Hi and welcome to the Daniweb forums .

==========

Which browser is being re-directed?

I see you have run MBA-M. Please post it's log.

Firefox...i dont use internet explorer so I don't know if that browser is doing it. Malware bytes twice found infected files...since then it has not. I will post both below. (sorry for not getting back to you, working a poll for election day) Thanks!

Malwarebytes' Anti-Malware 1.41
Database version: 3051
Windows 6.0.6002 Service Pack 2

10/29/2009 12:14:32 AM
mbam-log-2009-10-29 (00-14-32).txt

Scan type: Quick Scan
Objects scanned: 99882
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c24d7016-d00f-41ef-9781-984b6b5ff38f} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec88fcd0-2ed5-4d65-9b4c-71d146b43a2e} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e532cfb1-5edd-4663-8c22-bcd67b5e5bd4} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{03cf6531-52e3-3c7d-8162-e0d0fec59f55} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8a3093be-c27a-388e-8c08-74a1d8839941} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bc019a13-ecfe-3c1d-bf57-bb8daaf293d9} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bc019a13-ecfe-3c1d-bf57-bb8daaf293d9} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc019a13-ecfe-3c1d-bf57-bb8daaf293d9} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\D (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\D.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\ConTest.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Sotfone (Trojan.Zlob) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\ConTest.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
C:\Windows\System32\sq82248.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Windows\System32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
C:\Users\Joe\AppData\Local\Temp\0.6244732476470437.exe (Trojan.Buzus) -> Quarantined and deleted successfully.




SECOND RUN WITH INFECTED FILES




Malwarebytes' Anti-Malware 1.41
Database version: 3051
Windows 6.0.6002 Service Pack 2

10/29/2009 8:22:52 AM
mbam-log-2009-10-29 (08-22-52).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|L:\|M:\|)
Objects scanned: 318283
Time elapsed: 1 hour(s), 27 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Joe\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\2432330f-2d858d22 (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\Users\Joe\Documents\SpeedScan_setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Please download jpshortstuff's GooredFix.exe to your Desktop.
-- Make sure all browsers are Closed and then DoubleClick GooredFix.exe to run it.
A dialog box should pop up:
"GooredFix will automatically check for and remove infection. Click Yes to continue or No to exit."
-- Click Yes and allow the tool to run. It should go pretty quickly.
-- Look for GooredFix.txt on your Desktop and post that log for me.

Are you still being re-directed?

GooredFix by jpshortstuff (24.09.09.1)
Log created at 20:47 on 03/11/2009 (Joe)
Firefox version 3.0.15 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
talkback@mozilla.org [22:53 18/02/2008]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:53 18/02/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:36 04/02/2009]

---------- Old Logs ----------
GooredFix[19.55.49_03-11-2009].txt
GooredFix[19.59.13_03-11-2009].txt

