
Solved Google redirect problem [DDS fails], browsers crash

Discussion in 'Malware and Virus Removal Archive' started by Nikolette, 2009/03/22.

  1. 2009/04/01
    Nikolette

    Yes, I did run the GMER the way you instructed.

    ComboFix is running... right now it's installing the Recovery Console... report to follow soon, I hope.
     
  2. 2009/04/01
    Nikolette

    Just now finished!

    ComboFix 09-03-31.01 - Niki 2009-04-01 0:36:29.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.325 [GMT -5:00]
    Running from: c:\documents and settings\Niki\Desktop\C-Fix.exe
    AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated)
    FW: Norton 360 Premier Edition *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\a3kebook.ini
    c:\windows\akebook.ini
    c:\windows\ANS2000.INI
    c:\windows\system32\bszip.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_RKHIT


    ((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
    .

    2009-03-29 00:30 . 2009-03-29 00:31 <DIR> d-------- c:\documents and settings\Niki\DoctorWeb
    2009-03-28 17:15 . 2009-03-28 17:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2009-03-27 21:57 . 2009-03-27 21:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Ipswitch
    2009-03-23 22:05 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2009-03-23 22:04 . 2009-03-23 22:04 <DIR> d-------- c:\program files\Panda Security
    2009-03-22 16:25 . 2009-03-22 16:25 <DIR> d-------- C:\rsit
    2009-03-22 02:24 . 2009-03-22 02:26 <DIR> d-------- c:\program files\Windows Live Safety Center
    2009-03-22 02:12 . 2009-03-22 02:12 <DIR> d-------- c:\program files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-01 05:48 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-03-28 21:33 --------- d-----w c:\program files\Common Files\Adobe
    2009-03-25 04:29 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-03-22 19:10 --------- d-----w c:\documents and settings\Niki\Application Data\Apple Computer
    2009-03-02 06:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-03-01 07:05 --------- d--h--w c:\documents and settings\Niki\Application Data\Move Networks
    2009-02-20 03:32 110,760 ----a-w c:\documents and settings\Niki\Application Data\GDIPFONTCACHEV1.DAT
    2009-02-19 17:31 96,560 ----a-w c:\windows\system32\drivers\symfw.sys
    2009-02-19 17:31 9,844 ----a-w c:\windows\system32\drivers\SymRedir.cat
    2009-02-19 17:31 41,008 ----a-w c:\windows\system32\drivers\symndisv.sys
    2009-02-19 17:31 38,576 ----a-w c:\windows\system32\drivers\symids.sys
    2009-02-19 17:31 37,424 ----a-w c:\windows\system32\drivers\symndis.sys
    2009-02-19 17:31 31,280 ----a-w c:\windows\system32\drivers\SymIM.sys
    2009-02-19 17:31 22,320 ----a-w c:\windows\system32\drivers\symredrv.sys
    2009-02-19 17:31 184,496 ----a-w c:\windows\system32\drivers\symtdi.sys
    2009-02-19 17:31 13,616 ----a-w c:\windows\system32\drivers\symdns.sys
    2009-02-19 17:31 1,611 ----a-w c:\windows\system32\drivers\SymRedir.inf
    2009-02-18 04:32 --------- d-----w c:\program files\Safari
    2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-01-12 05:34 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
    2009-01-12 05:11 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
    2009-01-06 04:16 32,549 ----a-w c:\windows\king-uninstall.exe
    2008-12-30 06:34 952 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
    2007-01-14 19:17 92,064 -c--a-w c:\documents and settings\Niki\mqdmmdm.sys
    2007-01-14 19:17 9,232 -c--a-w c:\documents and settings\Niki\mqdmmdfl.sys
    2007-01-14 19:17 79,328 -c--a-w c:\documents and settings\Niki\mqdmserd.sys
    2007-01-14 19:17 66,656 -c--a-w c:\documents and settings\Niki\mqdmbus.sys
    2007-01-14 19:17 6,208 -c--a-w c:\documents and settings\Niki\mqdmcmnt.sys
    2007-01-14 19:17 5,936 -c--a-w c:\documents and settings\Niki\mqdmwhnt.sys
    2007-01-14 19:17 4,048 -c--a-w c:\documents and settings\Niki\mqdmcr.sys
    2007-01-14 19:17 25,600 -c--a-w c:\documents and settings\Niki\usbsermptxp.sys
    2007-01-14 19:17 22,768 -c--a-w c:\documents and settings\Niki\usbsermpt.sys
    2007-01-13 21:45 774,144 -c--a-w c:\program files\RngInterstitial.dll
    2008-06-30 18:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-07-09 1189376]
    "TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-07-09 394240]
    "TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-07-09 1931264]
    "AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-06-03 50528]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-23 26112]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
    "FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2008-04-18 520192]
    "AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
    "HostManager"="c:\program files\Common Files\AOL\1174444274\ee\AOLSoftware.exe" [2008-06-24 41824]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
    "Adobe Version Cue CS2"="c:\program files\AdobeCS2\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "medicsp2"="c:\program files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 198184]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "bacstray"="c:\program files\Broadcom\BACS\\BacsTray.exe" [2004-08-18 118784]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
    "StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "Corel File Shell Monitor"="c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe" [2008-07-09 37888]
    "Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-08 532808]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]

    c:\documents and settings\Niki\Start Menu\Programs\Startup\
    AutoBackup Launcher.lnk - c:\program files\Seagate\AutoBackup\MemeoLauncher.exe [2008-01-14 95456]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-12-17 25214]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-23 24576]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-09-30 485208]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
    Snagit 9.lnk - c:\program files\TechSmith\SnagIt 9\Snagit32.exe [2009-01-22 7225672]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-09-03 118784]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 17:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MSVideo"=CSvidcap.dll
    "vidc.3IV2"=3ivxVfWCodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1174444274\\ee\\aolsoftware.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AdobeCS2\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "c:\\Program Files\\AOL 9.1\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\ICQ6.5\\ICQ.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-23 28544]
    R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2007-09-05 24635]
    R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-12-29 57344]
    R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 149352]
    R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2008-01-08 202280]
    R2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [2007-07-18 157000]
    R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2008-07-09 868864]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
    S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-12-25 29952]
    S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-12-25 41856]
    S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-12-25 39936]
    S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-12-25 59520]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.rr.com/browsers/redirect/?b=RRHSO_BLD1&CMP=OTC-RRHSO_BLD1HPRR&d=homerr
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Niki\Application Data\Mozilla\Firefox\Profiles\2421wmze.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
    FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
    FF - plugin: c:\documents and settings\Niki\Application Data\Mozilla\Firefox\Profiles\2421wmze.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-01 00:46:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1484)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
    c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
    c:\windows\system32\PSIService.exe
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\wanmpsvc.exe
    c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Apoint\ApntEx.exe
    c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
    c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    c:\program files\Broadcom\BACS\BacsTray.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\AOL 9.1\waol.exe
    c:\program files\TechSmith\SnagIt 9\TscHelp.exe
    c:\program files\TechSmith\SnagIt 9\SnagPriv.exe
    c:\program files\TechSmith\SnagIt 9\SnagitEditor.exe
    c:\program files\Seagate\AutoBackup\MemeoBackup.exe
    c:\program files\Java\jre6\bin\jucheck.exe
    c:\program files\AOL 9.1\shellmon.exe
    c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
    .
    **************************************************************************
    .
    Completion time: 2009-04-01 1:00:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-01 05:59:17

    Pre-Run: 40,516,489,216 bytes free
    Post-Run: 40,445,100,032 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Windows XP Media Center Edition" /noexecute=optin /fastdetect

    266 --- E O F --- 2009-03-31 05:19:06
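The ComboFix log above records the state of the machine's own defences next to its autorun list: Security Center monitoring switched off for the Symantec products (`DisableMonitoring=1`), the Windows Firewall off in the standard profile (`EnableFirewall = 0`), and Norton itself disabled for the run. Those are the lines a helper reads first, because malware that wants to stay resident turns the same switches and adds itself to the same `Run` keys. The script below is an added example, not part of the thread and not ComboFix's own code: it parses the `Reg Loading Points` section of such a log and flags autorun entries whose image lives outside the usual program directories together with any defence-weakening settings. The sample is an excerpt constructed from the posted log; the `Updater` entry under the user's Temp folder was not in Niki's log and is a constructed addition so that the autorun check has something to flag.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not from the thread or from ComboFix. It parses the
REGEDIT4-style dump ComboFix prints and reports two kinds of finding:
autorun entries whose image lives outside the usual program directories,
and settings that switch the machine's own defences off (Security Center
monitoring, the Windows Firewall).
"""
import re
from typing import Dict, List

# Excerpt constructed from the log posted in the thread. The "Updater"
# entry under the user's Temp folder is NOT in the posted log; it is a
# constructed line added only so the autorun check has something to flag.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-06-03 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 8192]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"Updater"="c:\documents and settings\Niki\Local Settings\Temp\upd.exe" [2009-03-20 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Value names are stripped because forum software sometimes inserts a
# space before the closing quote ("MSMSGS "=), as in the posted copy.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
IMAGE_RE = re.compile(r'^"(?P<path>[^"]+)"')

# Autorun images under these prefixes are the norm on an XP box; anything
# else (a user profile, Temp, a missing file) deserves a look.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def parse_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {value name: raw value}} from the dump."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m["name"].strip()] = m["value"].strip()
    return entries


def triage(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag suspicious autoruns and disabled defences; one line per finding."""
    findings: List[str] = []
    for key, values in entries.items():
        lkey = key.lower()
        if lkey.endswith("\\currentversion\\run"):
            for name, value in values.items():
                m = IMAGE_RE.match(value)
                path = (m["path"] if m else value).lower()
                if "(no file)" in path or not path.startswith(EXPECTED_PREFIXES):
                    findings.append(f"autorun outside program dirs: {key}\\{name} -> {path}")
        elif "\\security center\\monitoring" in lkey:
            if values.get("DisableMonitoring", "").endswith("00000001"):
                findings.append(f"Security Center monitoring disabled: {key}")
        elif lkey.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(f"Windows Firewall off in standard profile: {key}")
    return findings


def run(text: str = SAMPLE_LOG) -> List[str]:
    """Parse and triage one log; returns the list of findings."""
    return triage(parse_loading_points(text))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The flags are prompts to verify, not verdicts. Third-party suites such as Norton write `DisableMonitoring` under their own Security Center subkeys so that Windows stops reporting on them, and `EnableFirewall = 0` is normal when a third-party firewall has taken over from the Windows one, so on this machine those two findings are expected. An autorun that points into a profile or Temp directory, by contrast, almost always deserves a closer look.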
     


  4. 2009/04/01
    Ried

    Hi Niki,

    Looking good.

    It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

    **Vista users - right click on the IE icon and run as administrator

    Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    1. Click Accept, when prompted to download and install the program files and database of malware definitions.


    2. To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan

    3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View scan report at the bottom.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
     
  5. 2009/04/01
    Nikolette

    Bad news, Ried.

    My husband just called and said the Kaspersky program crashed in the middle of scanning. So he read me the info (as best as he could).

    Scanning process.exe

    Scanning process.exe has encountered a problem and needs to close. We are sorry for the inconvenience. If you are in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous. To see what data this error report contains, click here.

    Click here reports = Error signature
    event type: bex p1:scanningprocess.exe p2:f.0.1.86 p3: 47584f5e
    p4: mdb.ppl p5: 6.0.2.678 p6: 45ffbfca p7: 00004f6
    p8: c0000409 p9: 00000000
    Reporting details:
    This error report includes:
    Information regarding the condition of scanning process.exe when the problem occurred, the operating system version and computer hardware in use and the internet protocol (IP) address of your computer.

    Technical Information:
    error report contents:
    The following files will be \WERa32f.dir00\scanningprocess.exe.mdmp
    \WERa32f.dir00\appcompat.txt


    Thanks.

    Niki
     
  6. 2009/04/01
    Ried

    Was Symantec AV disabled while you were running the online scan? If not, be sure to disable it, then try again.

    If Symantec was disabled, then perform an online scan with Panda ActiveScan
    • Click on Scan Your PC Now
    • A "pop up" window will appear, or a new tab will open.
    • Click on Register
    • Choose the option you like most, but we recommend the Free Registration.
    • Click on Register
    • Enter your e-mail address, and create a password.
    • Select "I do not want to receive any type of information" (unless you want to receive such information).
    • Click on Send
    • Confirm registration, and continue by entering your user name and password, then click on Enter
    • Select Full Scan, then Click on Scan Now
    • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
    • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
    • Please ignore the offer to buy the program. Click on Export To
    • Export the log and save it to your desktop.
    • Post the results in your next reply.

    * Turn off the real time scanner of any existing antivirus program while performing the online scan
     
  7. 2009/04/01
    Nikolette

    Yes, both Norton AV and FW were disabled before I ran the scan. I will do the Panda thing if I ever get home tonight. ;)
     
  8. 2009/04/02
    Nikolette

    Here is the log:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-04-02 07:51:41
    PROTECTIONS: 1
    MALWARE: 17
    SUSPECTS: 4
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Norton 360 Premier Edition 2007 No Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00039204 adware/cws Adware No 0 Yes No c:\documents and settings\niki\favorites\health
    00046761 adware/xupiter Adware No 0 Yes No c:\documents and settings\niki\favorites\free stuff
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Niki\Cookies\niki@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Niki\Cookies\niki@atdmt[2].txt
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Niki\Cookies\niki@247realmedia[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Niki\Cookies\niki@tribalfusion[1].txt
    00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Niki\Cookies\niki@7search[2].txt
    00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\Don\Cookies\don@findwhat[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Niki\Cookies\niki@ad.yieldmanager[1].txt
    00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Niki\Cookies\niki@server.iad.liveperson[2].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Niki\Cookies\niki@advertising[2].txt
    00170532 Cookie/Admotion TrackingCookie No 0 Yes No C:\Documents and Settings\Don\Cookies\don@admotion.com[1].txt
    00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Niki\Cookies\niki@adrevolver[2].txt
    00199982 Cookie/Buydomains TrackingCookie No 0 Yes No C:\Documents and Settings\Don\Cookies\don@www47.buydomains[1].txt
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Don\Cookies\don@target[1].txt
    02164907 Generic Malware Virus/Trojan No 0 Yes Yes C:\Program Files\DIGStream\digstream.exe
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP664\A0112368.sys
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location 7
    ;===================================================================================================================================================================================
    No C:\Documents and Settings\Niki\Desktop\C-Fix.exe 7
    No C:\Documents and Settings\Niki\DoctorWeb\Quarantine\C-Fix.exe 7
    No C:\Documents and Settings\Niki\DoctorWeb\Quarantine\CobbmboFix.exe 7
    No E:\Memeo\Laptop Backup\C_\Documents and Settings\Niki\Desktop\C-Fix.exe 7
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description 7
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  9. 2009/04/02
    Ried

    Hi Niki,

    Delete these folders:

    c:\documents and settings\niki\favorites\free stuff
    c:\documents and settings\niki\favorites\health

    Clear those undesirable tracking cookies. Launch IE>Tools>Internet Options

    Under Browsing history>Delete>Cookies


    How is the system behaving?
     
  10. 2009/04/02
    Nikolette

    I am able to Google to Symantec and bleepingcomputers, so that's an improvement!
     
  11. 2009/04/02
    Ried

    Glad to hear that, because your logs are coming up clean now.

    If there aren't any more problems, please continue with these final instructions and helpful links:

    The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


    Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

    ComboFix /u

    ===================================

    To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

    McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

    SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

    =============================

    Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


    Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer


    In light of your recent issue, you will likely find this well written article a good read:

    Think Prevention


    **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

    -----------------------------------------------------

    Follow the list above and the potential for infection will reduce dramatically.

    **Kindly respond one more time and let me know if we may consider this thread resolved.
     
  12. 2009/04/02
    Nikolette

    Hi Ried,

    What about the last two items in my Panda scan?

    02164907 Generic Malware Virus/Trojan No 0 Yes Yes C:\Program Files\DIGStream\digstream.exe
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP664\A0112368.sys

    ***DUH*** Sorry I now understand what you meant about the new restore.

    Do you know how do I clear out my external hard drive so I can start over with a clean backup?

    Also, if I currently have Norton 360, can I run any of the programs you mentioned with it?
     
    Last edited: 2009/04/02
  13. 2009/04/02
    Ried

    C:\System Volume Information\, is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. But--as I mentioned--when you uninstall ComboFix with the combofix /u command, it will clear that and reset your system with a fresh restore point.

    I'm not sure what you mean by clear out external drive. Is Windows installed on it?

    And yes, the tools I gave you will not conflict with Norton 360. They work silently in the background. Spyware Blaster focuses on bad ActiveX controls that try to download on your computer. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database, and list of restricted sites--after you've installed it, launch the program and click on each of the tabs on the main display page.
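Ried's point above, that a hit under `C:\System Volume Information\_restore...` is a cached restore-point copy which stays inert until someone restores it, is one of several distinctions a helper draws when reading the Panda ActiveScan report Niki posted earlier in the thread: tracking cookies are cleared from the browser rather than "removed", a file sitting inside another tool's quarantine folder is already contained, and the `SUSPECTS` entries are all copies of `C-Fix.exe`, the name the ComboFix log shows ComboFix running from, so they are a heuristic reaction to the removal tool itself. The script below is an added example, not from the thread and not Panda's tooling: it parses the `MALWARE` and `SUSPECTS` sections of such a report and assigns each location the action it calls for. The report text is an excerpt constructed from the posted log, and the set of known removal-tool filenames is an assumption made for the example.

```python
"""Sort the hits in a Panda ActiveScan report by the action each one needs.

Added example, not part of the thread or of Panda's tooling. Parses the
MALWARE and SUSPECTS sections of an ActiveScan log and classifies every
location: restore-point cache copies, items already in another tool's
quarantine, tracking cookies, copies of the removal tool itself, copies on
a backup volume, adware bookmark folders, files the scan already
disinfected, and anything else that is still live.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Excerpt constructed from the report posted in the thread (the stray
# trailing "7" on the SUSPECTS lines is reproduced as it appears there).
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;==================================================================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\niki\favorites\health
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Niki\Cookies\niki@atdmt[2].txt
02164907 Generic Malware Virus/Trojan No 0 Yes Yes C:\Program Files\DIGStream\digstream.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP664\A0112368.sys
;==================================================================
SUSPECTS
Sent Location 7
;==================================================================
No C:\Documents and Settings\Niki\Desktop\C-Fix.exe 7
No C:\Documents and Settings\Niki\DoctorWeb\Quarantine\C-Fix.exe 7
No E:\Memeo\Laptop Backup\C_\Documents and Settings\Niki\Desktop\C-Fix.exe 7
;==================================================================
"""

# Assumption for this example: the renamed ComboFix binary the log shows
# running from the desktop, plus ComboFix's default filename.
KNOWN_REMOVAL_TOOLS = {"c-fix.exe", "combofix.exe"}

# Description may contain spaces ("Cookie/Atlas DMT", "Generic Malware"),
# so it is matched lazily and anchored by the Yes/No and severity columns.
MALWARE_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<description>.+?)\s+(?P<kind>\S+)\s+(?:Yes|No)\s+\d+\s+"
    r"(?:Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+)$"
)
# "Sent Location": tolerate the trailing numeric column seen in the log.
SUSPECT_RE = re.compile(r"^(?:Yes|No)\s+(?P<location>.+?)(?:\s+\d+)?$")

ACTIONS = {
    "restore_point": "restore-point cache copy; inert unless restored, flushed when System Restore is reset",
    "quarantined": "already in another tool's quarantine; nothing to do",
    "tracking_cookie": "tracking cookie; clear browser cookies",
    "removal_tool": "heuristic hit on the removal tool itself; not an infection",
    "backup_volume": "copy on a backup volume; re-create the backup from the cleaned system",
    "adware_bookmarks": "adware bookmark folder; delete the folder",
    "disinfected": "disinfected by this scan; confirm on the next scan",
    "live": "live file; verify and remove",
}


class Hit(NamedTuple):
    id: str
    description: str
    kind: str
    disinfected: bool
    location: str


def parse_report(text: str) -> List[Hit]:
    """Return the MALWARE and SUSPECTS rows of an ActiveScan report as Hits."""
    hits: List[Hit] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"):
            section = line
            continue
        if section == "MALWARE":
            m = MALWARE_RE.match(line)
            if m:
                hits.append(Hit(m["id"], m["description"], m["kind"],
                                m["disinfected"] == "Yes", m["location"]))
        elif section == "SUSPECTS":
            m = SUSPECT_RE.match(line)
            if m:
                hits.append(Hit("", "heuristic suspect", "Suspect", False, m["location"]))
    return hits


def classify(hit: Hit) -> str:
    """Map one hit to an ACTIONS key, most specific test first."""
    loc = hit.location.lower()
    filename = loc.rsplit("\\", 1)[-1]
    if "\\system volume information\\_restore" in loc:
        return "restore_point"
    if "\\quarantine\\" in loc:
        return "quarantined"
    if hit.kind == "TrackingCookie":
        return "tracking_cookie"
    if filename in KNOWN_REMOVAL_TOOLS:
        return "removal_tool"
    if not loc.startswith("c:\\"):          # anything off the system volume is a backup copy here
        return "backup_volume"
    if "\\favorites\\" in loc:
        return "adware_bookmarks"
    if hit.disinfected:
        return "disinfected"
    return "live"


def summarize(text: str) -> Dict[str, List[str]]:
    """Group the report's locations by the action they call for."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for hit in parse_report(text):
        grouped[classify(hit)].append(hit.location)
    return dict(grouped)


if __name__ == "__main__":
    for action, locations in summarize(SAMPLE_REPORT).items():
        print(f"{action}: {ACTIONS[action]}")
        for location in locations:
            print(f"  {location}")
```

The order of the tests in `classify` matters: the restore-point and quarantine checks come first because a path inside either is not a live object no matter what it is named, and the removal-tool check comes before the backup-volume check so that a copy of the cleaner on an external drive is reported as what it is. Only the last bucket, `live`, is a call to go and do something on the running system.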
     
  14. 2009/04/02
    Nikolette

    I know a couple of the infected files showed up in my backup file that points to my external hard drive. I thought I should erase the contents and start over with a new backup. Windows is not stored on the external drive.

    I did uninstall Combofix.

    I'll let you know tomorrow how things are. Thank you again for saving me :))
     
  15. 2009/04/02
    Ried

    Since Windows is not installed on E: go ahead and erase it all, and create a fresh backup.

    I'll remain subscribed. Tell me how it works out for you. :)
     
  16. 2009/04/04
    Nikolette

    Ried, things have been great for the last couple of days!

    Thank you very much for all your help.

    Niki
     
  17. 2009/04/04
    Ried

    Great, glad to hear it.

    Take care, and enjoy what's left of the weekend! :)
     
  18. 2009/04/05
    Geri

    Thanks Ried.
    Very nice work.

    Hi Niki
    It's good to have friends that are good at what they do. :)

    Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Malware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    I'll mark this one resolved.

    Surf Safely
    Geri
     
