HERE'S WHAT I DID: Restarted Windows in "SAFE MODE"
UPDATED AND RAN COMBOFIX while in "SAFE MODE"
Restarted Windows normally...
After this I went to the link and downloaded Adobe Reader and Flash Player without incident. The download worked perfectly.
I will do some surfing and see if the redirects return...
Does this make any sense to you??
Here is the ComboFix log generated IN SAFE MODE:
ComboFix 11-05-04.02 - Administrator 05/04/2011 17:43:59.5.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.372 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
.
.
2011-05-04 21:34 . 2011-05-04 21:34 -------- d-----w- c:\windows\LastGood
2011-05-04 21:34 . 2011-05-04 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2011-05-04 21:34 . 2011-05-04 21:34 -------- d-----w- c:\program files\NOS
2011-05-01 04:22 . 2011-05-01 04:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-04-30 03:04 . 2011-04-30 03:04 -------- d-----w- c:\program files\Common Files\Java
2011-04-30 03:03 . 2011-04-30 03:03 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-29 18:55 . 2011-04-29 18:55 -------- d-----w- c:\program files\SpywareBlaster
2011-04-29 17:17 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-29 17:17 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-29 17:16 . 2011-04-29 17:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-29 04:12 . 2011-04-29 04:12 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-29 04:11 . 2011-04-29 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2011-04-29 02:44 . 2011-04-29 02:44 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-04-06 03:53 . 2011-04-06 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Visan
2011-04-06 03:53 . 2011-04-06 03:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Visan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-30 03:03 . 2010-06-14 23:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-07 05:33 . 2008-03-19 20:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 01:33 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-01_04.08.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-22 00:01 . 2011-05-03 06:54 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-08-22 00:01 . 2011-05-01 03:39 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2011-04-11 21:19 . 2011-04-11 21:19 2871968 c:\windows\Downloaded Program Files\CONFLICT.3\FP_AX_CAB_INSTALLER.exe
+ 2008-05-16 13:10 . 2011-04-18 19:46 42181064 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-29 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-2-8 118784]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 8:00 AM 14336]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NOSGETPLUSHELPER
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-03 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-05-04 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-05-04 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-05-03 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-05-04 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2011-02-15 10:11]
.
2011-05-04 c:\windows\Tasks\User_Feed_Synchronization-{3B4D977E-C19F-430F-9103-FF7C81BB2953}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 17:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-746137067-1960408961-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,be,6c,8f,58,01,7e,4a,b7,40,9a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,55,c8,63,8c,bd,5a,49,82,c9,5e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,be,6c,8f,58,01,7e,4a,b7,40,9a,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,be,6c,8f,58,01,7e,4a,b7,40,9a,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9e,be,6c,8f,58,01,7e,4a,b7,40,9a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(828)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-05-04 17:50:17
ComboFix-quarantined-files.txt 2011-05-04 21:50
ComboFix2.txt 2011-05-03 18:52
ComboFix3.txt 2011-05-01 04:12
ComboFix4.txt 2010-06-18 10:15
.
Pre-Run: 49,982,218,240 bytes free
Post-Run: 49,980,854,272 bytes free
.
- - End Of File - - 11F10FD4CB729D4BCDDFC35111618A4E