-=E.O.F=-







I am still being redirected, but with less frequency

Please download ComboFix by sUBs from HERE or HERE

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

ComboFix 09-11-03.01 - Joe 11/04/2009 0:02.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2039.916 [GMT -5:00]
Running from: c:\users\Joe\Desktop\ComboFix.exe
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-04 05:15 . 2009-11-04 05:15 -------- d-----w- c:\users\Sarah\AppData\Local\temp
2009-11-04 05:15 . 2009-11-04 05:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-03 17:07 . 2009-11-03 17:07 -------- d-----w- c:\program files\Alwil Software
2009-11-03 16:46 . 2009-11-03 16:46 -------- d-----w- c:\program files\CCleaner
2009-11-02 22:26 . 2009-11-02 22:20 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-02 22:20 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-02 22:16 . 2009-11-02 22:16 -------- d-----w- c:\program files\Lavasoft
2009-10-30 21:49 . 2009-10-30 21:49 -------- d-----w- c:\users\Joe\AppData\Roaming\GetRightToGo
2009-10-30 11:57 . 2009-10-30 11:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-30 11:57 . 2009-10-30 11:57 -------- d-----w- c:\users\Joe\AppData\Roaming\SUPERAntiSpyware.com
2009-10-30 11:56 . 2009-10-30 11:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-30 11:51 . 2009-10-30 21:16 -------- d-----w- c:\program files\SpywareBlaster
2009-10-29 04:08 . 2009-10-29 04:08 -------- d-----w- c:\users\Joe\AppData\Roaming\Malwarebytes
2009-10-29 04:08 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 04:08 . 2009-10-29 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 04:08 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 03:58 . 2009-10-29 03:58 1152 ----a-w- c:\windows\system32\windrv.sys
2009-10-29 01:41 . 2009-10-29 01:41 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-28 07:40 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 07:40 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-22 21:13 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-22 21:13 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-22 21:13 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-22 21:12 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-22 21:12 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-22 21:11 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 20:00 . 2009-11-03 20:00 -------- d-----w- c:\program files\Trend Micro
2009-11-03 19:41 . 2008-12-10 20:58 -------- d-----w- c:\program files\Norton Security Scan
2009-11-03 18:39 . 2007-12-08 02:15 -------- d-----w- c:\users\Joe\AppData\Roaming\Spare Backup
2009-10-25 23:48 . 2008-03-12 00:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-22 21:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-22 21:20 . 2007-09-24 19:37 -------- d-----w- c:\program files\Microsoft Works
2009-10-01 14:29 . 2009-10-03 03:34 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-24 14:52 . 2009-02-01 04:58 -------- d-----w- c:\users\Sarah\AppData\Roaming\LimeWire
2009-09-24 14:51 . 2007-12-11 00:21 87096 ----a-w- c:\users\Sarah\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-24 12:09 . 2009-09-22 21:31 -------- d-----w- c:\users\Joe\AppData\Roaming\BitTorrent
2009-09-22 21:30 . 2009-09-22 21:30 -------- d-----w- c:\program files\BitTorrent
2009-09-22 21:30 . 2009-02-10 04:25 -------- d-----w- c:\users\Joe\AppData\Roaming\FrostWire
2009-09-13 17:11 . 2009-04-01 01:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 00:27 . 2009-09-02 23:08 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 23:08 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-22 21:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:22 . 2009-08-27 05:22 10240 ----a-w- c:\windows\system32\ctfmon_gz.exe
2009-08-27 05:17 . 2009-10-22 21:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-22 21:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-22 21:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:27 . 2009-09-10 02:47 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-10 02:47 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-10 02:47 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 02:47 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 02:47 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 02:47 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 02:47 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 02:47 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-10 02:47 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-10 02:47 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-10 02:47 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-07 02:24 . 2009-10-03 03:30 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2009-10-03 03:30 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2009-10-03 03:30 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:23 . 2009-10-03 03:30 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-10-03 03:30 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 01:45 . 2009-10-03 03:30 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-08-07 01:44 . 2009-10-03 03:30 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-08-06 23:23 . 2009-10-03 03:29 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-06 22:44 . 2009-10-03 03:29 33792 ----a-w- c:\windows\system32\wuapp.exe
.

------- Sigcheck -------

[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\ERDNT\cache\atapi.sys
[-] 2009-04-11 06:32 . F51C0023CF40066DD9782BAE451740AA . 19944 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[7] 2008-02-13 . B35CFCEF838382AB6490B321C87EDF17 . 21560 . . [6.0.6000.16632] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[7] 2008-01-19 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Spare Backup"="c:\program files\Spare Backup\SpareBackup.exe" [2007-07-13 5252936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-04-23 4435968]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-04-13 1822720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-04 40072]

c:\users\Sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-1-29 139776]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):01,67,b4,30,a7,0c,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3352549485-4007945283-2351025167-1000]
"EnableNotificationsRef"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [11/2/2009 5:20 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 2:00 AM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\System32\drivers\WUSB54GCx86.sys [3/12/2007 9:12 AM 256000]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]
S3 rt70x86;Belkin Wireless G USB Network Adapter Driver for Vista;c:\windows\System32\drivers\netr70.sys [10/9/2007 4:43 AM 291840]
S3 SaiH0461;SaiH0461;c:\windows\System32\drivers\SaiH0461.sys [4/22/2008 2:35 PM 182528]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMONFLT
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-04-01 13:49]

2009-10-30 c:\windows\Tasks\Norton Security Scan for Joe.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 09:18]

2009-11-03 c:\windows\Tasks\User_Feed_Synchronization-{A23FE189-B393-4C77-8143-5C64C5F68574}.job
- c:\windows\system32\msfeedssync.exe [2009-10-22 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\yjo4uugf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\yjo4uugf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 00:16
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8673EE07]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(268)
c:\program files\Pure Networks\Network Magic\nmspce2.dll
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
.
Completion time: 2009-11-04 0:20
ComboFix-quarantined-files.txt 2009-11-04 05:20
ComboFix2.txt 2009-11-03 19:32

Pre-Run: 231,302,664,192 bytes free
Post-Run: 231,264,497,664 bytes free




















Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:39 PM, on 11/3/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\hkcmd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\PROGRA~1\NYKO\GAMEPA~1\ngpmap.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5620
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8680 bytes




Note, a warning message came up when I ran HijackThis saying that for some reason my system denied access to the host file. It said more, but i was unable to copy it.

