Page 2 of 2 (results 11 to 16 of 16)
  1. #11
    JohnB151 (Forum Moderator; The Netherlands; joined Mar 2009; 951 posts; 38 points)

    Hi Danny,

    One of the admins said that normally we do not help cleaning corporate/government/military computers as they have their own IT department, and of course because of what I have said already, but because this is a small business I am allowed to choose myself. So I will help you.

    Like I said there is lots to do. There are very clear signs of malware in your HijackThis log, so let's try to take a part down with ComboFix.

    Please visit this webpage for download links, and instructions for running the tool:
    A guide and tutorial on using ComboFix

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti virus program please see this:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Go on with the ComboFix guide; when it opens its log, please post it together with a new HijackThis log.

    Remember that the ComboFix log is saved here: C:\ComboFix.txt

    Regards,
    John.

  2. #12
    Member (joined Jun 2009; 11 posts; 0 points)

    When I attempt to download ComboFix, I get a "realtime alert" that states that Win32/Nircmd.a is detected, and it will not allow the download.

  3. #13
    Member (joined Jun 2009; 11 posts; 0 points)

    I turned off our eTrust antivirus to download ComboFix and followed the instructions. The following is the generated log.

    ComboFix 09-06-09.05 - Danny 06/09/2009 17:04.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1495 [GMT -4:00]
    Running from: c:\documents and settings\Drafter\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Drafter\Application Data\wiaserva.log
    c:\program files\WinBudget
    c:\program files\WinBudget\bin\BudgetControls.dll
    c:\program files\WinBudget\bin\BudgetDocIcon.ico
    c:\program files\WinBudget\bin\BudgetMainWindow.exe
    c:\program files\WinBudget\bin\eSellerateControl350.dll
    c:\program files\WinBudget\bin\eSellerateEngine.dll
    c:\program files\WinBudget\bin\Import2.dll
    c:\program files\WinBudget\bin\Interop.ESELLERATECONTROL350Lib.dll
    c:\program files\WinBudget\bin\Interop.Import.dll
    c:\program files\WinBudget\bin\Matrix.dll
    c:\program files\WinBudget\bin\MenuExtender.dll
    c:\program files\WinBudget\Budget License - Windows.rtf
    c:\program files\WinBudget\Help\ATM.html
    c:\program files\WinBudget\Help\Balance.html
    c:\program files\WinBudget\Help\Bank_Accounts.html
    c:\program files\WinBudget\Help\Calendar.html
    c:\program files\WinBudget\Help\Cancel.html
    c:\program files\WinBudget\Help\Cash.html
    c:\program files\WinBudget\Help\Charge.html
    c:\program files\WinBudget\Help\Check_Register.html
    c:\program files\WinBudget\Help\Concept.html
    c:\program files\WinBudget\Help\Credit.html
    c:\program files\WinBudget\Help\Define_Pay.html
    c:\program files\WinBudget\Help\Delete_Envelopes.html
    c:\program files\WinBudget\Help\Delete_Transaction.html
    c:\program files\WinBudget\Help\Editor.html
    c:\program files\WinBudget\Help\Envelopes.html
    c:\program files\WinBudget\Help\Error.html
    c:\program files\WinBudget\Help\Format.html
    c:\program files\WinBudget\Help\Group_Envelopes.html
    c:\program files\WinBudget\Help\HelpInfo.html
    c:\program files\WinBudget\Help\History.html
    c:\program files\WinBudget\Help\images\ATM.gif
    c:\program files\WinBudget\Help\images\Balance.gif
    c:\program files\WinBudget\Help\images\BankAccount1.gif
    c:\program files\WinBudget\Help\images\BankAccount2.gif
    c:\program files\WinBudget\Help\images\BankAccount3.gif
    c:\program files\WinBudget\Help\images\BankAccount4.gif
    c:\program files\WinBudget\Help\images\BudgetMain.gif
    c:\program files\WinBudget\Help\images\BudgetMainMulti.gif
    c:\program files\WinBudget\Help\images\Calendar.gif
    c:\program files\WinBudget\Help\images\Charge.gif
    c:\program files\WinBudget\Help\images\Charge_Multi.gif
    c:\program files\WinBudget\Help\images\Check.gif
    c:\program files\WinBudget\Help\images\checkerboard.gif
    c:\program files\WinBudget\Help\images\CheckPrintSetup.gif
    c:\program files\WinBudget\Help\images\CheckSelectingAccount.gif
    c:\program files\WinBudget\Help\images\CreditCheck.gif
    c:\program files\WinBudget\Help\images\Deposit.gif
    c:\program files\WinBudget\Help\images\EnvelopeAppearance.gif
    c:\program files\WinBudget\Help\images\EnvelopeDelete.gif
    c:\program files\WinBudget\Help\images\EnvelopeInfo.gif
    c:\program files\WinBudget\Help\images\EnvelopePaySetup.gif
    c:\program files\WinBudget\Help\images\GroupEnv1.gif
    c:\program files\WinBudget\Help\images\GroupEnv2.gif
    c:\program files\WinBudget\Help\images\History.gif
    c:\program files\WinBudget\Help\images\MultiCheck.gif
    c:\program files\WinBudget\Help\images\MultiDeposit.gif
    c:\program files\WinBudget\Help\images\PayRecord.gif
    c:\program files\WinBudget\Help\images\PaySourcesEditAccount.gif
    c:\program files\WinBudget\Help\images\PaySourcesEditFreq.gif
    c:\program files\WinBudget\Help\images\PaySourcesEditName.gif
    c:\program files\WinBudget\Help\images\PrefsIcons.gif
    c:\program files\WinBudget\Help\images\Registration.gif
    c:\program files\WinBudget\Help\images\Reminder.gif
    c:\program files\WinBudget\Help\images\Reports.gif
    c:\program files\WinBudget\Help\images\spacer.gif
    c:\program files\WinBudget\Help\images\Transfer.gif
    c:\program files\WinBudget\Help\images\TransferAvail.gif
    c:\program files\WinBudget\Help\index.html
    c:\program files\WinBudget\Help\Keep.html
    c:\program files\WinBudget\Help\Make_Deposit.html
    c:\program files\WinBudget\Help\Move_Accounts.html
    c:\program files\WinBudget\Help\Move_Envelopes.html
    c:\program files\WinBudget\Help\Multi.html
