
Thread: Major Problem - browser hijacked, cannot get rid of routing.exe, wserving.exe


  1. #1
    One thing I see immediately is that you are NOT running an onboard anti-virus program OR a firewall. Running an online scan is not giving protection, just removing bad items which may get onto the computer.
    You need an onboard and enabled anti-virus program and firewall.
    There are several reputable FREE ones of both noted here

    You are running Ad-Aware Service, turn this off, some of these programs which run all the time in the background can interfere with fixes. Same goes for SuperAntispyware, turn it off. Both are ok programs but occasionally they will interfere with either a fix or a scan by another program.
    Now one of the items removed by MBA-M was a Backdoor.Bot
    A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.
    Also noted was a Rootkit.Agent
    A Rootkit is software that cloaks the presence of files and data to evade detection, while allowing an attacker to take control of the machine without the user's knowledge. Rootkits are typically used by malware including viruses, spyware, trojans, and backdoors, to conceal themselves from the user as well as from malware detection software such as anti-virus and anti-spyware applications. Rootkits are also used by some adware applications and DRM (Digital Rights Management) programs to thwart the removal of that unwanted software by users.
    Now you have no anti-virus protection and no firewall running, what better computer to attack.
    Try this;
    Download ComboFix
    Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
    Once the download is complete you will see the Combofix on the desktop.

    • Close all open windows, including this one.
    • Close or disable all running Antivirus, Antispyware, and Firewall programs, as they may interfere with the proper running of ComboFix.
    • Double-click the ComboFix icon on the desktop to run the program.

    Windows will issue a prompt asking whether you wish to run the program, click Run
    You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

    Now just sit back and allow the program to run

    Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
    This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

    When all is complete then please post back here with that log.

  2. #2
    Hi, thanks again. Did as you said (also downloaded AVG anti-virus and ZoneAlarm firewall, which I will install as soon as I get rid of this bug). Had a helluva time downloading ComboFix as my browser doesn't seem to allow me to connect to any downloadable .exe files; eventually found a .rar ComboFix and ran it as instructed.

    Here is the log:

    "Pat" - 2008-10-07 10:44:18 Service Pack 3
    ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Pat\Desktop\"


    ((((((((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 ))))))))))))))))))))))))))))))))))


    2008-10-06 19:35 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-06 19:35 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-06 19:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-06 19:35 <DIR> d-------- C:\DOCUME~1\Pat\APPLIC~1\Malwarebytes
    2008-10-06 19:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
    2008-10-06 15:12 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-10-06 14:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2008-10-06 14:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-10-06 14:10 <DIR> d-------- C:\DOCUME~1\Pat\APPLIC~1\SUPERAntiSpyware.com
    2008-10-06 02:09 <DIR> d-------- C:\Program Files\Lavasoft
    2008-10-06 02:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2008-10-06 01:25 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-30 11:00 <DIR> d-------- C:\Program Files\iZotope
    2008-09-30 11:00 <DIR> d-------- C:\Program Files\Common Files\iZotope
    2008-09-08 20:45 <DIR> d-------- C:\Program Files\IrfanView


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2008-10-06 18:40:01 -------- d-----w C:\Program Files\PokerStars
    2008-10-06 18:10:44 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-05 16:50:21 -------- d-----w C:\DOCUME~1\Pat\APPLIC~1\Azureus
    2008-09-20 04:56:18 -------- d-----w C:\DOCUME~1\Pat\APPLIC~1\LimeWire
    2008-09-08 18:55:17 -------- d-----w C:\DOCUME~1\Pat\APPLIC~1\HPAppData
    2008-09-03 01:36:03 -------- d-----w C:\Program Files\iTunes
    2008-08-29 22:57:39 -------- d-----w C:\Program Files\Movie Maker
    2008-08-29 22:55:26 -------- d-----w C:\Program Files\Windows NT
    2008-08-29 07:00:28 -------- d-----w C:\Program Files\MSXML 6.0
    2008-08-28 17:23:05 -------- d-----w C:\DOCUME~1\Pat\APPLIC~1\Bullzip
    2008-08-28 17:19:21 -------- d-----w C:\Program Files\Bullzip
    2008-08-15 17:02:16 -------- d-----w C:\Program Files\Apple Software Update
    2008-08-15 16:59:08 -------- d-----w C:\Program Files\iPod
    2008-08-15 16:58:03 -------- d-----w C:\Program Files\QuickTime
    2008-08-13 21:38:50 -------- d-----w C:\Program Files\NoteWorthy Composer
    2008-08-12 23:35:57 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-11 18:59:19 -------- d-----w C:\DOCUME~1\Pat\APPLIC~1\Apple Computer
    2008-08-11 18:58:58 -------- d-----w C:\Program Files\Safari
    2008-08-10 00:02:40 -------- d-----w C:\Program Files\Tropico2
    2008-07-19 02:10:48 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10:42 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10:20 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:09:46 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09:44 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09:44 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09:42 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-07 20:26:58 253,952 ----a-w C:\WINDOWS\system32\es.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {0347C33E-8762-4905-BF09-768834316C61}=C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll [2007-03-02 17:52]
    {053F9267-DC04-4294-A72C-58F732D338C0}=C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll [2007-03-02 17:52]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 04:27]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27]
    "ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-06-14 14:13]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47]
    "WMUAgent.exe"="C:\Program Files\WakeMeUp\WMUAgent.exe" [2007-02-15 22:32]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 23:34]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
    %SystemRoot%\System32\dimsntfy.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt hpqcxs08 hpqddsvc
    eapsvcs eaphost
    dot3svc dot3svc

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
    napagent


    Contents of the 'Scheduled Tasks' folder
    2008-10-06 21:24:08 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    ********************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-07 10:47:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    disk error: C:\WINDOWS\

    please note that you need administrator rights to perform deep scan

    ********************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
    "imagepath"="\systemroot\system32\drivers\TDSSserv.sys"

    Completion time: 2008-10-07 10:49:38

    --- E O F ---


    -------------------------------

    It seems to have given me an error at c:\windows for some reason? Don't know what to make of this...
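As an added example (not from the thread, the helper, or ComboFix itself), a small Python parser for the "Reg Loading Points" section of a log like the one above. It turns the key/value lines into records and flags the two kinds of entry a reviewer checks first: a value with an empty [] where the file timestamp should be, and a kernel driver (.sys) registered under a Services key. The sample log is constructed in the same shape as the posted one; the flagging rules are the example's own, not ComboFix's.

```python
import re

# Constructed sample in the shape of a ComboFix "Reg Loading Points" section;
# it mirrors the kinds of lines in the thread but is not a real machine's log.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27]
"WMUAgent.exe"="C:\Program Files\WakeMeUp\WMUAgent.exe" [2007-02-15 22:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv.sys"
"""

# A key line looks like [HKEY_...]; a value line is "name"="path" with an optional [timestamp].
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"(?:\s+\[([^\]]*)\])?$')


def parse_loading_points(text):
    """Return {registry key: [(value name, path, timestamp)]}.

    timestamp is the bracketed date string, '' for an empty [] and None when
    the line carries no bracket at all (as service imagepath lines do).
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, [])
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            entries[current].append(value.groups())
    return entries


def triage(entries):
    """Pick out the loading points a reviewer should look at first."""
    flagged = []
    for key, values in entries.items():
        for name, path, stamp in values:
            if stamp == '':
                # Empty []: no file date was recorded, so confirm the file exists on disk.
                flagged.append((key, name, path, 'no file timestamp'))
            elif '\\services\\' in key.lower() and path.lower().endswith('.sys'):
                # A kernel driver loaded as a service; check it against a known-good list,
                # since a driver that does not belong there is how a rootkit stays resident.
                flagged.append((key, name, path, 'kernel driver service'))
    return flagged


if __name__ == '__main__':
    for row in triage(parse_loading_points(SAMPLE_LOG)):
        print(row)
```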