Thanks

The warning for host file is ok.

Can you go to C:\qoobox and locate all text files for combofix and post them here as it appears from the log that it has been run more than once.

Are the re-directs still occurring?

This was saved as "Add Remove Programs"



Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.7
Adobe Shockwave Player 11.5
Agere Systems PCI-SV92PP Soft Modem
AIM 6
AIM Toolbar 5.0
Apple Mobile Device Support
Apple Software Update
Bejeweled 2 Deluxe
BitTorrent
BlackBerry Desktop Software 4.3
BlackBerry Device Software Updater
Blackhawk Striker 2
Bonjour
Browser Address Error Redirector
CCleaner
Comcast High-Speed Internet Install Wizard
Digital Media Reader
Diner Dash
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
EPSON Printer Software
EPSON Scan
Family Feud 2
FATE
FrostWire 4.18.1
Garmin City Navigator North America NT 2009 Update
Garmin Communicator Plugin
Garmin USB Drivers
Garmin WebUpdater
Gateway Connect
Gateway Game Console
Gateway Recovery Center Installer
Glary Utilities 2.12.0.658
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) SE Runtime Environment 6 Update 1
JETFIGHTER 2015
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Combat Flight Simulator 3.1
Microsoft Flight Simulator X
Microsoft Flight Simulator X Service Pack 1
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 2.0 SP3 Runtime
MobileMe Control Panel
Mozilla Firefox (3.0.15)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Network Magic
Norton Security Scan
Norton Security Scan (Symantec Corporation)
NYKO Gamepad Mapping Tools 2.0.0
OGA Notifier 2.0.0048.0
Penguins!
Polar Bowler
Polar Golfer
Power2Go 5.0
Pure Networks Platform
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody Player Engine
Roxio Media Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Spare Backup
SUPERAntiSpyware Free Edition
Symantec AntiVirus
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VZAccess Manager for RIM
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Live Sign-in Assistant
Windows Media Player Firefox Plugin
WinRAR archiver






This was saved as quarantined files

2009-11-04 05:12:29 . 2009-11-04 05:12:29 14,428 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-11-04 04:59:37 . 2009-11-04 05:02:25 62 ----a-w- C:\Qoobox\Quarantine\catchme.log





This was saved as Combofix2.


