents and settings\~XXXX~\Application Data\Mozilla\Firefox\Profiles\bje13j1z.default\

FF - prefs.js: browser.startup.homepage - hxxp://thundercloud.net/infoave/premium/2012/newsletter/omega/

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SysTrayApp - c:\program files\IDT\WDM\sttray.exe

HKLM-Run-hpqSRMon - (no file)

AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-12 22:23

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(708)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

.

Completion time: 2012-11-12 22:24:57

ComboFix-quarantined-files.txt 2012-11-13 03:24

.

Pre-Run: 943,022,694,400 bytes free

Post-Run: 943,218,434,048 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 0006F32D45DBE1F27F5E1F47BC5C670F


Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

MrC


# AdwCleaner v2.007 - Logfile created 11/12/2012 at 23:08:13

# Updated 06/11/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : ~XXXX~ - XXXXX

# Boot Mode : Normal

# Running from : C:\Documents and Settings\~XXXX~\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\~XXXX~\Local Settings\Application Data\Conduit

Folder Found : C:\Program Files\Conduit

***** [Registry] *****

Key Found : HKCU\Software\Conduit

Key Found : HKCU\Software\IM

Key Found : HKCU\Software\ImInstaller

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}

Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl

Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1

Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary

Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1

Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}

Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2438727

Key Found : HKLM\Software\Conduit

Key Found : HKLM\Software\ImInstaller

Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Found : HKLM\Software\Viewpoint

Key Found : HKU\S-1-5-21-1500982738-3618749481-1802049845-1007\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

Key Found : HKU\S-1-5-21-1500982738-3618749481-1802049845-1007\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default

File : C:\Documents and Settings\~XXXX~\Application Data\Mozilla\Firefox\Profiles\bje13j1z.default\prefs.js

Found : user_pref("browser.search.defaultenginename", "MyStart Search");

*************************

AdwCleaner[R1].txt - [2512 octets] - [12/11/2012 23:08:13]

########## EOF - C:\AdwCleaner[R1].txt - [2572 octets] ##########


Some adware found....let's clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

MrC


I reran AdwCleaner. When the scan finished and I clicked Delete I got a Data Execution Prevention window, then after closing that I got another window that said Windows Explorer encountered a problem and needs to close. After I closed that window AdwCleaner looked like it continued anyway and then said to reboot. I let it reboot and here is the txt results.

# AdwCleaner v2.007 - Logfile created 11/13/2012 at 11:06:02

# Updated 06/11/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : ~XXXX~ - XXXXX

# Boot Mode : Normal

# Running from : C:\Documents and Settings\~XXXX~\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\~XXXX~\Local Settings\Application Data\Conduit

Folder Deleted : C:\Program Files\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\IM

Key Deleted : HKCU\Software\ImInstaller

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2438727

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\Software\ImInstaller

Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Deleted : HKLM\Software\Viewpoint

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default

File : C:\Documents and Settings\~XXXX~\Application Data\Mozilla\Firefox\Profiles\bje13j1z.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "MyStart Search");

*************************

AdwCleaner[R1].txt - [2641 octets] - [12/11/2012 23:08:13]

AdwCleaner[R2].txt - [2760 octets] - [13/11/2012 11:05:25]

AdwCleaner[s1].txt - [367 octets] - [13/11/2012 10:53:43]

AdwCleaner[s2].txt - [2429 octets] - [13/11/2012 11:06:02]

########## EOF - C:\AdwCleaner[s2].txt - [2489 octets] ##########

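A small triage script for AdwCleaner logs like the one posted above, added here as an example (it is not from the thread and not part of AdwCleaner): it groups the tool's "Deleted" lines by section and pulls out the ones that changed the browser's search provider, which is the part of such a log a responder reads first when redirects are the complaint. The sample log inside it is constructed from a few lines of the posted one.

```python
"""Added triage helper for AdwCleaner '[Delete]' logs like the one posted above.
Not part of the thread or of AdwCleaner; it only reads log text and groups findings."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
ACTION_RE = re.compile(r"^(?P<what>Folder|File|Key|Value) Deleted : (?P<path>.+)$")
PREF_RE = re.compile(r'^Deleted : user_pref\("(?P<pref>[^"]+)", "(?P<value>[^"]*)"\);$')
# Entries that change the browser's search provider, the usual footprint of a
# toolbar/adware bundle such as the Conduit items in the posted log.
SEARCH_HIJACK_MARKERS = ("\\SearchScopes\\", "browser.search.defaultenginename")

# Constructed sample built from a few lines of the log above (trimmed).
SAMPLE_LOG = r"""# AdwCleaner v2.007 - Logfile created 11/13/2012 at 11:06:02
# Option [Delete]
***** [Files / Folders] *****
Folder Deleted : C:\Program Files\Conduit
***** [Registry] *****
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2438727
***** [internet Browsers] *****
-\\ Mozilla Firefox v16.0.2 (en-US)
Deleted : user_pref("browser.search.defaultenginename", "MyStart Search");
"""


def parse_adwcleaner_log(text):
    """Return {section: [(kind, item), ...]} for every removal line in the log."""
    findings = defaultdict(list)
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group("name").lower()   # e.g. "registry"
        elif m := ACTION_RE.match(line):
            findings[section].append((m.group("what"), m.group("path")))
        elif m := PREF_RE.match(line):
            findings[section].append(("Pref", f'{m.group("pref")}={m.group("value")}'))
    return dict(findings)


def search_hijack_findings(findings):
    """Subset of findings that touched search-provider settings."""
    return [(kind, item) for items in findings.values() for kind, item in items
            if any(marker in item for marker in SEARCH_HIJACK_MARKERS)]
```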

Looks like you're clean, how is it? Any difference?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC


I still get occasional redirect attempts.

Security Check results:

Results of screen317's Security Check version 0.99.54

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Microsoft Security Essentials

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 7 Update 9

Adobe Flash Player 11.4.402.287

Adobe Reader X (10.1.4)

Mozilla Firefox (16.0.2)

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials MSMpEng.exe

Microsoft Security Essentials msseces.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 8%

````````````````````End of Log``````````````````````


Okay Mr.C ... since I will be on my own for this one, and "I know not what I do", lol, I need to do some research on how to go about getting this done; the right way. It may take me a day or two depending on "when I can get access to reset the laptop".

I am not looking forward to this so I hope it is easier to do than my worried old mind is leading me to believe it will be. :(

I'll get back with you as soon as possible. :D


Hello. I reset the router. THAT was not quite as terrible as I thought it would be, lol ! I also reset ALL router info, passkeys etc. However, I am still getting redirect attempts.

Have you ever lost power in the house?

If so, when it came back on did you computer work and were you able to get back on line?

Yes, I have lost power numerous times. I am rural and it is a normal occurrence around here. When power comes back on the router always worked and always had a connection so long as the cable co was not down.

Sorry it took so long to get back on here ... cable was down nearly all day yesterday.


No, losing power doesn't reset the router to default, thank goodness!

Using FF and it is just redirect "attempts", FF is blocking them.

As I said before, I can never find out where it is attempting to redirect to because it lands me on the page I should be on ... at least so far as I can tell it looks right. But on some pages FF says it blocks redirect attempts, and even when that option was turned off it still looked as if it was taking me to the correct page (just showing a lot of different activity in the area where it shows what the page is doing, bottom left of browser), so I don't know if the whole site was fraudulent or if it is simply nothing to worry about at all. I am very confused by all this. Sorry if I am not explaining any of this efficiently.


Firefox is blocking redirect attempts

https://support.mozi...uestions/874903

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Does it happen when you run FF in safe mode?

http://support.mozil...to-fix-problems

~~~~~~~~~~~~~~~~~~~

Next......

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

~~~~~~~~~~~~~~~~~

Last...............

Please do this............

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassoci...T-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC (I will be away from the forum from about 10am to 3-4pm)
