0

I have similar problem where I keep getting redirected to other pages but not from every page and not all the time. It seems to be happening when Java applets are loaded, like when I'm playing chess at www.flyordie.com, and it's horrible because I would be in the middle of a chess game and get redirected to some random page and loose the game cause the server registers it as leaving page. My chess score has dropped greatly because of lost games like these. Oh and I have the latest version of Java installed with updates straight from Java.com. I have popup blocker turned on in IE (running Vista) and while I am in the middle of game something is trying to popup because the popup bar at top of IE window is blinking and blocking it but eventually this things breaks through and get redirected to some shitty add that i can't close cause it keeps reopening itself and have to use Task Manager to kill the process. I don't understand how can this be happening?
I have full scanned my comp with following and all came clean:
- MalwareByte's Malware
- Microsoft Malware Remover
- SuperAntiSpyware Remover
- Lavasoft's Ad-Aware
- I'm running McAfee antiVirus, Microsoft Defender and Firewall
I was also running PC Tools ThreatFire HIPS and Ad-Aware but they didn't help.
Can someone PLEASE help me?

3
Contributors
17
Replies
18
Views
8 Years
Discussion Span
Last Post by techsheaven
0

We can make no judgments or recommendations without seeing some logs.
Post the MBA-M log, even though it showed clean. Also download and run HiJackThis and save the log and post it here along with the MBA-M log.

0

Malwarebytes' Anti-Malware 1.34
Database version: 1827
Windows 6.0.6001 Service Pack 1

3/8/2009 2:14:58 PM
mbam-log-2009-03-08 (14-14-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 210355
Time elapsed: 57 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:40 PM, on 3/8/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\SafeBoot\SbTokWatch.exe
C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\SafeBoot\SbTokWatch.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\NOVELL\GROUPWISE\grpwise.exe
C:\NOVELL\GROUPWISE\GWSync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Users\jzelenak\Downloads\AntiSpyware\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SafeBootTrayManager] "C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe"
O4 - HKLM\..\Run: [SafeBootTokenWatcher] "C:\Program Files\SafeBoot\SbTokWatch.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SafeBootTokWatch] "C:\Program Files\SafeBoot\SbTokWatch.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Tablet PC 2.0; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.adobe.com/shockwave/welcome/"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'Default user')
O4 - .DEFAULT User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://vpn.kumc.edu/CACHE/stc/1/binaries/vpnweb.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231028408554&h=93127d41c5e5040bc88e3368fb18a8c3/&filename=jinstall-6u11-windows-i586-jc.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe
O23 - Service: SafeBoot Client Manager (SafeBootClientManager) - SafeBoot International - C:\Program Files\SafeBoot\SbClientManager.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9602 bytes

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:40 PM, on 3/8/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\SafeBoot\SbTokWatch.exe
C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\SafeBoot\SbTokWatch.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\NOVELL\GROUPWISE\grpwise.exe
C:\NOVELL\GROUPWISE\GWSync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Users\jzelenak\Downloads\AntiSpyware\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SafeBootTrayManager] "C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe"
O4 - HKLM\..\Run: [SafeBootTokenWatcher] "C:\Program Files\SafeBoot\SbTokWatch.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SafeBootTokWatch] "C:\Program Files\SafeBoot\SbTokWatch.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Tablet PC 2.0; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.adobe.com/shockwave/welcome/"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'Default user')
O4 - .DEFAULT User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://vpn.kumc.edu/CACHE/stc/1/binaries/vpnweb.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231028408554&h=93127d41c5e5040bc88e3368fb18a8c3/&filename=jinstall-6u11-windows-i586-jc.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\System32\rpcnet.exe
O23 - Service: SafeBoot Client Manager (SafeBootClientManager) - SafeBoot International - C:\Program Files\SafeBoot\SbClientManager.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9602 bytes

0

Oops, sorry for double post of HijackThis log, I was trying to remove wordwrap...

0

Don't worry about the double post. I see nothing in your log really. Since the only page you see to be getting redirected FROM, is it possible that you are accidentally hitting a link on the page which would take you to another? I have had that happen myself from time to time. What pages are you being re-directed to?

0

No it's not possible that I accidentally hit something. I have been playing chess for few months now and it did not use to happen. It started to happen about 3 weeks ago and its been happening regularly. Also this redirect issue happens from other pages too, like when I'm watching video (not even touching the mouse or keyboard) and still get redirected. Like I said something is trying to break through the IE popup blocker cause it's blinking (I have it set to Medium) and eventually it does break through and redirects me to a page that's popup webpage simulating virus scan titled 'VirusDoctor' simulates scanning and tells me I've been infected, but its obviously a hoax/phishing cause it's just a popup add. There is something on my computer that lets it go through the popup blocker, I just don't know where or how.

0

eventually it does break through and redirects me to a page that's popup webpage simulating virus scan titled 'VirusDoctor' simulates scanning and tells me I've been infected, but its obviously a hoax/phishing cause it's just a popup add. There is something on my computer that lets it go through the popup blocker, I just don't know where or how.

