SpywareInfo Forum: browser redirect


browser redirect

#1 vespid

  • Member
  • Group: Full Member
  • Posts: 17
  • Joined: 02-June 09

Posted 02 June 2009 - 05:06 PM

I primarily use Firefox 3, and I am now getting redirects and hesitation. IE seems to have issues as well.

I have run a number of programs, including and not limited to:

AVG antivirus
Spybot
Ad-aware
CCleaner
SuperAntispyware
Combofix
Malwarebytes

They found a few things and removed them (there were some worse issues that have been resolved), but the redirect problem still persists.

Here is my HijackThis log. Thank you for your help:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:58 PM, on 6/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.(deleted)...vespidstart.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_12\TrayServer.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/...oader.5.1.4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125449450062
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Dad\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 8746 bytes

This post has been edited by vespid: 02 June 2009 - 08:02 PM


#2 miekiemoes

  • Malware Expert
  • Group: Global Moderator
  • Posts: 19,757
  • Joined: 08-October 04

Posted 03 June 2009 - 07:32 AM

Hi,

I see you are running AdWatch.
I suggest you disable it because it can interfere with the fixes.

To disable AdWatch:

  • Right click on the Ad-Watch icon in the system tray.
  • At the bottom of the screen there will be two checkable items called Active and Automatic.
      ◦ Active: This will turn Ad-Watch On\Off without closing it.
      ◦ Automatic: Suspicious activity will be blocked automatically.
  • Uncheck both of those boxes.
  • (When done, you can re-enable it using the same steps but this time check both boxes.)

  • Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored, so if you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#3 vespid

  • Member
  • Group: Full Member
  • Posts: 17
  • Joined: 02-June 09

Posted 03 June 2009 - 08:49 AM

miekiemoes, on Jun 3 2009, 07:32 AM, said:

  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Done. Here are the results. Thank you for your assistance so far. The redirect issue still exists.

mbam log:

Malwarebytes' Anti-Malware 1.37
Database version: 2222
Windows 5.1.2600 Service Pack 3

6/3/2009 9:08:11 AM
mbam-log-2009-06-03 (09-08-11).txt

Scan type: Quick Scan
Objects scanned: 119662
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


---------------------------------------------------------
Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:53 AM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.(removed).
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_12\TrayServer.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/...oader.5.1.4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125449450062
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Dad\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 8647 bytes

This post has been edited by vespid: 03 June 2009 - 09:09 AM


#4 miekiemoes

  • Malware Expert
  • Group: Global Moderator
  • Posts: 19,757
  • Joined: 08-October 04

Posted 03 June 2009 - 09:24 AM

Hi,

Are you still having these redirects? If so, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#5 vespid

  • Member
  • Group: Full Member
  • Posts: 17
  • Joined: 02-June 09

Posted 03 June 2009 - 11:00 PM

I had trouble getting the AVG antivirus to shut down completely, but the others were turned off.

Here is the combofix log. Thanks for the help:

-----------

ComboFix 09-05-31.06 - Dad 06/03/2009 22:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.665 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-02 21:46 . 2009-06-02 21:46 -------- d-----w- c:\program files\Trend Micro
2009-06-02 21:39 . 2009-06-02 21:28 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-02 21:28 . 2009-06-02 21:28 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-02 21:28 . 2009-06-02 21:28 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-02 21:28 . 2009-06-02 21:28 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-02 21:28 . 2009-06-02 21:28 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-02 21:28 . 2009-06-02 21:28 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-02 21:28 . 2009-06-02 21:28 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-02 21:28 . 2009-06-02 21:28 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-02 21:28 . 2009-06-02 21:28 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-02 21:28 . 2009-06-02 21:28 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-02 21:25 . 2009-06-02 21:25 -------- d-----w- c:\program files\Lavasoft
2009-06-02 13:07 . 2009-06-02 13:13 122763 ----a-w- C:\MGlogs.zip
2009-06-02 13:07 . 2009-06-02 13:13 -------- d-----w- C:\MGtools
2009-06-02 05:02 . 2009-06-04 03:29 117760 ----a-w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-02 05:01 . 2009-06-02 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-02 05:01 . 2009-06-02 05:01 65024 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-06-02 05:01 . 2009-06-02 05:01 18944 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-06-02 05:01 . 2009-06-02 05:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-02 05:01 . 2009-06-02 05:01 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
2009-06-02 04:59 . 2009-06-02 04:59 1342151 ----a-w- C:\MGtools.exe
2009-06-02 04:37 . 2009-06-02 04:37 -------- d-----w- c:\program files\CCleaner
2009-06-01 22:48 . 2009-06-01 22:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-01 12:32 . 2009-06-01 12:32 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-06-01 12:32 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-01 12:32 . 2009-06-01 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 12:32 . 2009-06-01 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-01 12:32 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 19:21 . 2008-04-14 00:12 82432 -c--a-w- c:\windows\system32\dllcache\ws2_32.dll
2009-05-27 23:03 . 2009-05-16 00:36 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-27 23:03 . 2009-05-27 23:03 -------- d-----w- c:\program files\ffdshow
2009-05-20 07:17 . 2009-05-16 08:25 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-20 07:17 . 2009-05-16 08:25 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-20 07:17 . 2009-05-16 08:25 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-20 07:17 . 2009-05-16 08:25 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-20 07:17 . 2009-05-16 08:25 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-20 07:17 . 2009-05-16 08:25 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-20 07:17 . 2009-05-16 08:25 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-20 07:16 . 2009-05-16 08:23 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-20 07:16 . 2009-05-16 08:23 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-19 22:13 . 2009-06-03 05:03 -------- d-----w- c:\program files\PokerStars.NET
2009-05-12 22:05 . 2009-05-12 22:05 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-05-10 23:44 . 2009-05-10 23:44 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\ArcSoft
2009-05-10 23:44 . 2009-05-10 23:44 -------- d-----w- c:\documents and settings\Ryan\Application Data\ArcSoft
2009-05-08 23:04 . 2007-10-23 14:27 110592 ----a-w- c:\documents and settings\Shannon\Application Data\U3\temp\cleanup.exe
2009-05-08 23:03 . 2007-10-23 14:22 3350528 ---ha-w- c:\documents and settings\Shannon\Application Data\U3\temp\Launchpad Removal.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 03:24 . 2006-11-04 20:10 -------- d-----w- c:\documents and settings\Nicky\Application Data\OpenOffice.org2
2009-06-03 23:25 . 2007-02-23 23:04 -------- d-----w- c:\documents and settings\Shannon\Application Data\OpenOffice.org2
2009-06-02 21:28 . 2009-06-02 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-02 21:28 . 2009-06-02 21:28 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-02 21:28 . 2009-06-02 21:28 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-02 21:28 . 2009-06-02 21:28 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-02 21:27 . 2009-06-02 21:27 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-02 21:27 . 2009-06-02 21:27 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-02 21:27 . 2009-06-02 21:27 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-02 21:27 . 2009-06-02 21:27 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-02 21:27 . 2009-06-02 21:27 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-02 21:27 . 2009-06-02 21:27 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-02 21:27 . 2009-06-02 21:27 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-02 21:25 . 2009-06-02 21:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-02 05:00 . 2005-07-22 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-02 04:50 . 2006-09-15 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-01 22:47 . 2005-03-07 05:32 -------- d-----w- c:\program files\Java
2009-05-31 14:32 . 2007-02-13 02:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-27 02:23 . 2009-01-31 21:19 -------- d-----w- c:\documents and settings\Shannon\Application Data\U3
2009-05-17 15:33 . 2008-08-29 01:23 -------- d-----w- c:\documents and settings\Dad\Application Data\uTorrent
2009-05-16 08:25 . 2008-07-03 23:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-16 08:25 . 2007-04-16 02:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-16 08:25 . 2008-07-03 20:53 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-16 08:25 . 2008-07-03 20:53 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-16 00:36 . 2007-06-08 22:52 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-05-07 12:03 . 2009-04-17 22:34 -------- d-----w- c:\documents and settings\Dad\Application Data\ArcSoft
2009-05-06 23:16 . 2005-03-06 23:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-19 21:55 . 2006-06-19 02:53 -------- d-----w- c:\documents and settings\Dad\Application Data\OpenOffice.org2
2009-04-19 18:08 . 2008-04-12 00:35 1 ----a-w- c:\documents and settings\Dad\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-04-19 11:15 . 2009-04-15 01:21 -------- d-----w- c:\documents and settings\Nicky\Application Data\ArcSoft
2009-04-19 00:20 . 2009-04-15 01:14 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-04-17 22:59 . 2009-04-17 22:59 -------- d-----w- c:\documents and settings\Shannon\Application Data\ArcSoft
2009-04-17 02:23 . 2005-03-07 00:51 -------- d-----w- c:\documents and settings\Dad\Application Data\teamspeak2
2009-04-15 04:43 . 2005-03-09 03:36 -------- d-----w- c:\documents and settings\Dad\Application Data\CoreFTP
2009-04-15 01:14 . 2009-04-15 01:13 -------- d-----w- c:\program files\ArcSoft
2009-04-15 01:14 . 2009-04-15 01:13 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-04-15 01:12 . 2009-04-15 01:12 -------- d-----w- c:\documents and settings\Nicky\Application Data\InstallShield
2009-04-13 01:54 . 2009-03-19 02:49 1 ----a-w- c:\documents and settings\Nicky\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-04-07 04:44 . 2009-03-15 17:50 -------- d-----w- c:\program files\iSofter
2009-04-07 04:44 . 2009-01-31 06:03 -------- d-----w- c:\program files\Media Converter SA Edition
2009-03-12 08:17 . 2009-06-02 21:25 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-03-06 14:22 . 2003-04-15 13:00 284160 ------w- c:\windows\system32\pdh.dll
2008-07-17 20:10 . 2008-07-17 20:10 16 ---ha-w- c:\program files\Common Files\mxfilerelatedcache.mxc2
2008-07-17 20:10 . 2008-07-17 20:09 16 ---ha-w- c:\program files\mxfilerelatedcache.mxc2
2007-01-04 18:55 . 2008-03-26 23:48 134624 ------w- c:\program files\uninstall.exe
2003-02-21 13:42 . 2006-08-04 04:43 348160 ----a-w- c:\program files\mozilla firefox\plugins\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-16 1947928]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]
"TrayServer"="c:\program files\MAGIX\Movie_Edit_Pro_12\TrayServer.exe" [2006-10-04 86016]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-02 518488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2005-12-08 25600]

c:\documents and settings\Shannon\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\Nicky\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-16 08:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"HPDJ Taskbar Utility"=c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/2/2009 4:28 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/3/2008 3:53 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/3/2008 3:53 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [3/26/2008 7:27 PM 108768]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/3/2008 6:17 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/3/2008 6:17 PM 298776]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [5/13/2006 11:06 PM 70016]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [12/27/2006 9:47 AM 9006]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1005904]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 4:55 PM 39424]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [4/7/2008 11:31 PM 1527900]
S3 musbehco;musbehco;\??\c:\docume~1\Nicky\LOCALS~1\Temp\musbehco.sys --> c:\docume~1\Nicky\LOCALS~1\Temp\musbehco.sys [?]
S3 SNPP202;PC Camera (6028 VGA);c:\windows\system32\drivers\snpp202.sys [3/7/2005 2:21 AM 236544]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [4/7/2008 11:33 PM 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-06-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 21:27]

2009-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.(removed)
uInternet Connection Wizard,ShellNext = iexplore
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\trl5gxbp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.(removed)
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPipelineLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npq3px.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 22:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,b2,cf,ab,0f,89,
f9,6c,cc,c8,28,51,af,b0,29,a3,98,c3,13,8e,a0,e7,a2,06,30,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,47,87,06,0c,09,
ba,f7,12,71,3b,04,66,8b,46,0d,96,ed,b1,6e,e8,4a,2a,1e,e5,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,f7,11,82,26,37,
23,12,eb,25,da,ec,7e,55,20,c9,26,23,00,9e,33,96,2b,e1,69,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,38,8a,44,49,0a,
26,03,9f,3e,1e,9e,e0,57,5a,93,61,eb,a3,14,b9,7c,9e,9d,4e,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,26,28,5a,c5,3c,
50,53,62,cd,44,cd,b9,a6,33,6c,cd,54,a9,22,a7,2b,71,18,f0,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,31,eb,78,f6,7c,
3c,5a,d3,b0,18,ed,a7,3f,8d,37,a4,16,56,fb,64,2d,fd,b0,b3,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,35,f3,f4,03,51,
cc,f3,ed,31,77,e1,ba,b1,f8,68,02,a4,ed,d2,8d,34,ea,5c,53,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,38,98,85,b6,7b,
a7,cf,a8,83,6c,56,8b,a0,85,96,ab,ce,3e,02,e2,a6,f2,81,7b,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,6b,72,07,11,67,
e3,3d,dd,51,fa,6e,91,28,9e,14,cc,7c,d9,ee,b0,01,37,6b,f9,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,75,a6,45,a0,58,
25,72,47,b1,cd,45,5a,a8,c4,f8,b9,4f,50,ea,c1,66,42,be,29,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,33,17,21,6d,58,
e6,de,73,e3,0e,66,d5,eb,bc,2f,6b,df,d9,fd,79,43,f8,ef,ed,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,27,5b,f4,b9,e5,
61,c3,15,fa,ea,66,7f,d4,3b,6b,70,d2,15,d3,e6,c9,67,38,f5,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-06-04 22:55
ComboFix-quarantined-files.txt 2009-06-04 03:55
ComboFix2.txt 2009-06-02 13:01

Pre-Run: 20,359,516,160 bytes free
Post-Run: 20,617,752,576 bytes free

297 --- E O F --- 2009-05-28 23:26
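The service and driver list in the log above (the R0 to S3 lines) is where a practitioner looks first for an image loading from somewhere it should not. As an added example, not part of the thread or of ComboFix, here is a Python script that parses those lines and flags entries whose image ComboFix could not find on disk ("[?]"), images under a Temp directory or a user profile, and kernel drivers outside system32\drivers or Program Files. The heuristics, the function names and the ServiceEntry class are this example's own; the sample lines are copied from the log above, with the rest of the log omitted. A hit means "look closer", not "malware": a driver that was already deleted but whose service key stayed behind produces the same "[?]" line.

```python
import re
from dataclasses import dataclass, field

# ComboFix prints one line per driver/service:
#   <R|S><start> <name>;<display name>;<image path> [<date> <time> <size>]
# When the image cannot be found it prints the raw registry path, " --> ",
# the resolved path, and "[?]" in place of the date and size.
_LINE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")
_TRAILER = re.compile(r"^(.*?)\s*\[([^\]]*)\]\s*$")

# Lines copied from the ComboFix log above (the rest of the log is omitted).
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/2/2009 4:28 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/3/2008 3:53 PM 325896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1005904]
S3 musbehco;musbehco;\??\c:\docume~1\Nicky\LOCALS~1\Temp\musbehco.sys --> c:\docume~1\Nicky\LOCALS~1\Temp\musbehco.sys [?]
S3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [12/27/2006 9:47 AM 9006]
"""


@dataclass
class ServiceEntry:
    kind: str            # "R" = running, "S" = stopped
    start: int           # start type: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    path: str            # lower-cased, "\??\" prefix removed
    file_present: bool   # False when ComboFix printed "[?]"
    reasons: list = field(default_factory=list)


def _normalise(path):
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def parse_service_line(line):
    """Parse one ComboFix service line; return None for anything else."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    kind, start, name, display, rest = m.groups()
    t = _TRAILER.match(rest)
    body, trailer = (t.group(1), t.group(2)) if t else (rest, "")
    if " --> " in body:                       # keep the resolved path
        body = body.split(" --> ", 1)[1]
    return ServiceEntry(kind, int(start), name.strip(), display.strip(),
                        _normalise(body), trailer.strip() != "?")


def assess(entry):
    """Attach the reasons (heuristics chosen for this example) to look closer at an entry."""
    p = entry.path
    if not entry.file_present:
        entry.reasons.append("image file missing on disk (ComboFix printed [?])")
    if "\\temp\\" in p or "\\locals~1\\" in p:
        entry.reasons.append("image lives in a Temp directory")
    if p.startswith(("c:\\documents and settings\\", "c:\\docume~1\\")):
        entry.reasons.append("image lives inside a user profile")
    if p.endswith(".sys") and not p.startswith(
            ("c:\\windows\\system32\\drivers\\", "c:\\program files\\")):
        entry.reasons.append("kernel driver outside system32\\drivers and Program Files")
    return entry


def audit_combofix_services(log_text):
    """Return the ServiceEntry objects that collected at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and assess(entry).reasons:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for e in audit_combofix_services(SAMPLE_LOG):
        print(f"{e.kind}{e.start} {e.name}: {e.path}")
        for r in e.reasons:
            print("   -", r)
```

Run it over a saved ComboFix.txt with `audit_combofix_services(open("ComboFix.txt").read())`; on the sample lines it reports only the musbehco entry, with four reasons, and leaves the AVG, SUPERAntiSpyware and Ad-Aware entries alone because their images sit in the expected directories and exist on disk.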

#6 miekiemoes (Malware Expert, Global Moderator)

Posted 04 June 2009 - 02:41 AM

Hi,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#7 vespid (Full Member)

Posted 04 June 2009 - 10:23 PM

Alright, here is the log. The problem still persists. When I first open Firefox, it works fine, then I use the search bar in the upper right (Google) and the result page usually doesn't come up, but I get the "page not found" message after a hesitation. Then I hit retry and the result page comes up. The first couple of links I try usually work, but the 3rd link will redirect to some other site, then the problem continues about every 3rd or 4th link I click. It's about the same with IE. Sometimes I even get a "redirecting" message and end up somewhere ridiculous.

GooredFix v1.92 by jpshortstuff
Log created at 22:22 on 04/06/2009 running Option #2 (Dad)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

This post has been edited by vespid: 04 June 2009 - 10:32 PM


#8 miekiemoes (Malware Expert, Global Moderator)

Posted 05 June 2009 - 02:34 AM

Can you post the contents of your C:\Windows\system32\drivers\etc\hosts file?

Also, did you modify this in your log?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.(removed).
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.(deleted)...vespidstart.htm

Can you give some examples of the domains you are getting redirected to?

#9 vespid (Full Member)

Posted 05 June 2009 - 05:54 AM

Yes, I modified those lines as shown to remove personal information.

Here is the content of that file:

---------------------------------------
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 mozilla.com
127.0.0.1 www.mozilla.com
127.0.0.1 firefox.com
127.0.0.1 www.firefox.com
127.0.0.1 www.firefox2.com
127.0.0.1 firefox2.com
127.0.0.1 ftp.saix.net
127.0.0.1 download.mozilla.com

---------------------------------------------------------

One of the things it redirects me to is "mybig-portal.com/promo3/?", which activates my AVG as a threat that it implies it takes care of.

Also "hxxp://virus-detect-soft.com/", which gets the same reaction and result.

It also redirects to what seem to be regular sites, such as
edmonds.com,
hxxp://www.directkitchenremodeling.com/dis...stoves&ad=2
I also see a "searchonthe.com" flash by while the redirecting is happening sometimes.
hxxp://us.peeplo.com/search/?q=a+heat&from=adg5

Note the other basic symptoms I listed before. Sometimes I even get a "please wait while browser redirects you".

This post has been edited by miekiemoes: 05 June 2009 - 06:01 AM
Reason for edit: links disabled


#10 miekiemoes (Malware Expert, Global Moderator)

Posted 05 June 2009 - 06:06 AM

Problem is, I don't really know what malware you were dealing with previously, as that may give me an idea where to look exactly.

Can you try OpenDNS and see if that resolves it?
https://www.opendns....start/computer/
This is to figure out if it may be a DNS issue.

Also, Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

By the way, have you added this to your hosts file?

127.0.0.1 mozilla.com
127.0.0.1 www.mozilla.com
127.0.0.1 firefox.com
127.0.0.1 www.firefox.com
127.0.0.1 www.firefox2.com
127.0.0.1 firefox2.com
127.0.0.1 ftp.saix.net
127.0.0.1 download.mozilla.com

#11 vespid (Full Member)

Posted 05 June 2009 - 07:55 AM

I haven't yet done the latest steps you noted above, but here's a bit more info:

I ran updated scans with Malwarebytes, SuperAntiSpyware, and Spybot. The first two came up empty, but Spybot just found a registry entry for win32.agent.pz and took care of it.

I did not "add to my hosts file" that I know of. That SAIX thing looks suspicious, but I don't even know what that file does or how to "add" to it.

I'll post again when I finish your latest steps.

#12 miekiemoes (Malware Expert, Global Moderator)

Posted 05 June 2009 - 12:54 PM

Well, what's in your hosts file are domains that are blocked. Normally only bad domains should be listed after the 127.0.0.1 entry, and not legitimate domains such as Firefox.
That's why I suggest you reset the default hosts file again...
To do this easily...
* Download: HostsXpert
Unzip it to its own folder, e.g. C:\HostsXpert
Start HostsXpert.exe, click 'Restore MS Hosts file' and click OK.
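The hosts-file point in posts #9 and #12, as an added example that is not part of the thread or of HostsXpert: a Python audit that parses a Windows hosts file, skips comments and the localhost line, rates as high severity any entry that sinkholes a Mozilla or security-vendor name or that sends a name to a real address instead of 127.0.0.1, and produces a cleaned copy with those lines removed. PROTECTED_DOMAINS is an assumption made for the example; the sample file is the one posted in #9 with the comment block shortened, plus one constructed 192.0.2.10 line that is not from the thread and only exists to exercise the redirect case.

```python
import ipaddress

# Domains a home PC's hosts file should never sinkhole. The list is an
# assumption made for this example (the Mozilla names from the thread plus a
# few update/anti-malware vendors); extend it for the products installed.
PROTECTED_DOMAINS = (
    "mozilla.com", "mozilla.org", "firefox.com",
    "microsoft.com", "windowsupdate.com",
    "avg.com", "lavasoft.com", "safer-networking.org", "malwarebytes.org",
)
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# The hosts file posted above (comment block abridged) plus one constructed
# redirect line at the end that is NOT from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1 localhost
127.0.0.1 mozilla.com
127.0.0.1 www.mozilla.com
127.0.0.1 firefox.com
127.0.0.1 www.firefox.com
127.0.0.1 www.firefox2.com
127.0.0.1 firefox2.com
127.0.0.1 ftp.saix.net
127.0.0.1 download.mozilla.com
192.0.2.10 www.google.com   # constructed line, not from the thread
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and junk are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                              # not "<ip> <host> ..."
        for host in parts[1:]:
            yield n, ip, host.lower()


def is_protected(host):
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def classify(ip, host):
    """Return (severity, reason) for one mapping, or None when it is benign."""
    if host == "localhost" and ip in SINKHOLE_IPS:
        return None
    if ip not in SINKHOLE_IPS:
        return "high", f"redirected to {ip}"        # hosts-based hijack
    if is_protected(host):
        return "high", "security/update site blocked"
    return "low", "blocked; confirm this was intended"


def audit_hosts(text):
    findings = []
    for n, ip, host in parse_hosts(text):
        verdict = classify(ip, host)
        if verdict:
            findings.append({"line": n, "host": host, "ip": ip,
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


def clean_hosts(text):
    """Return the file without the lines holding high-severity mappings.

    A line naming several hosts is dropped whole if any of them is flagged.
    """
    drop = {f["line"] for f in audit_hosts(text) if f["severity"] == "high"}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3} {f['severity']:<4} {f['ip']:<12} {f['host']}: {f['reason']}")
```

On the affected machine, feed it the contents of C:\Windows\system32\drivers\etc\hosts. The sample yields nine findings: the five Mozilla names and the constructed Google redirect as high, and the firefox2.com and ftp.saix.net entries as low, since nothing in the thread says whether those were put there deliberately. Write the output of clean_hosts() back only after reading the report.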

#13 vespid (Full Member)

Posted 06 June 2009 - 12:13 PM

Alright, I ran the Kaspersky thing and at first it found (and removed?) 6 threats but I didn't get a log. I ran it again and it came up clean.

I did the HostsXpert thing as well and it seemed to reset.

I tried the OpenDNS and I think I've done it correctly, but I'm not sure.

Back to the problem: The redirect only happens from search results in Google. Could it just be my ISP redirecting from bad URLs? Now I can sometimes click a dozen Google links without issues, then one won't work and redirects to something else. When I hit the back button and try again, I'll sometimes get another search page, but then going back and doing it another few times I'll sometimes get to the page the link is supposedly pointing to, sometimes not. It still seems to be happening, even after the steps above.

One symptom I can't figure out: when I first open Firefox and then type something to search in the Google box in the upper right corner of my browser, I always first get a page that says "Connection Interrupted
The connection to the server was reset while the page was loading." and after I hit retry, the search results come up. I have 10M service from my ISP.

Some of the problems I was seeing before may now be gone and I'm wondering if I'm over-analyzing this now.

Thoughts?
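Post #10 suggests switching to OpenDNS to tell a DNS problem from a browser problem, and post #13 is not sure the switch took effect. As an added example that is not from the thread, here is a Python script that parses `ipconfig /all` output, collects the DNS servers per adapter, and flags any resolver that is neither on the private LAN nor on a trusted list. The sample output in the Windows XP layout, the trusted list (the two OpenDNS addresses, an assumption for the example) and the 198.51.100.x addresses standing in for a resolver nobody configured on purpose are all constructed.

```python
import ipaddress
import re
import sys

# Resolvers that are acceptable on this machine. Assumption for the example:
# the two OpenDNS addresses the thread suggests trying; put the ISP's
# published resolvers here instead if you did not switch.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `ipconfig /all` output in the Windows XP layout (not from the thread).
# 198.51.100.x are documentation addresses standing in for an unknown resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : FAMILY-PC
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.7
                                            198.51.100.8

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

_ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
_FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*:\s?(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}. Indented lines without a colon
    continue the previous field, which is how ipconfig lists extra DNS servers."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        m = _ADAPTER.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last = None
            continue
        if current is None:
            continue                    # global header block before the first adapter
        m = _FIELD.match(line)
        if m:
            last = m.group(1).strip().lower()
            values = current.setdefault(last, [])
            if m.group(2).strip():
                values.append(m.group(2).strip())
        elif line.strip() and last:
            current[last].append(line.strip())
    return adapters


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """Return a reason the resolver is suspicious, or None if it is expected."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "resolver is loopback: a program on this PC is answering DNS itself"
    if addr in trusted or any(ip in net for net in LAN_RANGES):
        return None
    return "public resolver not on the trusted list"


def audit_dns(text, trusted=TRUSTED_RESOLVERS):
    findings = []
    for adapter, fields in parse_ipconfig(text).items():
        for addr in fields.get("dns servers", []):
            try:
                reason = classify_resolver(addr, trusted)
            except ValueError:
                reason = f"unparseable resolver entry {addr!r}"
            if reason:
                findings.append((adapter, addr, reason))
    return findings


if __name__ == "__main__":
    # On the affected PC: ipconfig /all > ipconfig.txt, then pass that file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="cp1252", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_IPCONFIG
    for adapter, addr, reason in audit_dns(text):
        print(f"{adapter}: {addr}: {reason}")
```

Reading the report: a resolver on the trusted list means the OpenDNS switch took effect on that adapter; the router's private address means the adapter is still on DHCP-assigned DNS; an unknown public address means the switch did not apply or something changed it back; a loopback address means a program on the PC is intercepting queries. The sample flags both 198.51.100.x entries on the LAN adapter and nothing on the disconnected wireless adapter.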

#14 miekiemoes (Malware Expert, Global Moderator)

Posted 06 June 2009 - 03:07 PM

Quote: "I ran the Kaspersky thing and at first it found (and removed?) 6 threats but I didn't get a log. I ran it again and it came up clean."

Strange, because the Kaspersky Online Scanner doesn't remove anything; it only lists what is present.

Also, please do the following...

RootRepeal - Rootkit Detector
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it more easy to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.


#15 vespid (Full Member)

Posted 07 June 2009 - 10:49 PM

Here is the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/07 22:31
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3AB7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B8D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA0BD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\12\12-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\12\12-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\12\12-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\13\13-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\13\13-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\13\13-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\13\13-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\aldo_8000@hotmail.com\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\14\14-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\14\14-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\14\14-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\20\20-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\20\20-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\21\21-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\21\21-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\22\22-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{CED38B97-56C2-69D2-3FE4-C2F785385694}\22\22-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{9A33A10F-D812-6354-F884-ECB227F35592}\01\23-{9A33A10F-D812-6354-F884-ECB227F35592}-v1-{186A5F75-9398-4F4C-B9F7-AF073C2E06A7}-v23-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Nicky\Local Settings\Application Data\Microsoft\Messenger\removed\SharingMetadata\removed\DFSR\Staging\CS{9A33A10F-D812-6354-F884-ECB227F35592}\24\24-{186A5F75-9398-4F4C-B9F7-AF073C2E06A7}-v24-{186A5F75-9398-4F4C-B9F7-AF073C2E06A7}-v24-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Ryan\Desktop\DAds stuff\Max Drive F\Dad\RBNC archive\SSM at RBNC\2005-06\Spring\Elaine's stuff\River Study docs\individual sheets\1.doc:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Ryan\Desktop\DAds stuff\Max Drive F\Dad\RBNC archive\SSM at RBNC\2005-06\Spring\Elaine's stuff\River Study docs\individual sheets\1.doc:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76d387e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf76d3bfe

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf3b9adf0

Stealth Objects
-------------------
Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: nHancerService.exe (PID: 160) Address: 0x00bf0000 Size: 307200

Object: Hidden Module [Name: nHancerServiceRemoting.dll]
Process: nHancerService.exe (PID: 160) Address: 0x00c60000 Size: 28672

==EOF==

The problem still persists, even redirecting to viruses at times.
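As an added illustration, not part of vespid's post and not code from RootRepeal: a short Python triage script for reports in the layout above. It splits the report into its dashed-rule sections, recognises an alternate data stream by the second colon in a path and counts those streams per GUID (one GUID repeated across many files is one application's metadata, not many hidden files), leaves SSDT hooks owned by the two security drivers visible in the log (Lbd.sys, the Ad-Aware driver, and SASKUTIL.sys under the SUPERAntiSpyware path) out of the findings, and surfaces everything else: hidden files with no stream to explain them, hooks from drivers it cannot attribute, and hidden modules. The KNOWN_HOOK_OWNERS mapping is my inference from the vendor paths in the log, and the hidden.sys / unknown.sys entries in the sample are made up so both branches run.

```python
import re
from collections import Counter

# Constructed sample in RootRepeal's layout: the GUID stream, the Lbd.sys and
# SASKUTIL.sys hooks and the nHancerService.exe module are copied from the log
# above (paths shortened); hidden.sys and unknown.sys are made up for this demo.
SAMPLE_LOG = r"""Files
-------------------
Path: C:\Documents and Settings\Nicky\sheets\1.doc:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Nicky\Staging\13-{18~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.3
Status: Locked to the Windows API!

Path: C:\example\hidden.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76d387e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf3b9adf0

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\example\unknown.sys" at address 0xf3c00000

Stealth Objects
-------------------
Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: nHancerService.exe (PID: 160) Address: 0x00bf0000 Size: 307200

==EOF==
"""

# Driver file name -> product, inferred from the vendor paths in the log above
# (an assumption, not a vendor list); any other hook owner is surfaced.
KNOWN_HOOK_OWNERS = {"lbd.sys": "Lavasoft Ad-Aware", "saskutil.sys": "SUPERAntiSpyware"}

ADS_RE = re.compile(r"^[A-Za-z]:\\.*:(?P<stream>[^\\:]+)$")  # a 2nd ':' marks an ADS
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
SSDT_RE = re.compile(r"^#: (\d+) Function Name: (\w+)$")
HOOK_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address 0x[0-9a-fA-F]+$')
MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: ([^\]]+)\]$")
PROC_RE = re.compile(r"^Process: (\S+) \(PID: (\d+)\) Address: 0x[0-9a-fA-F]+ Size: (\d+)$")


def split_sections(text):
    """{title: [entry lines, ...]}: title + dashed rule opens a section, blank lines separate entries."""
    sections, current = {}, None
    for block in text.split("==EOF==")[0].split("\n\n"):
        lines = [l.rstrip() for l in block.strip("\n").splitlines()]
        if len(lines) >= 2 and lines[1].startswith("-----"):
            current, lines = lines[0], lines[2:]
            sections[current] = []
        if lines and current is not None:
            sections[current].append(lines)
    return sections


def parse_pairs(entries, head_re, tail_re):
    # Two-line entries whose first and last lines match -> concatenated regex groups.
    out = []
    for e in entries:
        h, t = head_re.match(e[0]), tail_re.match(e[-1])
        if h and t:
            out.append(h.groups() + t.groups())
    return out


def parse_files(entries):
    out = []
    for e in entries:
        f = dict(l.split(": ", 1) for l in e if ": " in l)
        m = ADS_RE.match(f.get("Path", ""))
        stream = m.group("stream") if m else None
        g = GUID_RE.match(stream) if stream else None
        out.append({"path": f.get("Path", ""), "status": f.get("Status", ""),
                    "stream": stream, "guid": g.group(0) if g else None})
    return out


def triage(text):
    s = split_sections(text)
    files = parse_files(s.get("Files", []))
    hooks = [{"function": fn, "owner": owner,
              "product": KNOWN_HOOK_OWNERS.get(owner.rsplit("\\", 1)[-1].lower())}
             for _i, fn, owner in parse_pairs(s.get("SSDT", []), SSDT_RE, HOOK_RE)]
    mods = [{"name": n, "process": p, "pid": int(pid)}
            for n, p, pid, _sz in parse_pairs(s.get("Stealth Objects", []), MODULE_RE, PROC_RE)]
    # The same GUID-named stream on many files is one application's metadata,
    # so ADS are counted per GUID rather than flagged file by file.
    ads_by_guid = Counter(f["guid"] for f in files if f["guid"])
    findings = [("hidden_file", f["path"]) for f in files
                if f["stream"] is None and f["status"].startswith("Invisible")]
    findings += [("ssdt_hook", f"{h['function']} <- {h['owner']}")
                 for h in hooks if h["product"] is None]
    findings += [("hidden_module", f"{m['name']} in {m['process']} (PID {m['pid']})")
                 for m in mods]
    return {"files": files, "hooks": hooks, "modules": mods,
            "ads_by_guid": ads_by_guid, "findings": findings}
```

Run `triage(open("rootrepeal.txt").read())` on a real report and look at `findings` and `ads_by_guid`. For the log above the streams all share one GUID, both SSDT hooks belong to the security products the poster has installed, and the one stealth object is a module inside nHancerService.exe, so the script would leave a reviewer with that single item to judge rather than several dozen path entries.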
