Firefox Redirects to Bogus Site when Using Google Search

UncleSlam · #1 9th Mar 2009, 10:13

Hi Everyone,

I am getting redirected to sites such as clickfraudmanager.com about every third search result clicked when I do a google search. This is only happening with firefox and not in IE. I already unistalled/reinstalled to latest firefox. Tried to fix it with SDfix.exe and fixwareout.exe, no luck though.

I had a few nasty trojans I seemed to have cleaned up recently - they no longer show up in Malwarebytes, Spybot S&D or AVG scans. This is the last thing (i hope) infecting my XP SP3 box.

Thanks for any suggestions,
Mark

**evilfantasy** · #2 9th Mar 2009, 10:24

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

UncleSlam · #3 9th Mar 2009, 13:06

Thanks for the response.

ComboFix 09-03-06.02 - Mark 2009-03-09 15:00:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1436 [GMT -5:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\init32.exe
c:\windows\system32\x64
.
((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.
2009-03-09 11:44 . 2009-03-09 11:44 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-03-09 11:42 . 2009-03-09 11:42 <DIR> d-------- c:\windows\ERUNT
2009-03-09 11:29 . 2009-03-09 11:53 <DIR> d-------- C:\SDFix
2009-03-09 10:32 . 2009-03-09 10:38 <DIR> d-------- C:\fixwareout
2009-03-09 01:24 . 2009-03-09 01:24 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-09 00:45 . 2009-03-09 00:45 <DIR> d-------- c:\program files\Windows Installer Clean Up
2009-03-09 00:19 . 2009-03-09 00:20 <DIR> d-------- c:\documents and settings\Administrator.DELL_PC
2009-03-09 00:03 . 2009-03-09 00:03 <DIR> d-------- c:\program files\COMODO
2009-03-09 00:03 . 2009-03-09 00:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
2009-03-09 00:03 . 2009-03-09 00:03 155,384 --a------ c:\windows\system32\guard32.dll
2009-03-09 00:03 . 2009-03-09 00:03 110,992 --a------ c:\windows\system32\drivers\cmdguard.sys
2009-03-09 00:03 . 2009-03-09 00:03 24,336 --a------ c:\windows\system32\drivers\cmdhlp.sys
2009-03-08 16:24 . 2004-08-03 19:56 24,576 --a------ c:\windows\system32\userinit.exe
2009-03-08 15:38 . 2004-08-03 19:56 24,576 --a------ c:\windows\system32\userinit(2).exe
2009-03-05 09:42 . 2009-03-05 09:42 <DIR> d-------- C:\My Music
2009-03-03 23:54 . 2009-03-08 23:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 23:54 . 2009-03-03 23:54 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes
2009-03-03 23:54 . 2009-03-03 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 23:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 23:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 15:00 . 2009-03-09 00:22 664 --a------ c:\windows\system32\d3d9caps.dat
2009-03-03 14:32 . 2007-09-07 17:33 <DIR> d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-03-03 14:32 . 2007-09-07 17:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Roxio
2009-03-03 14:32 . 2007-09-07 17:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-03-03 14:32 . 2007-09-07 17:27 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GTek
2009-03-03 14:32 . 2007-09-13 17:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AOL
2009-03-03 14:32 . 2009-03-03 14:55 <DIR> d-------- c:\documents and settings\Administrator
2009-02-21 19:41 . 2009-02-21 19:47 <DIR> d-------- c:\program files\GTA San Andreas
2009-02-21 19:20 . 2009-02-21 19:23 <DIR> d-------- c:\windows\NV2321292.TMP
2009-02-21 19:17 . 2009-02-21 19:17 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-02-21 19:16 . 2009-02-21 19:16 <DIR> d-------- c:\documents and settings\Mark\Application Data\SystemRequirementsLab
2009-02-13 12:26 . 2009-02-20 11:54 2,634 --a------ c:\windows\CDPlayer.ini
2009-02-12 16:54 . 2009-02-12 16:55 <DIR> d-------- c:\documents and settings\Mark\.SunDownloadManager
2009-02-12 15:45 . 2009-02-12 15:54 <DIR> d-------- c:\program files\mp3DirectCut
2009-02-10 16:18 . 2009-02-10 16:18 <DIR> d-------- c:\program files\QuickTime Alternative
2009-02-10 16:18 . 2009-02-10 16:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-10 16:18 . 2009-01-05 17:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-02-10 16:18 . 2009-01-05 17:18 57,344 --a------ c:\windows\system32\QuickTime.qts
2009-02-10 14:13 . 2009-02-10 14:13 <DIR> d-------- c:\program files\Ratajik Software
2009-02-10 12:22 . 2009-02-10 12:22 <DIR> d-------- c:\program files\MediaMonkey