Wish you had given this information in your first post. This is a fairly new Rogue Spyware Removal application that obviously is installed on your computer.
Update Malwarebytes' Anti-Malware. Don't run it yet.
Once the update is complete. Shut down the computer. Physically disconnect from the internet, I mean actually remove the cable from the computer so there is no chance of going online.
Reboot the computer. One the computer is fully booted, right click on the Task Bar and choose Task Manager.
Look through the running processes list and if you see the following, Please End the Processes:
taskeng.exe
Close ALL Unnecessary Programs, all browsers, Windows Media Player, email programs, etc.
Then go to Add/Remove and look for
Virus Doctor (2.1.4.12)
If you find it, UNINSTALL IT.
Do a File Search on the computer and search for Virus Doctor. Have the search also look in hidden files and folders.
If any are found, remove them.
Next
Run a Full System Scan with MBA-M and when the scan completes REMOVE EVERYTHING FOUND. Save the log and reboot the system.
Then shut down again.
Re-attach the Internet Cable to the computer. Reboot and come back here with the MBA-M log and the results of your search.

0

Thank you jholland1964 for your reply. I was running the latest version of MBA-M as you can see from my previous post, I did update right before I clicked full-scan. I do not have Virus Doctor entry under Add/Remove programs and Search came up with nothing. So I do not think that I have 'Virus Doctor' installed on my computer. Also don't you think 'Virus Doctor' would have shown up on the HijackThis log? Somewhere on the internet I read that the popups can be launched from a trojan hiding on the machine - do you think this might be where its coming from?

0

If the pop ups and redirects are there then chance of you having it on the computer are pretty good. You won't necessarily see it in Add/Remove.
Your logs show clean, both of them but that doesn't mean it isn't there.
check the Task Manager for ANY or ALL of the following processes:
VirusDoctor.exe
VDocf360.exe
unins000.exe
VDo[RANDOM].exe - the RANDOM means then name can be anything at all.
I noticed in your HJT log that taskeng.exe was running, this is a scheduled task. Check in your Task Scheduler for unusually named scheduled tasks

0

I looked in task manager and saw no processes by those names. Then I checked Task Scheduler and found 4 suspicious tasks whose name is a GUID. I'm not sure what they are for?

Here is the name and action of the tasks:
Name: {56B404BE-4B0C-4965-90E3-4F0FE52D093A}
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a "C:\Users\jzelenak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JF6T2N5G\sp40702[1].exe" -d C:\Users\jzelenak</Arguments>

Name: {BD8D371B-A791-4AB7-853B-784FC7146413}
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a "C:\Users\jzelenak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I51H596T\sp37093[1].exe" -d C:\Users\jzelenak</Arguments>

Name {DC17124A-5505-4BFB-8D4F-D439D397C35A}
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a "C:\Users\jzelenak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6VF6RG9R\sp39689[1].exe" -d C:\Users\jzelenak</Arguments>

Name: {F9E2DDA7-832A-4D05-8DEC-51D66FB64A4A}
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a C:\Users\jzelenak\Downloads\med\Install_Netter.exe -d C:\Users\jzelenak\Downloads\med</Arguments>

Can you please tell me what these tasks are for and should I delete them?

0

All list <Command>C:\Windows\system32\pcalua.exe</Command>
usually this refers to the Program Compatibility Assistant
The first three listed may be:
sp37093.exe Broadcom driver
sp39689.exe Fax Modem
sp40702.exe possibly an HP NIC drive.
Did you download and install some new drivers from someplace other than the manufacturer's websites? All references also are pointing to temporary internet files..
The last one which is however listed in Downloads\med...meaning medical? Did you install some medical reference material? Possibly via P2P file sharing?

0

I have HP laptop and I was installing drivers from their website and the med one was from a friend through network but it failed to install(don't know why, maybe corrupt file?), so I wonder can I delete all 4 of them?

0

Oh and what does Program Compatibility Assistant do?

From WindowsHelp Microsoft

The Program Compatibility Assistant detects known compatibility issues in older programs. After you have run an older program in this version of Windows, it notifies you if there is a problem and offers to fix it the next time you run the program. If the compatibility issue is serious, the Program Compatibility Assistant might warn you or block the program from running. If that happens, you'll have the option to check online for possible solutions.....The Program Compatibility Assistant runs automatically when it detects an older program that has a compatibility problem.

The link above gives other information so you can check all that on that site. Sounds to me though that these drivers you were installing were older drivers than Vista normally requires.

Here is also the Vista Compatibility Center

0

There have been several versions of malware going around that can cause this. Malwarebytes takes care of most of them. Some alter the hosts file at windows\system32\drivers\etc. Right-click, select open, from the list of programs select notepad. If there are a lot of IP addresses followed by websites, this may be your problem. Just delete the entries, or rename the file.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.