Author Topic: Lost access to router  (Read 17655 times)

ronymaxwell

    Topic Starter


    Beginner

    Thanked: 1
    Lost access to router
    « on: September 03, 2010, 02:31:50 PM »
    I can usually access details and settings for my Netgear router by entering the IP address.  When I try it now, I get a heading 'Settings' but otherwise a blank page.  I've also found that a mysterious extra subscription to my McAfee security software has been taken out; I know nothing of it.  It appears to be registered to an IP address similar to my router, but ending .0.2 instead of .0.1 which I cannot access.  Have I got a problem here?

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Lost access to router
    « Reply #1 on: September 05, 2010, 07:01:02 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    The first thing I will need you to do is to go to this link and follow the directions precisely. If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line. If you can't run any step, just jump to the next one. Please let me know how you are doing or have any questions. Initially, I will need the SuperAntiSpyware, MBAM and HJT logs. Please post any logs that you can generate.
    Windows 8 and Windows 10 dual boot with two SSD's

    ronymaxwell

      Topic Starter


      Beginner

      Thanked: 1
      Re: Lost access to router
      « Reply #2 on: September 17, 2010, 05:46:34 AM »
      Sorry I've been so long - work commitments kept me busy.  I've now started following your instructions and will post when it's done.

      ronymaxwell

        Topic Starter


        Beginner

        Thanked: 1
        Re: Lost access to router
        « Reply #3 on: September 17, 2010, 03:23:37 PM »
        I used ccleaner as instructed.  Now the resulting log of SUPERantispyware.
        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 09/17/2010 at 07:28 PM

        Application Version : 4.43.1000

        Core Rules Database Version : 5523
        Trace Rules Database Version: 3335

        Scan type       : Complete Scan
        Total Scan Time : 08:37:21

        Memory items scanned      : 607
        Memory threats detected   : 0
        Registry items scanned    : 9182
        Registry threats detected : 0
        File items scanned        : 734460
        File threats detected     : 11

        Adware.Tracking Cookie
           C:\My Backup -- 06-12-30 0837PM\Documents and Settings\Ronald Maxwell\Cookies\[email protected][1].txt
           C:\My Backup -- 06-12-30 0837PM\Documents and Settings\Ronald Maxwell\Cookies\ronald_maxwell@imrworldwide[2].txt
           C:\My Backup -- 06-12-30 0837PM\Documents and Settings\Ronald Maxwell\Cookies\[email protected][2].txt
           C:\My Backup -- 06-12-30 0837PM\Documents and Settings\Ronald Maxwell\Cookies\[email protected][1].txt
           C:\My Backup -- 06-12-30 0837PM\Documents and Settings\Ronald Maxwell\Cookies\[email protected][2].txt
           C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt

        Browser Hijacker.Favorites
           C:\MY BACKUP -- 07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\DC32.URL
           C:\MY BACKUP -- 07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\DC33.URL
           C:\MY BACKUP -- 07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\DC34.URL
           C:\MY BACKUP -- 07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\DC35.URL
           C:\MY BACKUP -- 07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\DC36.URL
        I will continue the next stage tomorrow.

        ronymaxwell

          Topic Starter


          Beginner

          Thanked: 1
          Re: Lost access to router
          « Reply #4 on: September 17, 2010, 03:41:11 PM »
          result of MBAM
          Malwarebytes' Anti-Malware 1.46
          www.malwarebytes.org

          Database version: 4640

          Windows 6.0.6002 Service Pack 2
          Internet Explorer 8.0.6001.18943

          17/09/2010 23:03:50
          mbam-log-2010-09-17 (23-03-50).txt

          Scan type: Quick scan
          Objects scanned: 141834
          Time elapsed: 9 minute(s), 4 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)

          ronymaxwell

            Topic Starter


            Beginner

            Thanked: 1
            Re: Lost access to router
            « Reply #5 on: September 17, 2010, 03:45:10 PM »
            Congratulations!
            You have the recommended Java installed (Version 6 Update 21).


            ronymaxwell

              Topic Starter


              Beginner

              Thanked: 1
              Re: Lost access to router
              « Reply #6 on: September 17, 2010, 03:55:38 PM »
              Logfile of Trend Micro HijackThis v2.0.4
              Scan saved at 23:20:54, on 17/09/2010
              Platform: Windows Vista SP2 (WinNT 6.00.1906)
              MSIE: Internet Explorer v8.00 (8.00.6001.18943)
              Boot mode: Normal

              Running processes:
              C:\Windows\system32\Dwm.exe
              C:\Windows\Explorer.EXE
              C:\Windows\system32\taskeng.exe
              C:\Windows\System32\mobsync.exe
              C:\Windows\sttray.exe
              C:\Program Files\Common Files\aol\1247602731\ee\aolsoftware.exe
              C:\Program Files\Windows Media Player\wmpnscfg.exe
              C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
              C:\Program Files\Microsoft Security Essentials\msseces.exe
              C:\Program Files\iTunes\iTunesHelper.exe
              C:\Program Files\Common Files\Java\Java Update\jusched.exe
              C:\Program Files\Windows Sidebar\sidebar.exe
              C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
              C:\Windows\ehome\ehtray.exe
              C:\Windows\ehome\ehmsas.exe
              C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
              C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
              C:\Windows\system32\wuauclt.exe
              C:\Windows\system32\NOTEPAD.EXE
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\Windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
              C:\Windows\system32\DllHost.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voover.com/
              R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
              R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
              O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
              O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
              O2 - BHO: AppRanger IE Sandbox - {1ec7abb1-e555-404b-901c-6d24af4ce44d} - C:\Program Files\AppRanger\TSBoxIE.dll (file missing)
              O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
              O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
              O2 - BHO: MFS BHO - {3CD63CF3-CE57-44FC-92A1-96E928676C37} - C:\Program Files\MyFaveShop\MyFaveShop Toolbar\ToolBar.dll
              O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
              O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
              O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
              O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
              O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
              O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
              O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
              O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
              O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
              O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
              O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
              O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
              O3 - Toolbar: MFS Toolbar - {FEE0CAF5-403B-480D-B7DF-71EE63E4F166} - C:\Program Files\MyFaveShop\MyFaveShop Toolbar\ToolBar.dll
              O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
              O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
              O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
              O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
              O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
              O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
              O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
              O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1247602731\ee\AOLSoftware.exe
              O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
              O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
              O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
              O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
              O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
              O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
              O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
              O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
              O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
              O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
              O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
              O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
              O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
              O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
              O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
              O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
              O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
              O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
              O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
              O15 - Trusted Zone: http://*.mcafee.com
              O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
              O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
              O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
              O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
              O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
              O23 - Service: AppRanger Service (apprngr_svc) - Unknown owner - C:\Program Files\AppRanger\SWSvc.exe (file missing)
              O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
              O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
              O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
              O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
              O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
              O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
              O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
              O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
              O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
              O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
              O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

              --
              End of file - 10659 bytes

              ronymaxwell

                Topic Starter


                Beginner

                Thanked: 1
                Re: Lost access to router
                « Reply #7 on: September 18, 2010, 04:19:22 AM »
                Should I use the HJT process tool?

                The HJT log suggests I have no active firewall, yet my McAfee security centre shows the firewall as working.

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Lost access to router
                « Reply #8 on: September 18, 2010, 01:27:52 PM »
                Open HijackThis and select Do a system scan only

                Place a check mark next to the following entries: (if there)

                O2 - BHO: AppRanger IE Sandbox - {1ec7abb1-e555-404b-901c-6d24af4ce44d} - C:\Program Files\AppRanger\TSBoxIE.dll (file missing)
                O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
                O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

                Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following. Please place a check mark next to this/these line/lines.
                O15 - Trusted Zone: http://*.mcafee.com

                Important: Close all open windows except for HijackThis and then click Fix checked.

                Once completed, exit HijackThis.
                ************************************

                Please download ComboFix from BleepingComputer.com

                Alternate link: GeeksToGo.com

                Rename ComboFix.exe to commy.exe before you save it to your Desktop
                Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
                Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
                As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
                When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

                If you have problems with ComboFix usage, see How to use ComboFix
                *******************************
                Download Security Check by screen317 from one of the following links and save it to your desktop.

                Link 1
                Link 2

                * Unzip SecurityCheck.zip and a folder named Security Check should appear.
                * Open the Security Check folder and double-click Security Check.bat
                * Follow the on-screen instructions inside of the black box.
                * A Notepad document should open automatically called checkup.txt
                * Post the contents of that document in your next reply.

                Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
                Windows 8 and Windows 10 dual boot with two SSD's
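
As an added example (not part of the original thread and not HijackThis's own code), the log triage in the reply above can be sketched in Python: parse the section-coded lines of a HijackThis log and list the entries whose target is reported as `(file missing)` or `(no file)`, plus any O15 Trusted Zone sites. The sample lines are copied from the log in Reply #6; the function and class names are assumptions, and the output is a list of candidates for a helper to review, not a set of fix decisions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the HijackThis log lines posted in Reply #6.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Windows\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AppRanger IE Sandbox - {1ec7abb1-e555-404b-901c-6d24af4ce44d} - C:\Program Files\AppRanger\TSBoxIE.dll (file missing)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O23 - Service: AppRanger Service (apprngr_svc) - Unknown owner - C:\Program Files\AppRanger\SWSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# A log entry is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# HijackThis appends one of these markers when the referenced file is absent.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str             # section code such as "O2" or "O15"
    body: str             # everything after "<code> - "
    clsid: Optional[str]  # upper-cased CLSID if the line carries one
    orphaned: bool        # True when the target file is reported missing


def parse_hjt(text: str) -> List[Entry]:
    """Return the section-coded entries; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        code, body = match.groups()
        clsid = CLSID_RE.search(body)
        entries.append(Entry(code, body,
                             clsid.group(0).upper() if clsid else None,
                             bool(ORPHAN_RE.search(body))))
    return entries


def review_candidates(entries: List[Entry]) -> List[Tuple[str, Entry]]:
    """Tag entries worth a second look: Trusted Zone sites and orphaned entries."""
    tagged = []
    for entry in entries:
        if entry.code == "O15":
            tagged.append(("trusted-zone", entry))
        elif entry.orphaned:
            tagged.append(("orphaned", entry))
    return tagged


def trusted_zone_sites(entries: List[Entry]) -> List[str]:
    """Extract the site pattern from each 'O15 - Trusted Zone: <site>' line."""
    return [e.body.partition(": ")[2] for e in entries if e.code == "O15"]


if __name__ == "__main__":
    for reason, entry in review_candidates(parse_hjt(SAMPLE_LOG)):
        print(f"{reason:12} {entry.code:4} {entry.body}")
```
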

                ronymaxwell

                  Topic Starter


                  Beginner

                  Thanked: 1
                  Re: Lost access to router
                  « Reply #9 on: September 19, 2010, 03:00:55 PM »
                  System scan completed.
                  ComboFix log:-
                  ComboFix 10-09-17.04 - Ron 19/09/2010  21:39:32.2.2 - x86
                  Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3069.1931 [GMT 1:00]
                  Running from: c:\users\Ron\Desktop\commy.exe
                  Command switches used :: /stepdel
                  SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                  SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                  .

                  (((((((((((((((((((((((((   Files Created from 2010-08-19 to 2010-09-19  )))))))))))))))))))))))))))))))
                  .

                  2010-09-19 20:49 . 2010-09-19 20:49   --------   d-----w-   c:\users\Ron\AppData\Local\temp
                  2010-09-19 20:49 . 2010-09-19 20:49   --------   d-----w-   c:\users\Public\AppData\Local\temp
                  2010-09-19 20:49 . 2010-09-19 20:49   --------   d-----w-   c:\users\Default\AppData\Local\temp
                  2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\users\Ron\AppData\Roaming\Malwarebytes
                  2010-09-17 21:53 . 2010-04-29 14:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\programdata\Malwarebytes
                  2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2010-09-17 21:53 . 2010-04-29 14:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2010-09-17 09:43 . 2010-09-17 09:43   --------   d-----w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com
                  2010-09-17 09:43 . 2010-09-17 09:43   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                  2010-09-17 09:43 . 2010-09-17 21:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2010-09-17 09:30 . 2010-09-17 09:30   --------   d-----w-   c:\users\Ron\AppData\Roaming\Yahoo!
                  2010-09-17 09:30 . 2010-09-17 09:30   --------   d-----w-   c:\programdata\Yahoo! Companion
                  2010-09-17 09:30 . 2010-09-17 09:30   --------   d-----w-   c:\program files\Yahoo!
                  2010-09-17 09:29 . 2010-09-17 09:30   --------   d-----w-   c:\program files\CCleaner
                  2010-09-17 07:47 . 2010-04-16 16:46   502272   ----a-w-   c:\windows\system32\usp10.dll
                  2010-09-17 07:47 . 2010-08-17 14:11   128000   ----a-w-   c:\windows\system32\spoolsv.exe
                  2010-09-17 07:47 . 2010-04-05 17:02   317952   ----a-w-   c:\windows\system32\MP4SDECD.DLL
                  2010-09-17 07:47 . 2010-05-27 20:08   739328   ----a-w-   c:\windows\system32\inetcomm.dll
                  2010-09-09 21:00 . 2010-09-09 21:00   --------   d-sh--w-   c:\windows\system32\%APPDATA%
                  2010-09-06 11:17 . 2010-09-06 11:17   --------   d-----w-   c:\program files\Common Files\Java
                  2010-09-04 09:48 . 2010-09-04 09:48   --------   d-----w-   c:\program files\iPod
                  2010-09-04 09:48 . 2010-09-04 09:49   --------   d-----w-   c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                  2010-09-04 09:48 . 2010-09-04 09:49   --------   d-----w-   c:\program files\iTunes
                  2010-09-04 09:46 . 2010-09-04 09:46   --------   d-----w-   c:\program files\QuickTime
                  2010-09-04 09:42 . 2010-09-04 09:42   --------   d-----w-   c:\program files\Bonjour
                  2010-08-27 14:15 . 2010-08-27 14:15   --------   d-----w-   c:\program files\Microsoft Security Essentials
                  2010-08-27 14:11 . 2010-06-01 17:37   221568   ------w-   c:\windows\system32\MpSigStub.exe

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2010-09-19 20:18 . 2010-06-24 06:29   34709   ----a-w-   c:\programdata\nvModes.dat
                  2010-09-18 08:50 . 2009-07-15 13:51   12   ----a-w-   c:\windows\bthservsdp.dat
                  2010-09-17 22:32 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
                  2010-09-17 22:15 . 2010-09-17 22:15   388096   ----a-r-   c:\users\Ron\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                  2010-09-17 21:42 . 2010-09-17 09:43   63488   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
                  2010-09-17 21:42 . 2010-09-17 09:43   117760   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                  2010-09-17 09:43 . 2010-09-17 09:43   52224   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                  2010-09-13 09:42 . 2009-05-17 18:30   --------   d-----w-   c:\program files\Microsoft Silverlight
                  2010-09-09 19:36 . 2009-11-06 11:28   1   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
                  2010-09-06 11:17 . 2009-07-06 10:58   --------   d-----w-   c:\program files\Java
                  2010-09-06 11:16 . 2010-09-06 11:14   10787840   ----a-w-   c:\users\Ron\AppData\Roaming\Adobe\Acrobat\7.0\Updater\AcroProUpd710_all_cum.exe
                  2010-09-04 09:48 . 2009-11-13 18:45   --------   d-----w-   c:\program files\Common Files\Apple
                  2010-09-04 09:39 . 2010-09-04 09:39   73000   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
                  2010-08-14 21:06 . 2009-07-19 15:39   300384   ----a-w-   c:\users\Ron\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
                  2010-08-13 14:06 . 2010-08-13 06:10   --------   d-----w-   c:\program files\Common Files\ParetoLogic
                  2010-08-13 12:16 . 2009-05-03 04:20   176200   ----a-w-   c:\users\Ron\AppData\Local\GDIPFONTCACHEV1.DAT
                  2010-08-13 06:33 . 2010-08-13 06:33   --------   d-----w-   c:\users\Ron\AppData\Roaming\AdobeUM
                  2010-08-13 06:33 . 2010-08-13 06:33   --------   d-----w-   c:\program files\Common Files\Java(0)
                  2010-08-13 06:30 . 2009-05-05 21:40   --------   d-----w-   c:\program files\Common Files\Adobe
                  2010-08-13 06:17 . 2009-05-05 21:42   --------   d-----w-   c:\program files\Common Files\Adobe AIR
                  2010-08-13 06:17 . 2009-09-27 21:39   38784   ----a-w-   c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
                  2010-08-13 06:17 . 2009-09-27 20:41   38784   ----a-w-   c:\users\Ron\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
                  2010-08-13 06:10 . 2010-08-13 06:10   --------   d-----w-   c:\programdata\FileCure
                  2010-08-08 18:48 . 2010-08-08 18:48   568832   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcp90.dll
                  2010-08-08 18:48 . 2010-08-08 18:48   686080   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
                  2010-08-08 18:48 . 2010-08-08 18:48   655872   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcr90.dll
                  2010-08-08 18:48 . 2010-08-08 18:48   583168   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\xpdfimport.exe
                  2010-08-08 18:48 . 2010-08-08 18:48   224768   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcm90.dll
                  2010-08-08 18:42 . 2009-11-06 11:24   --------   d-----w-   c:\program files\OpenOffice.org 3
                  2010-07-27 17:44 . 2010-07-27 17:44   91424   ----a-w-   c:\windows\system32\dnssd.dll
                  2010-07-27 17:44 . 2010-07-27 17:44   75040   ----a-w-   c:\windows\system32\jdns_sd.dll
                  2010-07-27 17:44 . 2010-07-27 17:44   197920   ----a-w-   c:\windows\system32\dnssdX.dll
                  2010-07-27 17:44 . 2010-07-27 17:44   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                  2010-07-17 04:00 . 2010-05-17 12:09   423656   ----a-w-   c:\windows\system32\deployJava1.dll
                  2010-06-26 06:05 . 2010-08-11 12:06   916480   ----a-w-   c:\windows\system32\wininet.dll
                  2010-06-26 06:02 . 2010-08-11 12:06   71680   ----a-w-   c:\windows\system32\iesetup.dll
                  2010-06-26 06:02 . 2010-08-11 12:06   109056   ----a-w-   c:\windows\system32\iesysprep.dll
                  2010-06-26 04:25 . 2010-08-11 12:06   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
                  .

                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CD63CF3-CE57-44FC-92A1-96E928676C37}]
                  2008-08-19 16:19   110592   ----a-w-   c:\program files\MyFaveShop\MyFaveShop Toolbar\ToolBar.dll

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
                  "{FEE0CAF5-403B-480D-B7DF-71EE63E4F166}"= "c:\program files\MyFaveShop\MyFaveShop Toolbar\ToolBar.dll" [2008-08-19 110592]

                  [HKEY_CLASSES_ROOT\clsid\{fee0caf5-403b-480d-b7df-71ee63e4f166}]

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
                  "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
                  "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
                  "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 39408]
                  "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
                  "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2004-11-22 307200]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
                  "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
                  "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
                  "SigmatelSysTrayApp"="sttray.exe" [2007-03-29 303104]
                  "HostManager"="c:\program files\Common Files\AOL\1247602731\ee\AOLSoftware.exe" [2006-11-14 50736]
                  "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
                  "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
                  "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
                  "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
                  "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

                  c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                  Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2010-8-13 25214]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                  "EnableUIADesktopToggle"= 0 (0x0)

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                  @=""

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                  @="Service"

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                  @="Service"

                  R1 apprngr;AppRanger Scan Driver;c:\windows\system32\Drivers\apprngr.sys

                  R2 apprngr_svc;AppRanger Service;c:\program files\AppRanger\SWSvc.exe

                  R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                  R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 133104]
                  R3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-02-21 151552]
                  R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                  S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
                  S0 npf;npf Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
                  S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
                  S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                  S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-25 42368]


                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                  bthsvcs   REG_MULTI_SZ      BthServ
                  LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                  .
                  Contents of the 'Scheduled Tasks' folder

                  2010-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                  - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 12:13]

                  2010-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                  - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 12:13]

                  2010-09-17 c:\windows\Tasks\ParetoLogic Registration3.job
                  - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-04 18:19]

                  2010-08-13 c:\windows\Tasks\ParetoLogic Update Version3.job
                  - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-04 18:19]

                  2010-09-19 c:\windows\Tasks\User_Feed_Synchronization-{AAD29C0A-613E-42B8-9812-D1A798192E3F}.job
                  - c:\windows\system32\msfeedssync.exe [2010-08-11 04:24]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://www.google.co.uk/
                  mStart Page = hxxp://www.voover.com/
                  uInternet Settings,ProxyOverride = *.local
                  uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
                  IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                  IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                  IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
                  IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
                  IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                  IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                  IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                  IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                  Trusted Zone: internet
                  Trusted Zone: mcafee.com
                  .
                  - - - - ORPHANS REMOVED - - - -

                  AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



                  **************************************************************************

                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2010-09-19 21:49
                  Windows 6.0.6002 Service Pack 2 NTFS

                  scanning hidden processes ... 

                  scanning hidden autostart entries ...

                  scanning hidden files ... 

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  --------------------- LOCKED REGISTRY KEYS ---------------------

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                  @Denied: (A 2) (Everyone)
                  @="FlashBroker"
                  "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                  "Enabled"=dword:00000001

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                  @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                  @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                  @Denied: (A 2) (Everyone)
                  @="IFlashBroker4"

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                  @="{00020424-0000-0000-C000-000000000046}"

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                  @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                  "Version"="1.0"

                  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
                  @Denied: (A) (Users)
                  @Denied: (A) (Everyone)
                  @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                  "BlindDial"=dword:00000000
                  .
                  Completion time: 2010-09-19  21:56:25
                  ComboFix-quarantined-files.txt  2010-09-19 20:56
                  ComboFix2.txt  2010-08-27 13:47

                  Pre-Run: 61,592,264,704 bytes free
                  Post-Run: 61,036,335,104 bytes free

                  - - End Of File - - 8DB0100A34BAFFC4334C448BA95E1272

                  ronymaxwell

                    Re: Lost access to router
                    « Reply #10 on: September 19, 2010, 03:05:02 PM »
                    checkup.txt:-
                     Results of screen317's Security Check version 0.99.5 
                     Windows Vista Service Pack 2 (UAC is enabled)
                     Internet Explorer 8 
                    ``````````````````````````````
                    Antivirus/Firewall Check:

                     Windows Firewall Enabled! 
                     Microsoft Security Essentials   
                     WMI entry may not exist for antivirus; attempting automatic update.
                     Microsoft Security Essentials successfully updated!
                    ```````````````````````````````
                    Anti-malware/Other Utilities Check:

                     Malwarebytes' Anti-Malware   
                     CCleaner     
                     Java(TM) 6 Update 21 
                     Adobe Flash Player 10.0.22.87 
                    Adobe Reader 9.1.1
                    Out of date Adobe Reader installed!
                    ````````````````````````````````
                    Process Check: 
                    objlist.exe by Laurent

                     Windows Defender MSMpEng.exe
                     Microsoft Security Essentials msseces.exe
                    ````````````````````````````````
                    DNS Vulnerability Check:

                     GREAT! (Not vulnerable to DNS cache poisoning)

                    ``````````End of Log````````````

                    SuperDave

                    Re: Lost access to router
                    « Reply #11 on: September 19, 2010, 05:35:02 PM »
                    Have you tried resetting your router?

                    Please download the newest version of Adobe Acrobat Reader from Adobe.com

                    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
                    Go to the Control Panel and enter Add or Remove Programs.
                    Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

                    Once old versions are gone, please install the newest version.
                    **************************************
                    Re-running ComboFix to remove infections:

                    • Close any open browsers.
                    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
                    • Open notepad and copy/paste the text in the quotebox below into it:
                      Quote
                      KillAll::

                      DDS::
                      Trusted Zone: internet
                      Trusted Zone: mcafee.com

                    • Save this as CFScript.txt, in the same location as ComboFix.exe



                    • Referring to the picture above, drag CFScript into ComboFix.exe
                    • When finished, it shall produce a log for you at C:\ComboFix.txt
                    • I don't need to see the log from this script.
                    ********************************
                    I'd like to scan your machine with ESET OnlineScan

                    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                      ESET OnlineScan
                    • Click the button.
                    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                      • Click on to download the ESET Smart Installer. Save it to your desktop.
                      • Double click on the icon on your desktop.
                    • Check
                    • Click the button.
                    • Accept any security warnings from your browser.
                    • Check
                    • Push the Start button.
                    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                    • When the scan completes, push
                    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                    • Push the button.
                    • Push
                    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                    Windows 8 and Windows 10 dual boot with two SSD's

                    ronymaxwell

                      Re: Lost access to router
                      « Reply #12 on: September 22, 2010, 06:54:52 AM »
                      I was able to reset my router, but when I had re-entered the username and password to connect to my ISP, the router info and settings became inaccessible again.

                      ronymaxwell

                        Re: Lost access to router
                        « Reply #13 on: September 22, 2010, 07:17:35 AM »
                        Adobe Acrobat Reader downloaded, other versions removed.

                        ronymaxwell

                          Re: Lost access to router
                          « Reply #14 on: September 22, 2010, 08:00:05 AM »
                          ComboFix run as instructed.