    c:\program files\WinBudget\Help\MultiCheck.html
    c:\program files\WinBudget\Help\Multiple_Accounts.html
    c:\program files\WinBudget\Help\Pay_Entry.html
    c:\program files\WinBudget\Help\Pref.html
    c:\program files\WinBudget\Help\Print_Check.html
    c:\program files\WinBudget\Help\Register.html
    c:\program files\WinBudget\Help\Reminder.html
    c:\program files\WinBudget\Help\Reports.html
    c:\program files\WinBudget\Help\Save_Backup.html
    c:\program files\WinBudget\Help\Saving.html
    c:\program files\WinBudget\Help\Shortcuts.html
    c:\program files\WinBudget\Help\Standard_Data_Entry.html
    c:\program files\WinBudget\Help\Started.html
    c:\program files\WinBudget\Help\StartedCredit.html
    c:\program files\WinBudget\Help\TableAmounts.html
    c:\program files\WinBudget\Help\ToDo.html
    c:\program files\WinBudget\Help\Transfer.html
    c:\program files\WinBudget\Help\Variable_Pay.html
    c:\program files\WinBudget\Help\Write_Check.html
    c:\program files\WinBudget\Help\Write_CreditCheck.html
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Info.plist
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\contents.xml
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon01.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon02.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon03.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon04.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon05.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon06.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon07.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon08.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon09.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon10.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon11.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon12.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon13.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon14.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon15.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon16.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon17.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon18.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon19.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon20.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon21.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon22.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon23.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon24.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon25.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon26.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon27.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon28.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon29.png
    c:\program files\WinBudget\plugins\Built In Icons (B&W).budgeticons\Contents\Resources\Icon30.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Info.plist
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\contents.xml
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon01.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon02.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon03.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon04.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon05.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon06.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon07.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon08.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon09.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon10.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon11.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon12.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon13.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon14.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon15.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon16.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon17.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon18.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon19.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon20.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon21.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon22.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon23.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon24.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon25.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon26.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon27.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon28.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon29.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Icon30.png
    c:\program files\WinBudget\plugins\Built in Icons (Color).budgeticons\Contents\Resources\Snowflake.tiff
    c:\windows\9129837.exe
    c:\windows\9g2234wesdf3dfgjf23
    c:\windows\Downloaded Program Files\Quarantine
    c:\windows\pp10.exe
    c:\windows\sonce122730.dat
    c:\windows\system\oeminfo.ini
    c:\windows\system32\drivers\svchost.exe
    c:\windows\system32\eoubinkr.ini
    c:\windows\system32\F1
    c:\windows\system32\F2
    c:\windows\system32\F2\mwspasrt83122.exe
    c:\windows\system32\F3
    c:\windows\system32\F4
    c:\windows\system32\F5
    c:\windows\system32\llkkj.bak1
    c:\windows\system32\lowsec
    c:\windows\system32\lowsec\local.ds
    c:\windows\system32\lowsec\user.ds
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\nndtfpec.ini
    c:\windows\system32\rjgqbsti.ini
    c:\windows\system32\setup.ini
    c:\windows\system32\SYSDLL.exe
    c:\windows\system32\tmp.reg
    c:\windows\system32\tnabfmje.ini
    c:\windows\system32\wbem\proquota.exe
    c:\windows\system32\xgdyjklh.ini