2009-02-09 14:18 . 2009-02-09 14:18 401,408 --a------ c:\windows\system32\nvcuvid.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-03-09 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-09 14:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-09 06:24 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-09 06:23 --------- d-----w c:\program files\Java
2009-03-09 05:55 --------- d-----w c:\program files\Dell
2009-03-09 05:44 --------- d-----w c:\program files\MSECache
2009-03-09 02:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-05 14:36 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-03-05 14:36 --------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-02-22 00:21 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-22 00:21 --------- d-----w c:\program files\AGEIA Technologies
2009-02-22 00:06 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2009-02-08 15:53 --------- d-----w c:\documents and settings\Mark\Application Data\ZoomBrowser EX
2009-02-08 15:52 --------- d-----w c:\documents and settings\Mark\Application Data\CameraWindowDC
2009-02-05 03:47 --------- d-----w c:\documents and settings\Mark\Application Data\AdobeUM
2009-02-05 02:47 --------- d--h--w c:\documents and settings\Jessica\Application Data\GTek
2009-02-05 02:41 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-05 02:41 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-28 00:25 37,256 ----a-w c:\documents and settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
2009-01-28 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-01-20 00:41 --------- d-----w c:\program files\Steam
2009-01-17 03:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-17 00:24 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-12-26 06:08 453,152 ----a-w c:\windows\system32\nvudisp.exe
2008-12-24 03:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-08-06 14:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080620080 807\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-16 162584]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\I SUSPM.exe" [2006-10-03 221184]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2009-02-09 86016]
"Persistence"="c:\windows\system32\igfxpers.ex e" [2007-07-16 138008]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.e xe" [2001-07-09 155648]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-03-09 1851128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"PMX Daemon"="ICO.EXE" [2007-03-08 c:\windows\system32\ico.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2009-02-09 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-04 21:41 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\session manager]
BootExecute REG_MULTI_SZ lsdelete
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"Macromedia Licensing Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\markmcgaa\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\markmcgaa\\counter-strike\\hl.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \SAGENT4.EXE"=
"c:\\Program Files\\Steam\\steamapps\\markmcgaa\\condition zero deleted scenes\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ratajik Software\\StationRipper\\StationRipperConsole.exe" =
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-28 325128]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-03-09 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-03-09 24336]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-28 298264]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxm ouse.sys [2007-09-13 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxu sblf.sys [2007-09-13 14336]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {FAA26872-BB40-4AB2-8A6D-A49183581AAA} - hxxp://wildmountain.dyndns.org:8080/user/TSBnwCam.CAB
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\jw0hkjhu.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.
************************************************** ************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 15:01:27
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\guard32.dll
- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\guard32.dll
.
Completion time: 2009-03-09 15:02:59
ComboFix-quarantined-files.txt 2009-03-09 20:02:56
ComboFix2.txt 2009-03-09 01:43:20
Pre-Run: 200,616,710,144 bytes free
Post-Run: 200,609,501,184 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Micro soft Windows XP Home Edition" /noexecute=optin /fastdetect
192 --- E O F --- 2009-02-26 07:33:35