ComboFix 09-11-03.01 - Joe 11/03/2009 14:15.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2039.641 [GMT -5:00]
Running from: c:\users\Joe\Desktop\ComboFix.exe
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2586906720-2871239593-3476299853-500
c:\$recycle.bin\S-1-5-21-3352549485-4007945283-2351025167-500
c:\program files\Helper
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-03 19:28 . 2009-11-03 19:28 -------- d-----w- c:\users\Sarah\AppData\Local\temp
2009-11-03 19:28 . 2009-11-03 19:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-03 17:07 . 2009-11-03 17:07 -------- d-----w- c:\program files\Alwil Software
2009-11-03 16:46 . 2009-11-03 16:46 -------- d-----w- c:\program files\CCleaner
2009-11-02 22:26 . 2009-11-02 22:20 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-02 22:20 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-02 22:16 . 2009-11-02 22:16 -------- d-----w- c:\program files\Lavasoft
2009-10-30 21:49 . 2009-10-30 21:49 -------- d-----w- c:\users\Joe\AppData\Roaming\GetRightToGo
2009-10-30 11:57 . 2009-10-30 11:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-30 11:57 . 2009-10-30 11:57 -------- d-----w- c:\users\Joe\AppData\Roaming\SUPERAntiSpyware.com
2009-10-30 11:56 . 2009-10-30 11:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-30 11:51 . 2009-10-30 21:16 -------- d-----w- c:\program files\SpywareBlaster
2009-10-29 04:08 . 2009-10-29 04:08 -------- d-----w- c:\users\Joe\AppData\Roaming\Malwarebytes
2009-10-29 04:08 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 04:08 . 2009-10-29 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 04:08 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 03:58 . 2009-10-29 03:58 1152 ----a-w- c:\windows\system32\windrv.sys
2009-10-29 01:41 . 2009-10-29 01:41 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-28 07:40 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 07:40 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-22 21:13 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-22 21:13 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-22 21:13 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-22 21:12 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-22 21:12 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-22 21:11 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 18:39 . 2007-12-08 02:15 -------- d-----w- c:\users\Joe\AppData\Roaming\Spare Backup
2009-10-30 22:43 . 2008-12-10 20:58 -------- d-----w- c:\program files\Norton Security Scan
2009-10-25 23:48 . 2008-03-12 00:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-22 21:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-22 21:20 . 2007-09-24 19:37 -------- d-----w- c:\program files\Microsoft Works
2009-10-01 14:29 . 2009-10-03 03:34 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-24 14:52 . 2009-02-01 04:58 -------- d-----w- c:\users\Sarah\AppData\Roaming\LimeWire
2009-09-24 14:51 . 2007-12-11 00:21 87096 ----a-w- c:\users\Sarah\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-24 12:09 . 2009-09-22 21:31 -------- d-----w- c:\users\Joe\AppData\Roaming\BitTorrent
2009-09-22 21:30 . 2009-09-22 21:30 -------- d-----w- c:\program files\BitTorrent
2009-09-22 21:30 . 2009-02-10 04:25 -------- d-----w- c:\users\Joe\AppData\Roaming\FrostWire
2009-09-13 17:11 . 2009-04-01 01:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 00:27 . 2009-09-02 23:08 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 23:08 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-22 21:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:22 . 2009-08-27 05:22 10240 ----a-w- c:\windows\system32\ctfmon_gz.exe
2009-08-27 05:17 . 2009-10-22 21:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-22 21:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-22 21:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:27 . 2009-09-10 02:47 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-10 02:47 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-10 02:47 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 02:47 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 02:47 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 02:47 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 02:47 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 02:47 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-10 02:47 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-10 02:47 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-10 02:47 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-07 02:24 . 2009-10-03 03:30 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2009-10-03 03:30 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2009-10-03 03:30 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:23 . 2009-10-03 03:30 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-10-03 03:30 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 01:45 . 2009-10-03 03:30 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-08-07 01:44 . 2009-10-03 03:30 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-08-06 23:23 . 2009-10-03 03:29 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-06 22:44 . 2009-10-03 03:29 33792 ----a-w- c:\windows\system32\wuapp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Spare Backup"="c:\program files\Spare Backup\SpareBackup.exe" [2007-07-13 5252936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-04-23 4435968]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-04-13 1822720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-04 40072]

c:\users\Sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-1-29 139776]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):01,67,b4,30,a7,0c,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3352549485-4007945283-2351025167-1000]
"EnableNotificationsRef"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [11/2/2009 5:20 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 2:00 AM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\System32\drivers\WUSB54GCx86.sys [3/12/2007 9:12 AM 256000]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]
S3 rt70x86;Belkin Wireless G USB Network Adapter Driver for Vista;c:\windows\System32\drivers\netr70.sys [10/9/2007 4:43 AM 291840]
S3 SaiH0461;SaiH0461;c:\windows\System32\drivers\SaiH0461.sys [4/22/2008 2:35 PM 182528]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMONFLT
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:18]

2009-11-03 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-04-01 13:49]

2009-10-30 c:\windows\Tasks\Norton Security Scan for Joe.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 09:18]

2009-11-03 c:\windows\Tasks\User_Feed_Synchronization-{A23FE189-B393-4C77-8143-5C64C5F68574}.job
- c:\windows\system32\msfeedssync.exe [2009-10-22 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5620
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\yjo4uugf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\yjo4uugf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 14:29
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8673EE07]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-11-03 14:32
ComboFix-quarantined-files.txt 2009-11-03 19:32

Pre-Run: 230,861,185,024 bytes free
Post-Run: 231,235,612,672 bytes free





This was saved as catchme.


-------- 2009-11-03 - 23:59:37 -------------

error: 31





And it is still redirecting.

Any reason it ran twice?

Download the HostsXpert.
Run it and press "Restore M$ Hosts File" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.

Reboot and see if it still re-directs.