
Solved Google Redirect & Slow Connection

Discussion in 'Malware and Virus Removal Archive' started by LuckyMoody, 2009/04/20.

  1. 2009/05/02
    LuckyMoody (Inactive Thread Starter; joined 2009/04/20, 28 messages)
    Hi Juliet,

    Yesterday I wasn't able to run the Panda Active Scan, but today I was able to do so. I have three logs for you to check out, the Panda as well as the Virus Total scans of Internet Explorer & avp.id.

    Here's the Panda:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-05-02 14:36:58
    PROTECTIONS: 1
    MALWARE: 33
    SUSPECTS: 3
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@trafficmp[1].txt
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@casalemedia[2].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\Cookies\julie@doubleclick[1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@doubleclick[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\Cookies\julie@atdmt[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@atdmt[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\system@atdmt[1].txt
    00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@tradedoubler[2].txt
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@247realmedia[1].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@fastclick[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@tribalfusion[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\Cookies\julie@tribalfusion[2].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@mediaplex[2].txt
    00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@revenue[2].txt
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@statcounter[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@ad.yieldmanager[1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\Cookies\julie@ad.yieldmanager[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@apmebf[2].txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@serving-sys[1].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@bs.serving-sys[2].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\Cookies\julie@advertising[1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@advertising[1].txt
    00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@statse.webtrendslive[2].txt
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\Cookies\julie@ads.pointroll[1].txt
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@ads.pointroll[1].txt
    00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@overture[1].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@realmedia[2].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@questionmarket[1].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@zedo[1].txt
    00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@adrevolver[2].txt
    00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@searchportal.information[1].txt
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@atwola[1].txt
    00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Julie\Desktop\Flash_Disinfector.zip[Flash_Disinfector.exe][Flash_Disinfector.exe][nircmd.exe]
    02164907 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\DIGStream\digstream.exe
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\ppzzra[1].htm
    04890381 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\A0016042.exe
    04890381 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\A0016041.exe
    04890381 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\A0016040.exe
    05015155 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\lsp[1]_0.exe
    05015155 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\lsp[1].exe
    05022076 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Local Settings\Temp\winlognn.exe
    05035146 Adware/SpywareGuard2008 Adware No 0 Yes No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\ccsuper1[10.htm
    05035146 Adware/SpywareGuard2008 Adware No 0 Yes No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\ccsuper1[1].htm
    05394940 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\InternetExplorer.dll
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location d
    ;===================================================================================================================================================================================
    No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\A0016600.exe d
    No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\A0016601.exe d
    No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\A0016604.exe d
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description d
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    Here is the Internet Explorer dll scan:

    File InternetExplorer.dll received on 05.02.2009 23:53:22 (CET)
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.05.02 -
    AhnLab-V3 5.0.0.2 2009.05.01 -
    AntiVir 7.9.0.160 2009.05.02 PHISH/Fraud.Agent.MC
    Antiy-AVL 2.0.3.1 2009.04.30 -
    Authentium 5.1.2.4 2009.05.02 -
    Avast 4.8.1335.0 2009.05.02 Win32:Trojan-gen {Other}
    AVG 8.5.0.327 2009.05.02 Fake_AntiSpyware.BYL
    BitDefender 7.2 2009.05.02 -
    CAT-QuickHeal 10.00 2009.05.02 FraudTool.Agent.mc (Not a Virus)
    ClamAV 0.94.1 2009.05.02 -
    Comodo 1147 2009.05.02 TrojWare.Win32.PSW.OnlineGames.~CZZ
    DrWeb 4.44.0.09170 2009.05.02 -
    eSafe 7.0.17.0 2009.04.30 -
    eTrust-Vet 31.6.6487 2009.05.02 Win32/FakeAV.APH
    F-Prot 4.4.4.56 2009.05.02 -
    F-Secure 8.0.14470.0 2009.05.02 FraudTool.Win32.Agent.mc
    Fortinet 3.117.0.0 2009.05.02 Misc/Agent
    GData 19 2009.05.02 Win32:Trojan-gen {Other}
    Ikarus T3.1.1.49.0 2009.05.02 -
    K7AntiVirus 7.10.722 2009.05.02 not-a-virus:FraudTool.Win32.Agent.mc
    Kaspersky 7.0.0.125 2009.05.02 not-a-virus:FraudTool.Win32.Agent.mc
    McAfee 5603 2009.05.02 potentially unwanted program Generic PUP
    McAfee+Artemis 5603 2009.05.02 potentially unwanted program Generic PUP
    McAfee-GW-Edition 6.7.6 2009.05.02 -
    Microsoft 1.4602 2009.05.02 Trojan:Win32/FakePlus
    NOD32 4049 2009.05.01 -
    Norman 6.01.05 2009.04.30 -
    nProtect 2009.1.8.0 2009.05.02 -
    Panda 10.0.0.14 2009.05.02 Trj/Downloader.MDW
    PCTools 4.4.2.0 2009.05.02 -
    Prevx1 3.0 2009.05.02 Medium Risk Malware
    Rising 21.27.41.00 2009.05.01 -
    Sophos 4.41.0 2009.05.02 Troj/Fakevir-IL
    Sunbelt 3.2.1858.2 2009.05.02 Trojan-Win32/FakePlus
    Symantec 1.4.4.12 2009.05.02 -
    TheHacker 6.3.4.1.317 2009.05.02 -
    TrendMicro 8.950.0.1092 2009.05.01 TROJ_FAKEVIR.AB
    VBA32 3.12.10.4 2009.05.02 -
    ViRobot 2009.5.1.1717 2009.05.01 -
    VirusBuster 4.6.5.0 2009.05.02 -

    Additional information
    File size: 635392 bytes
    MD5...: 892d3f4d513089b891fc7592ab217bce
    SHA1..: 864fc3f84958fb94ff08f40b864275b9523dc26d
    SHA256: b206e6005506abcdc7e85876c104ae9c586f1fe2b65538a3774ef7e3dd2289bd
    SHA512: 14818656895cea3ece867f26990ac467af52994d59782e51958afe2f3e1f1f6edfa141efedfccf28a68ef929f5da1fab0fa2c0a482f231f1e30508f6bde02393
    ssdeep: 12288:dDwP/V7AnKd58GfOcrruYs/oZvgqX2lLKkN:dDq95dCGlXumg8mP
    PEiD..: -
    TrID..: File type identification
    Win32 Executable Delphi generic (50.1%)
    Win32 Executable Generic

    And here is the avp id scan:

    File avp.id received on 05.03.2009 00:01:39 (CET)
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.05.02 -
    AhnLab-V3 5.0.0.2 2009.05.01 -
    AntiVir 7.9.0.160 2009.05.02 -
    Antiy-AVL 2.0.3.1 2009.04.30 -
    Authentium 5.1.2.4 2009.05.02 -
    Avast 4.8.1335.0 2009.05.02 -
    AVG 8.5.0.327 2009.05.02 -
    BitDefender 7.2 2009.05.02 -
    CAT-QuickHeal 10.00 2009.05.02 -
    ClamAV 0.94.1 2009.05.02 -
    Comodo 1147 2009.05.02 -
    DrWeb 4.44.0.09170 2009.05.02 -
    eSafe 7.0.17.0 2009.04.30 -
    eTrust-Vet 31.6.6487 2009.05.02 -
    F-Prot 4.4.4.56 2009.05.02 -
    F-Secure 8.0.14470.0 2009.05.02 -
    Fortinet 3.117.0.0 2009.05.02 -
    GData 19 2009.05.02 -
    Ikarus T3.1.1.49.0 2009.05.02 -
    K7AntiVirus 7.10.722 2009.05.02 -
    Kaspersky 7.0.0.125 2009.05.02 -
    McAfee 5603 2009.05.02 -
    McAfee+Artemis 5603 2009.05.02 -
    McAfee-GW-Edition 6.7.6 2009.05.02 -
    Microsoft 1.4602 2009.05.02 -
    NOD32 4049 2009.05.01 -
    Norman 6.01.05 2009.04.30 -
    nProtect 2009.1.8.0 2009.05.02 -
    Panda 10.0.0.14 2009.05.02 -
    PCTools 4.4.2.0 2009.05.02 -
    Prevx1 3.0 2009.05.03 -
    Rising 21.27.41.00 2009.05.01 -
    Sophos 4.41.0 2009.05.02 -
    Sunbelt 3.2.1858.2 2009.05.02 -
    Symantec 1.4.4.12 2009.05.02 -
    TheHacker 6.3.4.1.317 2009.05.02 -
    TrendMicro 8.950.0.1092 2009.05.01 -
    VBA32 3.12.10.4 2009.05.02 -
    ViRobot 2009.5.1.1717 2009.05.01 -
    VirusBuster 4.6.5.0 2009.05.02 -

    Additional information
    File size: 5 bytes
    MD5...: 5f722c3055ad1cd5a878a3f4d8f4bcbd
    SHA1..: e012946988f5762e840872f60274d47a785b87f5
    SHA256: 62097da5f0d32b872885611f710056d3a1992ced1a6891844fb43e801c15ef5e
    SHA512: 6dcbb36cf978c53aff2d7ace7a9173e23273223ca65dbc54f8248b2a0018e982331985711432184bcfb1358e16b3272b75b60efff9dfdd8c78bc16bdccdd8d65
    ssdeep: 3:mVV:mn
    PEiD..: -
    TrID..: File type identification
    file seems to be plain text/ASCII (0.0%)
    PEInfo: -
    PDFiD.: -
    RDS...: NSRL Reference Data Set
    -





    I have a feeling you are right about the McAfee slowing my system. Is there another anti-virus that wouldn't have this effect on my computer that you would recommend?
     
    Last edited by a moderator: 2009/05/03
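Reading the two logs in this post by hand means wading through thirty tracking-cookie rows to find the handful of files that matter. The following is an added example (not code from the thread, and not Panda's or VirusTotal's own tooling) that parses both formats: Panda ActiveScan MALWARE rows are bucketed into cookie noise, files another scanner already quarantined, a hacktool packed inside a removal utility's archive (nircmd.exe inside Flash_Disinfector.zip, which the next reply calls a false positive), and live hits ranked with C:\WINDOWS and C:\Program Files first; VirusTotal rows are reduced to a detection ratio plus the names the engines gave. Those bucketing rules and the system-root list are this example's own assumptions, and the sample rows are a subset copied from the logs above.

```python
"""Triage helpers for the two log formats in the post above: Panda ActiveScan
MALWARE rows and VirusTotal engine-result rows.  Added example, not part of
the thread and not Panda's or VirusTotal's own code; the bucketing rules
below are this example's assumptions."""
import re
from collections import Counter

# Panda MALWARE row: Id Description Type Active Severity Disinfectable
# Disinfected Location.  Description can contain spaces, so it is matched
# lazily and pinned by the Yes/No and digit columns that follow it.
PANDA_ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<path>.+)$"
)

# VirusTotal row: Engine Version LastUpdate Result; "-" means no detection.
VT_ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.*)$"
)

# Assumption: a live hit under these roots outranks one in a user profile.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def classify(row):
    """Bucket one Panda hit: tracking-cookie noise, a file another scanner
    already quarantined, a hacktool packed inside a removal utility's
    archive (a likely false positive), or a live file to act on."""
    path = row["path"].lower()
    if row["type"] == "TrackingCookie":
        return "cookie"
    if "\\quarantine\\" in path:
        return "quarantined"
    if row["type"] == "HackTools" and ".zip[" in path:
        return "bundled_tool"
    return "live"


def triage_panda(log_text):
    """Parse MALWARE rows; return bucket counts and the live hits ordered
    system roots first, then by descending Panda severity."""
    rows = []
    for line in log_text.splitlines():
        m = PANDA_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    buckets = Counter(classify(r) for r in rows)
    live = [r for r in rows if classify(r) == "live"]
    live.sort(key=lambda r: (not r["path"].lower().startswith(SYSTEM_ROOTS),
                             -int(r["severity"])))
    return {"parsed": len(rows), "buckets": dict(buckets), "live": live}


def vt_detections(report_text):
    """Return (hits, engines, names) for a VirusTotal result table."""
    hits, engines, names = 0, 0, []
    for line in report_text.splitlines():
        m = VT_ROW.match(line.strip())
        if not m:
            continue
        engines += 1
        result = m["result"].strip()
        if result != "-":
            hits += 1
            names.append(result)
    return hits, engines, names


# Sample rows copied from the logs above (a subset, to keep this short).
PANDA_SAMPLE = r"""
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Cookies\moderncsi@trafficmp[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Julie\Cookies\julie@doubleclick[1].txt
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Julie\Desktop\Flash_Disinfector.zip[Flash_Disinfector.exe][Flash_Disinfector.exe][nircmd.exe]
02164907 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\DIGStream\digstream.exe
04890381 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\A0016042.exe
05015155 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Julie\DoctorWeb\Quarantine\lsp[1].exe
05022076 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Local Settings\Temp\winlognn.exe
05394940 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\InternetExplorer.dll
"""

VT_SAMPLE = """
AntiVir 7.9.0.160 2009.05.02 PHISH/Fraud.Agent.MC
Avast 4.8.1335.0 2009.05.02 Win32:Trojan-gen {Other}
BitDefender 7.2 2009.05.02 -
Kaspersky 7.0.0.125 2009.05.02 not-a-virus:FraudTool.Win32.Agent.mc
McAfee 5603 2009.05.02 potentially unwanted program Generic PUP
Microsoft 1.4602 2009.05.02 Trojan:Win32/FakePlus
Panda 10.0.0.14 2009.05.02 Trj/Downloader.MDW
Symantec 1.4.4.12 2009.05.02 -
"""

if __name__ == "__main__":
    summary = triage_panda(PANDA_SAMPLE)
    print(summary["buckets"])
    for r in summary["live"]:
        print(r["severity"], r["desc"], r["path"])
    hits, engines, names = vt_detections(VT_SAMPLE)
    print(f"VirusTotal: {hits}/{engines} engines flagged it: {names}")
```

Run against the full Panda log above, the live list comes out with C:\WINDOWS\system32\InternetExplorer.dll first (severity 1, under the Windows directory), which is the file the thread goes on to remove; the quarantine and cookie rows drop out of the way. The VirusTotal function makes the point of the next reply visible in one number: McAfee's own VirusTotal row reports a detection while the installed McAfee, listed as active in the Panda PROTECTIONS block, let the file sit in system32.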
  2. 2009/05/03
    Juliet (Well-Known Member; joined 2008/09/15, 976 messages)
    Welcome back

    It's kinda odd that from VirusTotal, when McAfee scans your file, it found it to be infected but the version on your computer didn't. I'd say that's a "hmmmm" moment.
    So in this case you were not protected.

    A couple of items found in the online scan are from the tools loaded onto your computer and are false positives, so no worry there. I'll make sure we cover all bases and that quarantine files do get removed.

    What is the reference to My Documents\ModernCSI
    Is this downloaded reading material?

    I'll be happy to supply you with a list of free Antivirus and Firewalls to install.
    I'll post this at the end.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    (Not a necessary item; will free up resources)

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    (Description: RealPlayer system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    (This is a valid program, but it is not required to run on startup. Not necessary)

    O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
    (This is a valid program, but it is not required to run on startup. Not necessary)

    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    (Description: InstallShield updater - not needed at startup. Removing this may free up system resources.)

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    (Description: Adobe reader startup - unnecessarily uses system resources.)

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    (Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)

    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    (This is a valid program but it is not required to run on startup.)


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Please download OTMoveIt3 by OldTimer and save it to your desktop
    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below. ( Make sure you include :processes )
    Code:
    :Processes
    explorer.exe
    :Files
    C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\ppzzra[1].htm
    C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Local Settings\Temp\winlognn.exe
    C:\WINDOWS\system32\InternetExplorer.dll
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • - Close ALL open windows (especially Internet Explorer!)-
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.


    In your next reply post:
    OTMoveIt log
    New HJT log




    I can give you links to free Antivirus and Firewall programs which are used by very many.
    What you'll probably have to do is experiment somewhat to find one that runs well on your machine.

    Avira

    Avast!
    How to Install, Configure, and Use Avast Antivirus

    AVG Free ,
    Help overview http://free.grisoft.com/doc/5/us/frt/0/num/616#faq_616
    This is a very useful read:
    http://grandstreamdreams.blogspot.com/2008/04/taming-avg-free-version-8.html

    Never install more than one antivirus scanner or firewall on your system

    Free Antivirus With Resident Protection and other related resources.
    http://users.telenet.be/bluepatchy/miekiem...irus%20Scanners
    For paid products, I like NOD32 by Eset and Kaspersky

    You can see some product comparisons here:

    www.av-comparatives.org
    If installing a Firewall please disable the Windows XP Firewall.
    To disable Windows Firewall, follow these steps:
    1. Click Start.
    2. Click Run.
    3. Type Firewall.cpl, and then click OK.
    4. On the General tab, click Off (not recommended).
    5. Click OK.
    ********************

    The following FREE Firewall versions are:
    Zone Alarm free:
    http://www.zonealarm.com/store/content/cat...ry=US&lang=en
    PDF documention for Zone Alarm available here:
    http://www.zonealarm.com/store/content/sup...a/znalmMain.jsp
    If you are going to try Zone Alarm, I suggest installing just the basic firewall so the bundled trial Antivirus does not get installed. Also, I recommend NOT installing the new optional feature Spy Blocker, as it's run by the questionable search engine Ask.com. You can read more about Ask.com at http://www.benedelman.org/spyware/installa...kjeeves-banner/

    Comodo free:
    http://www.personalfirewall.comodo.com/
    If you want only the Firewall, you can de-select Install Comodo AntiVirus during the installation process.
    http://forums.comodo.com/firewall_faq/where_is_the_standalone_firewall-t27112.0.html
    Comodo (uncheck during installation "Install Comodo SafeSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage")

    Sunbelt kerio:
    http://www.sunbelt-software.com/Home-Home-...ewall/Download/
    PDF documentation for Sunbelt Kerio available here:
    http://www.sunbelt-software.com/Home-Home-.../Documentation/

    Online Armor Free
    http://www.tallemu.com/free-firewall-prote...n-software.html

    Jetico free:
    http://www.jetico.com/index.htm#/jpfirewall.htm

    Note: You must only use 1 (one) Firewall at a time, because if you have 2 or more Firewalls running at the same time, they will conflict with each other and make your security less reliable.
    The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

    For a tutorial on Firewalls and a listing of available ones see the link Here
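The O4 entries Juliet picks out above, and the ones in the HijackThis log posted in the next reply, all share one shape: a registry hive and key (or a Startup folder), a value name in brackets, and the command that runs at logon. What a responder actually wants from that list is the program path and a quick flag on where it lives. The following is an added example (not code from the thread, and not HijackThis's own) that parses O4 lines, extracts the executable from quoted commands, trailing arguments and rundll32 invocations, and flags three things: a target HJT could not resolve (the "?" entry), a bare filename that Windows locates through the search path, and a program under the user profile or a Temp folder. The writable-location list is this example's heuristic; the sample lines are copied from the logs in this thread, except the [winlognn] line, which is constructed for the example from the winlognn.exe path in the Panda log (no such O4 entry appears in the posted HJT log).

```python
"""Parse HijackThis O4 (autostart) lines and flag those worth a second look.
Added example, not part of the thread and not HijackThis's own code; the
location heuristic and the one constructed sample line are this example's
assumptions."""
import re

# O4 - HKLM\..\Run: [ValueName] command
O4_REG = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O4 - Global Startup: Shortcut.lnk = target   ("?" when HJT could not resolve it)
O4_LNK = re.compile(
    r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$"
)
# Program path up to the first executable extension followed by whitespace/end.
PROGRAM = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)", re.I)

# Assumption: on XP anything under the user profile or a Temp folder is
# writable by the logged-on user, so an autostart there deserves scrutiny.
WRITABLE_DIRS = ("\\documents and settings\\", "\\temp\\")


def executable(cmd):
    """Pull the program path out of a Run command: honour quotes, drop
    trailing arguments, and for rundll32 return the DLL it loads."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32"):
        rest = cmd.split(None, 1)[1] if " " in cmd else ""
        return rest.split(",", 1)[0].strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    m = PROGRAM.match(cmd)
    return m.group(1) if m else cmd


def review_o4(log_text):
    """One dict per O4 line: value name, resolved program, list of reasons
    (empty when nothing stands out)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip()) or O4_LNK.match(line.strip())
        if not m:
            continue
        exe = executable(m["cmd"])
        reasons = []
        if exe == "?":
            reasons.append("target could not be resolved")
        elif "\\" not in exe:
            reasons.append("bare filename, located through the search path")
        elif any(d in exe.lower() for d in WRITABLE_DIRS):
            reasons.append("runs from a user-writable location")
        entries.append({"name": m["name"], "exe": exe, "reasons": reasons})
    return entries


def suspicious(log_text):
    """Only the entries that earned at least one reason."""
    return [e for e in review_o4(log_text) if e["reasons"]]


# Sample lines copied from the HJT logs in this thread.  The [winlognn] line
# is constructed for this example from the Panda log's winlognn.exe path; it
# does not appear in the posted HJT log.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGui.exe /Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [winlognn] C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Local Settings\Temp\winlognn.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""

if __name__ == "__main__":
    for e in suspicious(HJT_SAMPLE):
        print(f"[{e['name']}] {e['exe']}: {', '.join(e['reasons'])}")
```

The entries Juliet lists for removal (DMXLauncher, RealTray, the Musicmatch and InstallShield launchers) all resolve to C:\Program Files and earn no flag; they are a resource question, not a security one, which is exactly how her post frames them. The flags are a reading aid, not a verdict: stsystra.exe is a vendor tray applet shipped with Dell machines, and an unresolved .lnk can simply be a stale shortcut, so each flagged entry still needs the file checked on disk before it goes into an OTMoveIt script.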
     


  4. 2009/05/03
    LuckyMoody (Inactive Thread Starter; joined 2009/04/20, 28 messages)
    Hi Juliet,

    You asked What is the reference to My Documents\ModernCSI
    Is this downloaded reading material?
    ModernCSI is Modern Construction Services, Inc., my husband's company. He's a general contractor.

    Thanks for the anti-virus & firewall downloads. I think I'll be kicking McAfee to the curb and trying something a little more user friendly.

    Here is the OTMoveIt log:

    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== FILES ==========
    C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\ppzzra[1].htm moved successfully.
    C:\Documents and Settings\Julie\My Documents\ModernCSI\ModernCSI\Local Settings\Temp\winlognn.exe moved successfully.
    C:\WINDOWS\system32\InternetExplorer.dll unregistered successfully.
    C:\WINDOWS\system32\InternetExplorer.dll moved successfully.
    ========== COMMANDS ==========
    File delete failed. C:\DOCUME~1\Julie\LOCALS~1\Temp\JETF72C.tmp scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Julie\LOCALS~1\Temp\~DF767A.tmp scheduled to be deleted on reboot.
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\Julie\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Network Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\mcmsc_hKuxFtKhyTwgaFq scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_IdC0pIi7RNKKWqD scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_VPoBdJAMzpfpBhF scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_yDtXfKnWfYPbqMu scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\mcmsc_YzbzZxDIOE1xtM3 scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_24AJ3QNpBMDZD5P scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_69wHFefnLdYK5xx scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_8IwLEwF07Mtxg5F scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_cCFrhOU3ZoXTyzk scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_eQTsVKLWa7INMCn scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_FtodXJByR17MT0g scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_GhMDkqt8PUwwSyG scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_I92jghN0mmvT9z6 scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_iAO6RTOlXuvV9mb scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_K4u4YM07R5tDb07 scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_OfNlUYPg4cAAbsl scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_OFpqape2IwcDnbJ scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_RJM9923gr70U6fz scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_Si5To8s4hHqRKAs scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_wAhIPoBFhf77IPJ scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_xPgI7yV5t4pQaD0 scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\sqlite_xPhRoWO1UVATHOI scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05032009_160619

    I did reboot.

    Here is an updated HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:55:21 PM, on 5/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\Mcafee\MWL\MwlSvc.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\McAfee\MPS\mps.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
    C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\WINDOWS\system32\dlcjcoms.exe
    C:\Program Files\McAfee\MSK\MskAgent.exe
    C:\Program Files\Mcafee\MWL\MWLGui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    c:\program files\common files\installshield\updateservice\isuspm.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [dlcjmon.exe] "C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe "
    O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 964\memcard.exe "
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
    O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGui.exe /Start
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: MBackMonitor - - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\Program Files\McAfee\MPS\mps.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

    --
    End of file - 9079 bytes


    I don't know if this matters, but I did create the HJT log before I did the OTMoveIt.

    Thanks again for all your time & follow-up.

    J.
     
  5. 2009/05/04
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    My Documents\ModernCSI <--The reason I ask is, it's possible the infection or part of it came through his company's network, or he had used a Flash/USB drive to copy over to this computer?

    Something, and I can't put my finger on it, might have come through connecting to his company.
    A security hole in a router, an infected computer connected to the network; there are several ways something can get in and spread.
    I'm just concerned whichever way could possibly infect your machine again.
    Not really, we were after deletions from the online scan.
    And you're very welcome.


    I think we can start removing tools and scanners from your computer.

    GMER Rootkit Scanner <--you can delete
    ark.txt <--delete this file.



    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
    Example below

    NEXT**
    Next open OTMoveIt, then click on "CleanUp!".
    If you receive a warning from your Firewall please allow...
    In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup + backup folders that were created with the bad files present. They are not needed anymore, so OTMoveIt will delete them.
    Do not edit anything in that Window!
    Don't worry if it displays some tools you didn't download/use.
    Click Yes when it asks to Begin cleanup process.

    Then reboot your computer.



    Lastly, how's the computer before I give you a few preventive tips?
     
  6. 2009/05/04
    LuckyMoody

    LuckyMoody Inactive Thread Starter

    Joined:
    2009/04/20
    Messages:
    28
    Likes Received:
    0
    Hi Juliet,

    I'm puzzled by the reference to the company's network and that it could have an infected computer connected to it. We only have one desktop computer and he also has a laptop, as does my son.
    But it is very possible that an infected Flash/USB drive was used. I certainly don't want this to happen again, so we will remedy that potential problem.

    The tools and scanners have been removed and my computer has been rebooted.

    All is well again and I'm ready for the tips.

    I'm excited to have 'resolved' next to my heading. I keep saying this, but thank you, thank you, thank you. I really can't say it enough.

    J.
     
  7. 2009/05/04
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I thought you meant the computer was networked in from within the home.

    Many people are becoming infected using USB/Flash drives between different computers, actually an outstanding number. Some infections that transfer this way can be very devastating and non-repairable.

    I think we're there, LOL, you are so very welcome.
    You make it easier and a much better experience by saying thank you.




    That's it. You're good to go, good job!

    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 2, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     