    c:\windows\system32\proquota.exe . . . is missing!!

    .
    ((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
    .

    2009-06-09 21:09 . 2009-06-09 21:09 2 ---h--w- c:\windows\ro122366.dat
    2009-06-08 12:16 . 2009-06-08 12:16 1 ----a-w- c:\windows\system32\q1.dat
    2009-06-08 12:16 . 2009-06-08 12:16 1 ----a-w- c:\windows\system32\idm.dat
    2009-06-08 12:16 . 2009-06-08 12:16 1 ----a-w- c:\windows\system32\c2d.dat
    2009-06-08 12:13 . 2009-06-08 12:13 30208 ----a-w- c:\windows\system32\xdpod32.dll
    2009-06-05 00:32 . 2009-06-05 00:32 -------- d-sh--w- c:\documents and settings\Drafter\IECompatCache
    2009-06-05 00:31 . 2009-06-05 00:31 -------- d-sh--w- c:\documents and settings\Drafter\PrivacIE
    2009-06-05 00:25 . 2009-06-05 00:25 -------- d-sh--w- c:\documents and settings\Drafter\IETldCache
    2009-06-05 00:24 . 2009-06-05 00:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2009-06-05 00:19 . 2009-06-05 00:21 -------- dc-h--w- c:\windows\ie8
    2009-06-03 15:38 . 2009-06-03 15:39 -------- d-----w- C:\ROD
    2009-05-11 00:10 . 2009-05-11 00:10 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-09 21:09 . 2009-04-01 15:43 117760 ----a-w- c:\documents and settings\Drafter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-06-09 21:09 . 2009-06-09 21:09 2 ---h--w- c:\windows\ro122381.dat
    2009-06-09 21:09 . 2009-06-09 21:09 0 ----a-w- c:\windows\run_1244600253.exe
    2009-06-09 21:09 . 2009-06-09 21:09 0 ----a-w- c:\windows\run_1244581824.exe
    2009-06-09 21:09 . 2009-06-09 21:09 15360 ---h--w- c:\windows\ld08.exe
    2009-06-09 20:14 . 2007-05-22 12:58 -------- d-----w- c:\program files\AutoCAD Civil 3D 2008
    2009-06-09 18:51 . 2006-10-28 18:52 -------- d-----w- c:\documents and settings\Drafter\Application Data\AdobeUM
    2009-06-09 12:22 . 2007-07-01 20:30 -------- d-----w- c:\program files\LogMeIn
    2009-06-04 18:41 . 2007-07-09 21:25 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-05-19 13:50 . 2006-10-28 19:22 -------- d-----w- c:\program files\Icpr3
    2009-05-12 14:53 . 2006-10-28 18:52 -------- d-----w- c:\documents and settings\Drafter\Application Data\AdobeAUM
    2009-05-11 01:20 . 2004-09-10 23:25 171520 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-24 18:19 . 2006-10-28 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
    2009-04-03 17:35 . 2005-09-01 11:58 171520 ----a-w- c:\documents and settings\Drafter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-04-03 16:28 . 2009-04-03 16:10 853860607 ----a-w- c:\program files\ADBEPHSPCS4_LS1.7z
    2009-04-03 16:10 . 2009-04-03 16:10 1228240 ----a-w- c:\program files\ADBEPHSPCS4_LS1.exe
    1997-06-23 16:06 . 1997-06-23 16:06 287504 --sha-w- c:\windows\system32\Msxbse35.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-04 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-01-29 77824]
    "HaestadFastStart"="c:\program files\Common Files\Haestad\HaestadFastStart.exe" [2004-10-19 77824]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-12 7311360]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "sysldtray"="c:\windows\ld08.exe" [2009-06-09 15360]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-04-12 1519616]

