Google hijacked

Duskzero · Joined: May 22, 2009 Posts: 8

It looks like I have been hit with this problem and I am not sure exactly how to fix it. I ran Malwarebytes and that is when I noticed the problem, so I looked through the forum here and already ran Gooredfix and Combofix here are the logs.

Gooredfix:

GooredFix v1.92 by jpshortstuff
Log created at 10:09 on 22/05/2009 running Option #1 (Dan)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

Duskzero · Joined: May 22, 2009 Posts: 8

ComboFix 09-05-21.03 - Dan 05/22/2009 10:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2935 [GMT -4:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-21 19:29 . 2009-05-21 19:30 -------- d-----w c:\windows\system32\NtmsData
2009-05-21 15:37 . 2009-05-21 15:37 -------- d-----w c:\documents and settings\Dan\Application Data\Malwarebytes
2009-05-21 15:37 . 2009-05-21 15:37 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 14:12 . 2009-05-19 14:12 -------- d-----w c:\documents and settings\Dan\Local Settings\Application Data\Yahoo
2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w c:\documents and settings\Dan\Application Data\Yahoo!
2009-05-19 14:11 . 2009-05-19 14:12 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-19 14:11 . 2009-05-19 22:15 -------- d-----w c:\program files\Yahoo!
2009-05-11 18:31 . 2009-05-11 18:31 -------- d-----w c:\windows\Sun
2009-05-11 18:28 . 2009-05-11 18:28 -------- d-----w c:\program files\Java
2009-05-11 18:28 . 2009-05-11 18:28 152576 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-02 18:57 . 2009-05-02 18:57 -------- d-----w c:\program files\iPod
2009-05-02 18:57 . 2009-05-02 18:57 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-02 18:53 . 2009-05-02 18:53 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 14:25 . 2008-07-18 16:22 -------- d-----w c:\documents and settings\Dan\Application Data\DNA
2009-05-21 19:33 . 2008-07-18 16:22 -------- d-----w c:\program files\DNA
2009-05-20 21:49 . 2008-07-18 16:22 -------- d-----w c:\documents and settings\Dan\Application Data\BitTorrent
2009-05-11 18:29 . 2009-05-11 18:29 57344 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-4fa0eb55-n\Decora-SSE.dll
2009-05-11 18:29 . 2009-05-11 18:29 24064 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-7dfda0ee-n\Decora-D3D.dll
2009-05-11 18:29 . 2009-05-11 18:29 315392 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2e9643fa-n\jogl.dll
2009-05-11 18:29 . 2009-05-11 18:29 20480 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2e9643fa-n\jogl_awt.dll
2009-05-11 18:29 . 2009-05-11 18:29 114688 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2e9643fa-n\jogl_cg.dll
2009-05-11 18:29 . 2009-05-11 18:29 20480 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-14b876fd-n\gluegen-rt.dll
2009-05-11 18:29 . 2009-05-11 18:29 499712 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6e4f9364-n\msvcp71.dll
2009-05-11 18:29 . 2009-05-11 18:29 499712 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6e4f9364-n\jmc.dll
2009-05-11 18:29 . 2009-05-11 18:29 348160 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6e4f9364-n\msvcr71.dll
2009-05-11 18:28 . 2009-05-11 18:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 18:57 . 2008-07-18 16:42 -------- d-----w c:\program files\iTunes
2009-05-02 18:57 . 2008-07-18 16:41 -------- d-----w c:\program files\Common Files\Apple
2009-04-05 18:45 . 2008-07-18 18:33 67480 ----a-w c:\documents and settings\Norma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-27 20:23 . 2008-07-30 05:32 67480 ----a-w c:\documents and settings\The Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 14:17 . 2009-03-26 14:16 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-26 14:15 . 2008-07-18 16:42 -------- d-----w c:\program files\QuickTime
2009-03-26 14:10 . 2008-08-05 20:36 -------- d-----w c:\program files\Safari
2009-03-25 13:40 . 2008-07-19 15:47 67480 ----a-w c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2008-04-14 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-26 14:14 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-07-18 16:42 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 212992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-11 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-10 16861184]

c:\documents and settings\The Joe\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2009-05-18 c:\windows\Tasks\HP DArC Task 2003-06-26 13:16ewlett-Packard2003-06-26 13:16p psc 1300 seriesA3652443A372B157BFD83129692C2C2475483DE7216396623.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-06-26 22:50]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DXDllRegExe - dxdllreg.exe