**evilfantasy** · #4 9th Mar 2009, 13:27

Can you post the SDFix log also please. You can find it in C:\SDFix\Report.txt

UncleSlam · #5 9th Mar 2009, 17:01

Sure, here's the Sdfix log:

SDFix: Version 1.240
Run by Mark on Mon 03/09/2009 at 11:45 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :

Restoring Default Security Values
Restoring Default Hosts File
Rebooting

Checking Files :
No Trojan Files Found

Removing Temp Files
ADS Check :

Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 11:50:55
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Prog ram Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled: AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Prog ram Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled: AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1189204391\\EE\\AOLServiceHost.exe"="C :\\Program Files\\Common Files\\AOL\\1189204391\\EE\\AOLServiceHost.exe:*:E nabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\ \Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Ena bled:AOL"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avgine t.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgam svr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.ex e"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam Client"
"C:\\Program Files\\Steam\\steamapps\\markmcgaa\\condition zero\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\markmcgaa\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\steamapps\\markmcgaa\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\markmcgaa\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\markmcgaa\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\markmcgaa\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Progra m Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:Re alPlayer"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\ \SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drive rs\\w32x86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
"C:\\Program Files\\Steam\\steamapps\\markmcgaa\\condition zero deleted scenes\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\markmcgaa\\condition zero deleted scenes\\hl.exe:*:Enabled:Half-Life Launcher"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Ratajik Software\\StationRipper\\StationRipperConsole.exe" ="C:\\Program Files\\Ratajik Software\\StationRipper\\StationRipperConsole.exe: *:Enabled:StationRipperConsole"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :

Files with Hidden Attributes :
Wed 4 Aug 2004 60,416 A.SH. --- "C:\i386\msimn.exe"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 16 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 26 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 20 Aug 2005 4,348 A..H. --- "C:\Documents and Settings\Mark\My Documents\My Music\License Backup\drmv1key.bak"
Sat 20 Aug 2005 20 A..H. --- "C:\Documents and Settings\Mark\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 17 Dec 2004 312 A.SH. --- "C:\Documents and Settings\Mark\My Documents\My Music\License Backup\drmv2key.bak"
Tue 28 Feb 2006 26,112 A..H. --- "C:\Documents and Settings\Mark\My Documents\Docs\Work_Files\Lawson\prscrt01\~WRL0004 .tmp"
Wed 4 Feb 2009 8 A..H. --- "C:\Documents and Settings\Jessica\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp "
Wed 4 Feb 2009 8 A..H. --- "C:\Documents and Settings\Jessica\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp "
Wed 4 Feb 2009 8 A..H. --- "C:\Documents and Settings\Jessica\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp "
Wed 4 Feb 2009 8 A..H. --- "C:\Documents and Settings\Jessica\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp "
Thu 13 Sep 2007 8 A..H. --- "C:\Documents and Settings\Mark\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp "
Thu 13 Sep 2007 8 A..H. --- "C:\Documents and Settings\Mark\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp "
Thu 13 Sep 2007 8 A..H. --- "C:\Documents and Settings\Mark\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp "
Thu 13 Sep 2007 8 A..H. --- "C:\Documents and Settings\Mark\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp "
Thu 10 Jul 2003 114,688 A..H. --- "C:\Documents and Settings\Mark\My Documents\Docs\WebSites\Assets\EdMcGaa\NaturesWay\ OldNWy MAtl.doc\Copy of NatWy-03\~WRL4010.tmp"
Finished!

**evilfantasy** · #6 9th Mar 2009, 17:07

I'm still diagnosing, just bear with me.

Kind of a confusing log...

Scan Suspicious File(s)

Please go to VirusTotal.com
(If more than one file needs scanned they must be done separately and logs posted for each one)

1. Copy the file path in the below Code box:

Code:

c:\windows\system32\userinit(2).exe

2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Next click Send File
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
This will perform a scan across multiple different virus scanning engines.
Important: Wait for all of the scanning engines to complete.
5. Copy and then Paste the link to the results in the next reply.

Also please let me know how the computer is acting now.

UncleSlam · #7 9th Mar 2009, 17:08

Hold on, maybe Combofix fixed it. Firefox seems to be acting normal when doing google searches right now. I'll do some extensive surfing tonight and post how it goes.

UncleSlam · #8 9th Mar 2009, 17:17

Firefox is still working (I may have brought this machine back from the dead afterall!).
I did as you suggested anyways:
http://www.virustotal.com/analisis/0...6bce48cd819fa6

I really appreciate your help with this, and hope it keeps working for me.

**evilfantasy** · #9 9th Mar 2009, 17:25

OK I think everything looks OK except this one file we will take care of now.

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:

:Processes
explorer.exe

:files
c:\windows\NV2321292.TMP

:Commands
[purity]
[emptytemp]
[start explorer]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

----------

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:

Delete:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

----------

1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt3 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

When finished exit out of OTMoveIt3

----------

Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

How is everything now?

UncleSlam · #10 9th Mar 2009, 17:45

Did the OTmoveIt, I need to reboot (after this post), then will do as instructed in your last post.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\NV2321292.TMP moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mark\LOCALS~1\Temp\~DF428.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Mark\LOCALS~1\Temp\~DF43F.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_584.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03092009_194227