    c:\documents and settings\Drafter\Start Menu\Programs\Startup\
    imiupd32.exe [2004-8-4 31232]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "EnableProfileQuota"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-20 12:09 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [4/17/2007 2:00 PM 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [7/1/2007 4:30 PM 47640]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-02 c:\windows\Tasks\Friday.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 12:00]

    2009-05-10 c:\windows\Tasks\Full bkup.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 12:00]

    2009-05-12 c:\windows\Tasks\Monday.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 12:00]

    2008-12-07 c:\windows\Tasks\Saturday-System.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 12:00]

    2009-05-15 c:\windows\Tasks\Thursday.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 12:00]

    2009-04-29 c:\windows\Tasks\Tuesday.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 12:00]

    2009-04-16 c:\windows\Tasks\Wednesday.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 12:00]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Sonic RecordNow! - (no file)
    Notify-dimsntfy - (no file)


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.dell4me.com/myway
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    TCP: {04AB5C18-3FB2-4DB4-98A0-3678C692FD95} = 192.168.1.5,192.168.1.1
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-06-09 17:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\ld08.exe 15360 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(692)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\LMIinit.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'lsass.exe'(748)
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.1830_x-ww_7ae38ccf\comctl32.dll

    - - - - - - - > 'explorer.exe'(2644)
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.1830_x-ww_7ae38ccf\comctl32.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\CA\eTrust Antivirus\InoRpc.exe
    c:\program files\CA\eTrust Antivirus\InoRT.exe
    c:\program files\CA\eTrust Antivirus\InoTask.exe
    c:\program files\LogMeIn\x86\ramaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-06-09 17:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-06-09 21:16
    ComboFix2.txt 2007-07-08 00:19

    Pre-Run: 144,244,527,104 bytes free
    Post-Run: 148,014,456,832 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows xp, Professional" /fastdetect /NoExecute=OptIn

    376 --- E O F --- 2009-06-05 14:22

  4. #14
    Member (joined Jun 2009; 11 posts; 0 points)

    ComboFix seemed to fix my apparent issues. I no longer get redirected and I no longer have pop-ups.

  5. #15
    Member (joined Jun 2009; 11 posts; 0 points)

    John, I spoke too soon. The pop-ups are gone, but the redirect seems to have resurfaced this morning after I rebooted.

    eek!

  6. #16
    JohnB151 (Forum Moderator; The Netherlands; joined Mar 2009; 951 posts; 38 points)

    In your ComboFix log I detected pirated software. For legal reasons we are not allowed, and we also do not want, to help people who downloaded software illegally.

    That is why I have now abandoned this topic. It will also be closed.