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\bseg0g0p.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 10:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'winlogon.exe'(504)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-05-22 10:28
ComboFix-quarantined-files.txt 2009-05-22 14:28

Pre-Run: 213,218,734,080 bytes free
Post-Run: 221,484,720,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

140 --- E O F --- 2009-05-13 07:01

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Welcome to Lockergnome.

I don't see much malware activity here except for a possible USB drive infection. You might want to plug in your USB drive (it's the I: drive) and run the following tool:

Download the Flash Disinfector at http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

Are you still getting redirected now? If so, does it matter what browser you are using when this happens?

Download HijackThis at http://www.greyknight17.com/spy/HijackThis.exe Create a folder at C:\HJT and move HijackThis.exe there. Double-click on the program to run it.

1. If it gives you an intro screen, just choose Do a system scan and save a logfile.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

Duskzero · Joined: May 22, 2009 Posts: 8

Ok I tried all the suggestions but didn't come up with anything so here's the hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:53 AM, on 5/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-21-823518204-1060284298-1177238915-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'The Joe')
O4 - HKUS\S-1-5-21-823518204-1060284298-1177238915-1008\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'The Joe')
O4 - S-1-5-21-823518204-1060284298-1177238915-1008 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'The Joe')
O4 - S-1-5-21-823518204-1060284298-1177238915-1008 User Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'The Joe')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6620 bytes

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Problem still there?

Where is the Panda and ComboFix logs?

Duskzero · Joined: May 22, 2009 Posts: 8

Here's the pandascan

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-05-25 22:38:29
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 12
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Dan\Cookies\dan@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Dan\Cookies\dan@atdmt[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Dan\Cookies\dan@247realmedia[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Dan\Cookies\dan@advertising[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Dan\Cookies\dan@statse.webtrendslive[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Dan\Cookies\dan@atwola[2].txt
00366244 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP304\A0018408.exe[C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP304\A0018408.exe][nircmd.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\Dan\Desktop\ComboFix.exe[32788R22FWJFW\n.com]
No C:\Documents and Settings\Dan\Desktop\ComboFix.exe[32788R22FWJFW\NirCmd.cfexe]
No C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP301\A0018157.com
No C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP301\A0018159.com
No C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP304\A0018209.exe[32788R22FWJFW\NirCmd.cfexe]
No C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP304\A0018209.exe[32788R22FWJFW\n.com]
No C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP304\A0018251.com
No C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP304\A0018253.com
No C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP304\A0018276.exe
No C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP304\A0018329.com
No C:\System Volume Information\_restore{F80E593B-3AB8-41F9-BE0A-A9D15535F642}\RP304\A0018331.com
No C:\WINDOWS\NIRCMD.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Duskzero · Joined: May 22, 2009 Posts: 8

and here is the combofix, also it doesn't matter which browser I use google on it still redirects, thanks for the help.

