Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Browser redirected to random sites

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Browser redirected to random sites

Unread postby askey127 » July 7th, 2009, 6:09 am

pjtroup,
Reports of problems with Combofox are mostly due to untrained people using it. It can trash your computer in a nano.

So that's where those components are! It is a set of files/folders. Looks like part of the problem.

A delay in response will not be a problem. Tomorrow I will be traveling some myself but we will be in touch.
----------------------------------------------
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror
Download Mirror
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.
----------------------------------------------
If there is any problem with McAfee, Disable it until GooredFix is finished, then Re-enable

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Re: Browser redirected to random sites

Unread postby pjtroup » July 8th, 2009, 2:44 am

I didn't get any options with goored...it just ran and it generated the log below.
When I re-ran it, it generated the same log, so it does not appear to have fixed anything.

GooredFix by jpshortstuff (03.07.09)
Log created at 00:26 on 08/07/2009 (Paul Troup)
Firefox version 3.0.11 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [06:33 10/06/2008]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [23:53 22/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [05:44 15/04/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:52 22/03/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [08:47 07/05/2009]

-=E.O.F=-
pjtroup
Active Member
 
Posts: 13
Joined: June 28th, 2009, 5:06 pm

Re: Browser redirected to random sites

Unread postby askey127 » July 8th, 2009, 6:50 am

pjtroup,
--------------------------------------------------
Copy/paste the following quote box into a new notepad (not wordpad) document.
regedit /e look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox"
notepad look.txt
del /q look.txt

Save it to your Desktop as look.bat. Save it as File Type: All Files (not as a text document or it wont work).

Locate look.bat on your Desktop and double-click it.
When Notepad opens, copy/paste the content in your reply.
When you close Notepad, the CMD window will close automatically and the text file will be deleted.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Browser redirected to random sites

Unread postby pjtroup » July 9th, 2009, 4:33 am

Here is the stuff generated by running look.bat:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"jqs@sun.com"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,4a,00,61,00,76,00,61,00,5c,00,\
6a,00,72,00,65,00,36,00,5c,00,6c,00,69,00,62,00,5c,00,64,00,65,00,70,00,6c,\
00,6f,00,79,00,5c,00,6a,00,71,00,73,00,5c,00,66,00,66,00,00,00
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\\Program Files\\McAfee\\SiteAdvisor"
pjtroup
Active Member
 
Posts: 13
Joined: June 28th, 2009, 5:06 pm

Re: Browser redirected to random sites

Unread postby askey127 » July 9th, 2009, 7:04 am

-----------------------------------------------------------
Folder Deletion
In Windows Explorer (My Computer), navigate to the folder shown below, highlight, if found, and press Delete.
c:\documents and settings\paul troup\application data\mozilla\firefox\profiles\5glr35th.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
You may have to first open the folder, choose View, Details, and delete all the underlying files and folders before an entire folder can be deleted.
If you need to delete underlying files in a folder and are unable to do so:
Right click the file set for deletion, and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that,, note the name of the file, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
==============================
NOW DISABLE McAfee
==============================
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!!

  • Download ComboFix from here and save it to your desktop
  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running!
  • When finished, the report will open. Reenable your protection software and post the log in your next reply
A copy is located here: "C:\ComboFix.txt"
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Browser redirected to random sites

Unread postby pjtroup » July 10th, 2009, 5:44 am

Deleted the folder as requested.

Combofix log is below:

ComboFix 09-07-09.07 - Paul Troup 07/10/2009 4:19.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.789 [GMT -5:00]
Running from: c:\documents and settings\Paul Troup\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Paul Troup\Application Data\Microsoft\profile.dat
c:\windows\Installer\1aa28d.msp
c:\windows\Installer\247672a5.msi
c:\windows\Installer\247672ab.msi
c:\windows\Installer\247672b1.msi
c:\windows\Installer\36825fd.msp
c:\windows\Installer\4e8e3c15.msp
c:\windows\Installer\63c186d.msp
c:\windows\Installer\63c1880.msp
c:\windows\Installer\8a2359.msp
c:\windows\Installer\8a236d.msp
c:\windows\Installer\97fc0a.msp
c:\windows\Installer\97fc71.msp
c:\windows\Installer\e855fa.msp
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\hjgruinsdjrdtq.dat
c:\windows\system32\hjgruiskeemqll.dat
c:\windows\system32\pwdmon.dll
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZESOFT


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-05 19:35 . 2009-07-05 19:35 -------- d-sh--w- c:\documents and settings\Paul Troup\UserData
2009-07-05 02:55 . 2009-07-05 19:26 -------- d-----w- C:\ToolBar SD
2009-07-05 00:10 . 2009-07-05 00:10 -------- d-----w- C:\rsit
2009-06-29 03:31 . 2009-06-29 03:31 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-29 01:10 . 2009-06-29 01:10 -------- d-----w- c:\program files\Alwil Software
2009-06-28 22:29 . 2009-06-28 22:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-28 19:26 . 2009-07-05 00:10 -------- d-----w- c:\program files\Trend Micro
2009-06-28 18:52 . 2009-06-28 18:52 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 09:26 . 2004-09-26 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 07:01 . 2004-12-07 20:33 -------- d-----w- c:\documents and settings\Paul Troup\Application Data\wsInspector
2009-07-05 22:33 . 2004-09-26 13:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-05 02:25 . 2004-09-26 14:23 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-05 02:13 . 2004-08-22 04:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-05 02:11 . 2004-11-06 09:16 -------- d-----w- c:\program files\Resplendent Registrar
2009-07-05 00:03 . 2009-04-12 03:11 117760 ----a-w- c:\documents and settings\Paul Troup\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-04 23:51 . 2006-02-26 18:05 -------- d-----w- c:\program files\Java
2009-06-29 03:41 . 2006-02-26 04:25 -------- d-----w- c:\program files\Yahoo!
2009-06-29 02:54 . 2007-06-09 21:10 -------- d-----w- c:\program files\CCleaner
2009-06-28 22:30 . 2009-04-12 03:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-28 18:52 . 2008-10-26 21:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 16:27 . 2008-10-26 21:22 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2008-10-26 21:22 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 02:53 . 2007-02-20 08:25 -------- d-----w- c:\program files\Palm
2009-05-23 20:40 . 2009-05-23 20:40 -------- d-----w- c:\documents and settings\Paul Troup\Application Data\vlc
2009-05-07 15:32 . 1980-01-01 07:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-24 01:32 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 1980-01-01 07:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-10-15 12:09 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 05:42 . 2009-04-15 05:42 152576 ----a-w- c:\documents and settings\Paul Troup\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-13 04:32 . 2004-10-04 05:37 83096 ----a-w- c:\documents and settings\Paul Troup\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-26 20:59 . 2008-10-26 20:59 18758 ----a-w- c:\program files\Common Files\azadyro.exe
2008-10-26 20:59 . 2008-10-26 20:59 15827 ----a-w- c:\program files\Common Files\ybanycop.dat
2008-10-26 20:59 . 2008-10-26 20:59 13633 ----a-w- c:\program files\Common Files\elucemeb.bin
2008-10-26 20:59 . 2008-10-26 20:59 13441 ----a-w- c:\program files\Common Files\kusupiq.dat
2008-10-26 20:59 . 2008-10-26 20:59 13034 ----a-w- c:\program files\Common Files\vedoz.bin
2008-10-26 20:59 . 2008-10-26 20:59 11413 ----a-w- c:\program files\Common Files\umobagilaw._sy
2008-10-26 20:59 . 2008-10-26 20:59 10954 ----a-w- c:\program files\Common Files\xibogiwe.com
2008-10-26 20:59 . 2008-10-26 20:59 10506 ----a-w- c:\program files\Common Files\zyzovol._dl
2008-09-21 06:13 . 2008-09-21 06:13 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-22 00:39 . 2007-06-22 00:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-06-22 00:39 . 2007-06-22 00:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-01-20 581632]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frymxins"="c:\program files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"hffsrv"="c:\windows\hffext\hffsrv.exe" [2005-05-27 82432]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-10-04 356352]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"QCTray"="c:\progra~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-09-06 745472]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]
"QCWLIcon"="c:\progra~1\ThinkPad\CONNEC~1\QCWLIcon.exe" [2005-09-06 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"S3TRAY2"="S3Tray2.exe" - c:\windows\system32\S3Tray2.exe [2001-10-12 69632]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-08-24 40960]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"configmsi"="rmdir" [X]
"supportdir"="rmdir" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-10-04 04:59 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 17:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-09-06 09:08 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 05:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic Professional 6\\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [8/21/2004 11:24 PM 69632]
R1 FDCENT;FDCENT;c:\windows\system32\drivers\FDCENT.SYS [6/26/2007 1:06 AM 44928]
R1 NEOFLTR_600_13487;Juniper Networks TDI Filter Driver (NEOFLTR_600_13487);c:\windows\system32\drivers\NEOFLTR_600_13487.sys [8/13/2008 8:50 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [8/21/2004 11:24 PM 4736]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [8/21/2004 11:25 PM 16384]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [3/19/2004 2:05 PM 63872]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/7/2009 3:47 AM 210216]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [12/28/2008 1:32 AM 598856]
S2 0195131245902298mcinstcleanup;McAfee Application Installer Cleanup (0195131245902298);c:\windows\TEMP\019513~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\019513~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [8/21/2004 11:46 PM 12288]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-05-17 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-08-22 07:38]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-07 15:53]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-07 15:53]