ComboFix 09-05-25.05 - Dan 05/25/2009 19:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2762 [GMT -4:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-24 17:35 . 2009-05-24 17:35 -------- d-s---w c:\documents and settings\Dan\UserData
2009-05-23 14:14 . 2009-05-23 14:15 -------- d-----w C:\HJT
2009-05-22 17:30 . 2009-05-22 17:30 57344 ----a-w c:\documents and settings\The Joe\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-443b3b81-n\Decora-SSE.dll
2009-05-22 17:30 . 2009-05-22 17:30 24064 ----a-w c:\documents and settings\The Joe\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-21031bf6-n\Decora-D3D.dll
2009-05-22 17:30 . 2009-05-22 17:30 315392 ----a-w c:\documents and settings\The Joe\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-734a3671-n\jogl.dll
2009-05-22 17:30 . 2009-05-22 17:30 20480 ----a-w c:\documents and settings\The Joe\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-734a3671-n\jogl_awt.dll
2009-05-22 17:30 . 2009-05-22 17:30 114688 ----a-w c:\documents and settings\The Joe\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-734a3671-n\jogl_cg.dll
2009-05-22 17:30 . 2009-05-22 17:30 499712 ----a-w c:\documents and settings\The Joe\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4525602c-n\msvcp71.dll
2009-05-22 17:30 . 2009-05-22 17:30 499712 ----a-w c:\documents and settings\The Joe\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4525602c-n\jmc.dll
2009-05-22 17:30 . 2009-05-22 17:30 348160 ----a-w c:\documents and settings\The Joe\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-4525602c-n\msvcr71.dll
2009-05-22 17:30 . 2009-05-22 17:30 20480 ----a-w c:\documents and settings\The Joe\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-4c7068c7-n\gluegen-rt.dll
2009-05-21 19:29 . 2009-05-21 19:30 -------- d-----w c:\windows\system32\NtmsData
2009-05-21 15:37 . 2009-05-21 15:37 -------- d-----w c:\documents and settings\Dan\Application Data\Malwarebytes
2009-05-21 15:37 . 2009-05-21 15:37 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 14:12 . 2009-05-19 14:12 -------- d-----w c:\documents and settings\Dan\Local Settings\Application Data\Yahoo
2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w c:\documents and settings\Dan\Application Data\Yahoo!
2009-05-19 14:11 . 2009-05-19 14:12 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-19 14:11 . 2009-05-19 22:15 -------- d-----w c:\program files\Yahoo!
2009-05-11 18:31 . 2009-05-11 18:31 -------- d-----w c:\windows\Sun
2009-05-11 18:28 . 2009-05-11 18:28 -------- d-----w c:\program files\Java
2009-05-11 18:28 . 2009-05-11 18:28 152576 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-02 18:57 . 2009-05-02 18:57 -------- d-----w c:\program files\iPod
2009-05-02 18:57 . 2009-05-02 18:57 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-02 18:53 . 2009-05-02 18:53 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 23:23 . 2008-07-18 16:22 -------- d-----w c:\documents and settings\Dan\Application Data\DNA
2009-05-21 19:33 . 2008-07-18 16:22 -------- d-----w c:\program files\DNA
2009-05-20 21:49 . 2008-07-18 16:22 -------- d-----w c:\documents and settings\Dan\Application Data\BitTorrent
2009-05-11 18:29 . 2009-05-11 18:29 57344 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-4fa0eb55-n\Decora-SSE.dll
2009-05-11 18:29 . 2009-05-11 18:29 24064 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-7dfda0ee-n\Decora-D3D.dll
2009-05-11 18:29 . 2009-05-11 18:29 315392 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2e9643fa-n\jogl.dll
2009-05-11 18:29 . 2009-05-11 18:29 20480 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2e9643fa-n\jogl_awt.dll
2009-05-11 18:29 . 2009-05-11 18:29 114688 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-2e9643fa-n\jogl_cg.dll
2009-05-11 18:29 . 2009-05-11 18:29 20480 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-14b876fd-n\gluegen-rt.dll
2009-05-11 18:29 . 2009-05-11 18:29 499712 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6e4f9364-n\msvcp71.dll
2009-05-11 18:29 . 2009-05-11 18:29 499712 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6e4f9364-n\jmc.dll
2009-05-11 18:29 . 2009-05-11 18:29 348160 ----a-w c:\documents and settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-6e4f9364-n\msvcr71.dll
2009-05-11 18:28 . 2009-05-11 18:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 18:57 . 2008-07-18 16:42 -------- d-----w c:\program files\iTunes
2009-05-02 18:57 . 2008-07-18 16:41 -------- d-----w c:\program files\Common Files\Apple
2009-04-05 18:45 . 2008-07-18 18:33 67480 ----a-w c:\documents and settings\Norma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-27 20:23 . 2008-07-30 05:32 67480 ----a-w c:\documents and settings\The Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 13:40 . 2008-07-19 15:47 67480 ----a-w c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2008-04-14 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-26 14:14 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-07-18 16:42 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 212992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-11 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-10 16861184]

c:\documents and settings\The Joe\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2009-05-18 c:\windows\Tasks\HP DArC Task 2003-06-26 13:16ewlett-Packard2003-06-26 13:16p psc 1300 seriesA3652443A372B157BFD83129692C2C2475483DE7216396623.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-06-26 22:50]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\bseg0g0p.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 19:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'winlogon.exe'(504)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-05-25 19:32
ComboFix-quarantined-files.txt 2009-05-25 23:32
ComboFix2.txt 2009-05-22 14:28

Pre-Run: 221,286,473,728 bytes free
Post-Run: 221,448,531,968 bytes free

138 --- E O F --- 2009-05-13 07:01

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Do you have more than one computer at home? If so, are they affected as well?

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it.

Run Malwarebytes' again and check it for any updates. Run a full scan and post the log here. Did it find anything earlier?

Duskzero · Joined: May 22, 2009 Posts: 8

Ok Google seems to be working now, no redirects but here is the log from Malwarebytes. Only problem now is that I can't log into youtube because it routes through google so I don't know if something is still wrong or not. Thanks for the help with this, I really appreciate it.

Malwarebytes' Anti-Malware 1.37
Database version: 2192
Windows 5.1.2600 Service Pack 3

5/29/2009 11:25:31 AM
mbam-log-2009-05-29 (11-25-1 Cool

.txt

Scan type: Full Scan (C:\|I:\|)
Objects scanned: 192846
Time elapsed: 52 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Do you get redirected? Look at the bottom status bar to see where YouTube is taking you when you try to login.

Duskzero · Joined: May 22, 2009 Posts: 8

It says it can't connect to the server at www.google.com, plus google is still redirecting me when I click on a link. Any help is appreciated.

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

So it was working fine before (your second to last post) and now Google is redirecting again? Do you have more than one computer at home? If so, is it affecting them as well? If so, do the below:

[*] Launch Malwarebytes' Anti-Malware, then click Finish.
[*]Once the program has loaded, select "Perform Quick Scan", then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
===============================================

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE

However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have ran Malwarebytes' Anti-Malware on the infected system, and reset the router to its default configuration you can reconnect to the internet, and router. Then return to this site to post your logs.

===============================================

Please post the Malwarebytes log and let me know how things are running now.

Duskzero · Joined: May 22, 2009 Posts: 8

Well things seem to be running okay and hopefully will be for the foreseeable future. The only problem is still logging on to youtube, now it's telling me that a secure connection failed.

This is the error code it gave: (Error code: sec_error_ca_cert_invalid)

But it does give me the option of adding an exception, which I'm not sure I want to do. Any advice on this would be appreciated.

Here is the mbam log.

Malwarebytes' Anti-Malware 1.37
Database version: 2222
Windows 5.1.2600 Service Pack 3

6/3/2009 11:20:39 AM
mbam-log-2009-06-03 (11-20-39).txt

Scan type: Quick Scan
Objects scanned: 99474
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Again thank you for all your help

greyknight17 · Joined: Feb 03, 2003 Posts: 5674 Location: Brooklyn, NY

Unfortunately, this is a Firefox issue. I think starting with Firefox 3, it became more strict. You will need to add YouTube to the permanent list of exceptions so it won't bother you again.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.