2009-07-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Search &Dictionary - c:\program files\Lexico\Toolbar\dictionary.htm
IE: Search &Thesaurus - c:\program files\Lexico\Toolbar\thesaurus.htm
IE: Send To &Bluetooth - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} - hxxps://touchworks.cvapc.com/Touchworks ... Engine.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {46965FE7-2129-407B-938C-BE358A56D11E} - hxxps://touchworks.cvapc.com/TouchWorks ... iewer3.cab
DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} - hxxps://touchworks.cvapc.com/AHSWeb/IDX ... XTools.cab
DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} - hxxps://touchworks.cvapc.com/TouchWorks ... /twrtf.cab
DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} - hxxps://touchworks.cvapc.com/Touchworks/DictateBar.cab
DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} - hxxps://www-307.ibm.com/pc/support/acce ... ontrol.cab
DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} - hxxps://touchworks.cvapc.com/TouchWorks ... iewer2.cab
DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} - hxxps://touchworks.cvapc.com/AHSWeb/IDX ... DXWFCB.cab
DPF: {EECF9899-FC3A-4841-986F-30B874921B36} - hxxps://touchworks.cvapc.com/AHSWeb/IDX ... rowser.cab
FF - ProfilePath - c:\documents and settings\Paul Troup\Application Data\Mozilla\Firefox\Profiles\5glr35th.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 04:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\XR

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2764)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\IBM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Maxtor\Utils\SyncServices.exe
c:\program files\Intel\Wireless\Bin\OProtSvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\QCONSVC.EXE
c:\windows\system32\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\1XConfig.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-07-10 4:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 09:33

Pre-Run: 26,648,875,008 bytes free
Post-Run: 26,934,632,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

316 --- E O F --- 2009-06-19 07:54
pjtroup
Active Member
 
Posts: 13
Joined: June 28th, 2009, 5:06 pm

Re: Browser redirected to random sites

Unread postby askey127 » July 10th, 2009, 6:22 am

Restart McAfee if you haven't already and tell me how it's running.
The Recovery Console will just give you that momentary screen when you boot in case you ever need it.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Browser redirected to random sites

Unread postby pjtroup » July 12th, 2009, 12:07 am

Things seem OK. I have a program running intermittently in the taskbar called Secure Application Manager from Juniper software. Really have never seen or used this before. Tempted to remove it via Add/Remove programs. Add/Remove is performing a little better now than before. I have several restore points now (had only one before) for System Restore. I don't see the Recovery Console screen during boot up that you mentioned although Combofix (now quarantined by McAfee) said it was successfully installed.
The big question now is....am I finally clean?
Again, I appreciate your help with this problem.
pjtroup
Active Member
 
Posts: 13
Joined: June 28th, 2009, 5:06 pm

Re: Browser redirected to random sites

Unread postby askey127 » July 12th, 2009, 7:29 am

pjtroup
Your machine looks clean.
The recovery console is supposed to give you a very quick (2 seconds) black screen showing Windows XP and Recovery Console as choices to boot before Windows starts.
You can look up Secure Application Manager on Google to see what it does and if you want or need it.
If you have a Network to which you regularly connect, it may have been installed as part of that connection routine.
Good luck.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Browser redirected to random sites

Unread postby NonSuch » July 18th, 2009, 6:08 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 12 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware