
Google re-directs with IE 6.0 & Firefox 3.011

Post by Bob8187 » July 3rd, 2009, 1:35 pm

This just started today. I did find some suspicious programs newly installed to my C:\Windows dir:

ld12.exe and sysguard.exe

which I renamed to ld12.bak and sysguard.bak respectively. I also removed all references to these programs from my registry.

I never had a virus before, I'm completely unfamiliar with this process, and I don't know what the next steps are.


My HijackThis log is listed below. Thanks in advance to whoever chooses to help me.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:59 PM, on 7/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Download\Profilers\PrcView\PrcView.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\mike\Desktop\ProcessExp\procexp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - Global Startup: Shortcut to PrcView.exe.lnk = C:\Download\Profilers\PrcView\PrcView.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 1988 bytes

Re: Google re-directs with IE 6.0 & Firefox 3.011

Post by jmw3 » July 5th, 2009, 11:47 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this, ensure "Notify me when a reply is posted" is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes them much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after, two logs will appear: DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log

Re: Google re-directs with IE 6.0 & Firefox 3.011

Post by Bob8187 » July 6th, 2009, 6:33 pm

Sorry for the delay -- I was out of town. Thanks for taking the time to help me with this.

Here are the log results:


Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/27/2007 2:42:30 PM
System Uptime: 7/3/2009 1:07:18 PM (77 hours ago)

Motherboard: Intel Corporation | | WS440BX
Processor: Intel Pentium III processor | J4J1, CPU | 746/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 75 GiB total, 21.115 GiB free.
D: is FIXED (FAT32) - 19 GiB total, 9.782 GiB free.
E: is Removable
F: is CDROM ()
G: is CDROM ()
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

AC3Filter (remove only)
Adobe Acrobat 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.1
Agent Ransack Version 1.7.3
AutoUpdate
Creative Launcher
Creative PlayCenter
Creative Recorder
DivX
DivX Player
e-Film Reader-5 Ver 3.14
Eudora
Firecracker(TM)
GPL Ghostscript 8.57
GPL Ghostscript Fonts
GSpot Codec Information Appliance
GSview 4.8
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP DeskJet 880C Series (Remove only)
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.2_15
Java 2 SDK, SE v1.4.2_15
Java(TM) 6 Update 2
LimeWire 4.16.6
MGI PhotoSuite III SE (Remove Only)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Excel Viewer 97
Microsoft PowerPoint Viewer 97
Microsoft Visual C++ 6.0 Professional Edition
Microsoft Word 2000
Microsoft Works 2000
Microsoft Works 2000 Setup Launcher
Mozilla (1.7.13)
Mozilla Firefox (3.0.11)
Nero 6 Ultra Edition
Peck's Power Join
QuickAnswers
QuickTime
RealPlayer
Sansa Connect Device Recovery
ScanMaker 3630
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Sound Blaster Live! Value
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911164)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6c
WebFldrs XP
Winamp (remove only)
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Uninstall
WinPcap 4.0.2
WinZip
Word in Works Suite add-in
XviD MPEG-4 Video Codec
YOU DON'T KNOW JACK Television

==== Event Viewer Messages From Past Week ========

7/3/2009 12:16:05 PM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
7/3/2009 12:05:02 PM, error: Service Control Manager [7022] - The drv service hung on starting.
7/3/2009 11:57:08 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
6/29/2009 10:36:11 PM, error: Print [6161] - The document FaxContents-1.pdf owned by mike failed to print on printer HP DeskJet 882C. Data type: NT EMF 1.008. Size of the spool file in bytes: 1114112. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\COMPUTER. Win32 error code returned by the print processor: 2 (0x2).
6/29/2009 10:35:26 PM, error: Print [6161] - The document FaxContents-1.pdf owned by mike failed to print on printer HP DeskJet 882C. Data type: NT EMF 1.008. Size of the spool file in bytes: 1054764. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\COMPUTER. Win32 error code returned by the print processor: 2 (0x2).

==== End Of File ===========================



DDS.txt:


DDS (Ver_09-06-26.01) - FAT32x86
Run by mike at 18:20:36.81 on Mon 07/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.384.67 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
SVCHOST.EXE
C:\Download\Profilers\PrcView\PrcView.exe
C:\WINDOWS\system32\svchost.exe -k drv
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\mike\Desktop\ProcessExp\procexp.exe
svchost
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Desktop\tmp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.msn.com
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: RealGuide: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\SHDOCVW.DLL
mRun: [SystemTray] SysTray.Exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - c:\download\profilers\prcview\PrcView.exe
uPolicies-explorer: <NO NAME> = 00000000
uPolicies-explorer: NoFavoritesMenu = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: <NO NAME> = 00000000
dPolicies-explorer: NoFavoritesMenu = 01000000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\SHDOCVW.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... p43dmo.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... mv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/C ... 4340162037
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EUSHLEXT.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\zit26nr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.org/start/
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPAdbESD.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPDOC.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPDocBox.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava11.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava12.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava13.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava14.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJPI142_15.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPMHPNS.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOJI610.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nppdf32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprfxins.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPSVGVw.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R?2 drv;drv;c:\windows\system32\svchost.exe -k drv [2007-5-27 14336]
R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [2009-7-3 9344]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2009-07-04 06:57 208,744 a------- c:\windows\system32\muweb.dll
2009-07-03 12:49 <DIR> --d----- c:\program files\Trend Micro
2009-07-03 12:06 12,544 a------- c:\windows\system32\iehelper.dll
2009-07-03 10:39 <DIR> --d----- c:\program files\drv
2009-07-03 10:39 306,432 a------- c:\windows\sysguard.bak
2009-07-03 10:38 28,672 a------- c:\windows\ld12.bak

==================== Find3M ====================

2009-07-03 18:59 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\dllcache\localspl.dll
2009-04-27 05:17 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 11:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 11:11 584,192 a------- c:\windows\system32\dllcache\rpcrt4.dll
2008-09-20 19:09 48,408 a------- c:\docume~1\mike\applic~1\GDIPFONTCACHEV1.DAT
2005-03-14 13:01 266 ---sh--- c:\program files\desktop.ini
2005-03-14 13:01 11,079 ----h--- c:\program files\folder.htt

============= FINISH: 18:21:06.93 ===============



Gmer.txt:


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-06 18:29:05
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp drv.sys (drv/drv)

---- EOF - GMER 1.0.15 ----
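Added example, not from this thread or from the DDS/GMER authors: a small Python triage script over the DDS "SERVICES / DRIVERS" lines and the GMER "Devices" line posted above. It flags the three things a helper reads off these logs together (a svchost.exe service group that Windows does not ship, a kernel driver installed under Program Files instead of system32\drivers, and a filter driver attached to \Device\Tcp) and links the GMER hit back to the DDS entry by file name. The set of stock svchost group names is an assumption made for the example.

```python
"""Added triage helper for the DDS 'SERVICES / DRIVERS' and GMER 'Devices'
sections. It only reads log text and reports findings; it changes nothing."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the relevant lines copied from the DDS and GMER logs posted
# in this thread (embedded here so the script runs offline).
DDS_SERVICES = """\
R?2 drv;drv;c:\\windows\\system32\\svchost.exe -k drv [2007-5-27 14336]
R1 drvdrv;drvdrv;c:\\program files\\drv\\drv.sys [2009-7-3 9344]
R2 WinDefend;Windows Defender;c:\\program files\\windows defender\\MsMpEng.exe [2006-11-3 13592]
S3 NPF;NetGroup Packet Filter Driver;c:\\windows\\system32\\drivers\\npf.sys [2007-11-6 34064]
"""
GMER_DEVICES = "AttachedDevice \\Driver\\Tcpip \\Device\\Tcp drv.sys (drv/drv)\n"

# Assumption for this example: svchost service groups that a stock Windows XP
# install registers. A group name outside this set deserves a closer look,
# although a legitimate third-party product can also register one.
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice",
                        "localservice", "imgsvc", "termsvcs", "httpfilter"}

# Network device objects where a filter driver can see or rewrite traffic,
# including the DNS lookups behind a search-engine redirect.
NETWORK_DEVICES = {"\\device\\tcp", "\\device\\udp", "\\device\\ip"}

# DDS line shape: "<state> <name>;<display>;<command> [<date> <size>]"
DDS_LINE = re.compile(
    r"^(?P<state>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<cmd>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
# GMER line shape: "AttachedDevice \Driver\X \Device\Y <driver.sys> (<info>)"
GMER_LINE = re.compile(
    r"^AttachedDevice\s+(?P<target>\\\S+)\s+(?P<device>\\\S+)\s+"
    r"(?P<driver>\S+)\s+\((?P<info>[^)]*)\)$")


@dataclass
class Finding:
    source: str   # "dds" or "gmer"
    name: str     # service name (DDS) or driver file (GMER)
    image: str    # file name of the service/driver binary, lower-case
    reason: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_dds(text: str) -> list[Finding]:
    """Flag svchost groups Windows does not ship and drivers outside system32\\drivers."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        name, cmd = m["name"], m["cmd"].lower()
        if "svchost.exe -k " in cmd:
            exe, group = cmd.split(" -k ", 1)
            group = group.strip()
            if group not in KNOWN_SVCHOST_GROUPS:
                findings.append(Finding("dds", name, _basename(exe),
                    f"svchost.exe service group '{group}' is not a stock Windows group"))
        elif cmd.endswith(".sys") and "\\windows\\system32\\drivers\\" not in cmd:
            findings.append(Finding("dds", name, _basename(cmd),
                f"kernel driver loaded from {m['cmd']} instead of system32\\drivers"))
    return findings


def triage_gmer(text: str, dds_findings: list[Finding]) -> list[Finding]:
    """Flag filter drivers attached to the TCP/IP stack; link them to DDS hits by file name."""
    flagged_images = {f.image for f in dds_findings}
    findings: list[Finding] = []
    for line in text.splitlines():
        m = GMER_LINE.match(line.strip())
        if not m or m["device"].lower() not in NETWORK_DEVICES:
            continue
        driver = m["driver"]
        reason = f"{driver} is attached to {m['device']} and can inspect or rewrite traffic"
        if driver.lower() in flagged_images:
            reason += "; its file is also the subject of a DDS finding"
        findings.append(Finding("gmer", driver, driver.lower(), reason))
    return findings


def triage(dds_text: str, gmer_text: str) -> list[Finding]:
    dds = triage_dds(dds_text)
    return dds + triage_gmer(gmer_text, dds)


if __name__ == "__main__":
    for f in triage(DDS_SERVICES, GMER_DEVICES):
        print(f"[{f.source}] {f.name}: {f.reason}")
```

Run it on the embedded sample and it reports the drv svchost group, the drv.sys driver under Program Files, and the same drv.sys sitting on \Device\Tcp; the stock Windows Defender and WinPcap entries produce nothing.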

Re: Google re-directs with IE 6.0 & Firefox 3.011

Post by jmw3 » July 6th, 2009, 8:45 pm

Hi
No need to attach any logs. Just copy the contents straight into your replies. :)

MRU P2P Policy
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

LimeWire 4.16.6

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the program listed above & any other P2P programs.

No Anti-virus
Looking over your logs, it seems you don't have any evidence of anti-virus software.
Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

Your computer must have only ONE anti-virus program installed at any time. Having more than one anti-virus program installed & active will cause program conflicts, false virus alerts, and system crashes.

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2
Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
ComboFix log
New HijackThis log
Update on how the computer is running

Re: Google re-directs with IE 6.0 & Firefox 3.011

Post by Bob8187 » July 6th, 2009, 10:18 pm

The issue seems to have been resolved -- I can now search using Google in any browser and click the links without being redirected.

Thanks for your patience and hard work!

The log files are below. BTW, any idea how I got infected, or are there too many possibilities?


hijackthislog.tx:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:07 PM, on 7/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Download\Profilers\PrcView\PrcView.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - Global Startup: Shortcut to PrcView.exe.lnk = C:\Download\Profilers\PrcView\PrcView.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 2160 bytes



ComboFix.txt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:07 PM, on 7/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Download\Profilers\PrcView\PrcView.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - Global Startup: Shortcut to PrcView.exe.lnk = C:\Download\Profilers\PrcView\PrcView.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 2160 bytes
Bob8187
Active Member
 
Posts: 5
Joined: July 3rd, 2009, 1:27 pm

Re: Google re-directs with IE 6.0 & Firefox 3.011

Unread postby jmw3 » July 6th, 2009, 10:30 pm

Hi
Good to hear things are better. Not quite finished yet though.

You posted the HijackThis log twice. Could you post the contents of the ComboFix Log please. You'll find it at C:\ComboFix.txt
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Google re-directs with IE 6.0 & Firefox 3.011

Unread postby Bob8187 » July 6th, 2009, 10:59 pm

Darn it. Sorry.


ComboFix.txt


ComboFix 09-07-06.02 - mike 07/06/2009 21:56.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.384.178 [GMT -4:00]
Running from: c:\documents and settings\mike\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\hosts
c:\windows\start.exe
c:\windows\system32\iehelper.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\Web\default.htt

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRV
-------\Service_drv


((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-04 10:57 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-07-03 16:49 . 2009-07-03 16:49 -------- d-----w- c:\program files\Trend Micro
2009-07-03 14:39 . 2009-07-03 14:39 -------- d-----w- c:\program files\drv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 00:36 . 2007-05-28 17:36 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2009-05-07 15:44 . 2007-05-27 17:33 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2007-05-27 17:36 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2007-05-27 17:33 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2007-05-27 19:36 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2007-05-27 17:34 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2005-03-14 17:01 . 2000-03-10 20:00 11079 ---h--w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-07-03 12:16 8454656 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Tweak UI"="TWEAKUI.CPL" - c:\windows\SYSTEM32\TWEAKUI.CPL [2000-06-18 106544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Shortcut to PrcView.exe.lnk - c:\download\Profilers\PrcView\PrcView.exe [2002-7-20 135168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000
"NoFavoritesMenu"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000
"NoFavoritesMenu"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\QUALCOMM\EUDORA\EUSHLEXT.DLL" [2002-03-28 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\j2sdk1.4.2_15\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\System32\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/3/2009 10:39 AM 9344]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [11/6/2007 3:22 PM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\mike\Application Data\Mozilla\Firefox\Profiles\zit26nr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.org/start/
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPAdbESD.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPDOC.DLL
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPDocBox.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava11.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava12.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava13.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava14.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJPI142_15.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPMHPNS.DLL
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPOJI610.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppdf32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprfxins.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPSVGVw.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwmsdrm.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 22:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\SYSTEM32\DEVLDR32.EXE
.
**************************************************************************
.
Completion time: 2009-07-07 22:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 02:06

Pre-Run: 23,456,612,352 bytes free
Post-Run: 23,735,894,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

141 --- E O F --- 2009-07-06 23:22
Bob8187
Active Member
 
Posts: 5
Joined: July 3rd, 2009, 1:27 pm

Re: Google re-directs with IE 6.0 & Firefox 3.011

Unread postby jmw3 » July 7th, 2009, 6:15 am

Hi
Still don't see any evidence of anti-virus software. We'll just be going in circles and wasting my time and yours if you don't install any:
1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

Do you have access to a usb Flashdrive & a clean computer running XP Service Pack 2? You have an important file missing that needs to be replaced.

Upload Files for Scanning
Go to VirSCAN & upload the following File/s for scanning.
  • Copy & paste the following File & Path in the text box next to the Browse button.
    C:\Download\Profilers\PrcView\PrcView.exe
  • Click Upload.
  • Wait for scans to finish then copy & paste the results into your next reply.
Fix HiJackThis Entries
  • Open HiJackThis
  • Click on Do a system scan only
  • Place a checkmark next to these lines(if still present):
O24 - Desktop Component 0: (no name) - (no file)

  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.
CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Driver::
drvdrv
Folder::
c:\program files\drv
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\j2sdk1.4.2_15\\jre\\bin\\javaw.exe"=-
"c:\\WINDOWS\\System32\\javaw.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt".
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 14.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 14. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Do an online scan with Kaspersky Online Scanner
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
To post in next reply:
ComboFix log
Kaspersky Scan log
New HijackThis log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
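The CFScript above removes the three firewall exceptions and the globally open port that the drv service had registered. As an added example that is not part of this thread, of ComboFix or of the helper's tooling, the Python script below parses the firewall-policy and svchost entries from the "Reg Loading Points" section of a ComboFix log, flags everything that is not in an assumed XP SP2 baseline (only the Remote Assistance exception, sessmgr.exe, is treated as stock), and renders the flagged values as the same Registry:: deletion block. The sample input is copied from the ComboFix log posted earlier in the thread.

```python
"""Triage the firewall and svchost entries ComboFix lists under 'Reg Loading Points'.

Added example for this thread; not ComboFix code and not the helper's own tooling.
The sample dump below is copied from the ComboFix log posted above. The baseline of
'default' firewall exceptions is an assumption: a stock XP SP2 profile is taken to
contain only the Remote Assistance entry (sessmgr.exe).
"""
import re

# Sample input, constructed from the relevant lines of the posted ComboFix log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\j2sdk1.4.2_15\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\System32\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
"""

# Assumed baseline (not stated in the thread): XP SP2's only stock firewall exception.
DEFAULT_AUTHORIZED_APPS = {r"%windir%\system32\sessmgr.exe".casefold()}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"=\s*(.*)$')                 # "name"=value, .reg style
MULTI_SZ_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")  # ComboFix's svchost rendering


def parse_reg_dump(text):
    """Split a REGEDIT4-style dump into {key: [(name, value), ...]}.

    Keys are kept verbatim so they can be echoed into a CFScript. Value names have
    the doubled backslashes of .reg syntax collapsed so they compare like paths.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line) or MULTI_SZ_RE.match(line)
        if m:
            name = m.group(1).replace("\\\\", "\\")
            sections[current].append((name, m.group(2).strip()))
    return sections


def audit(sections):
    """Return the entries worth a second look, keyed by the registry key they sit under.

    Firewall exceptions are compared against the baseline; every globally open
    port is reported (a clean profile opens none); every svchost group shown is
    reported because ComboFix already hides the default groups in that section.
    """
    findings = {}
    for key, entries in sections.items():
        parts = key.lower().split("\\")
        if "authorizedapplications" in parts:
            hits = [(n, v) for n, v in entries if n.casefold() not in DEFAULT_AUTHORIZED_APPS]
        elif "globallyopenports" in parts or parts[-1] == "svchost":
            hits = list(entries)
        else:
            continue
        if hits:
            findings[key] = hits
    return findings


def cfscript_registry(findings):
    """Render the firewall findings as a CFScript Registry:: block.

    "name"=- is .reg deletion syntax, which is what ComboFix applies. The svchost
    group is skipped: that is handled by the Driver:: section, as in the helper's script.
    """
    lines = ["Registry::"]
    for key, entries in findings.items():
        if key.lower().endswith("\\svchost"):
            continue
        lines.append(f"[{key}]")
        for name, _value in entries:
            reg_name = name.replace("\\", "\\\\")
            lines.append(f'"{reg_name}"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_reg_dump(SAMPLE_LOG))
    for key, entries in found.items():
        print(f"[{key}]")
        for name, value in entries:
            print(f"  {name}  ->  {value or '(no data)'}")
    print()
    print(cfscript_registry(found))
```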

Re: Google re-directs with IE 6.0 & Firefox 3.011

Unread postby Bob8187 » July 10th, 2009, 7:23 pm

I did download anti-virus software as you requested, but I didn't install it at the time, because the directions for ComboFix indicated that there should be no anti-virus software running while it executed. It is installed now. Sorry. Very, very, very sorry and double sorry.

I do have a USB drive and access to an XP box.

The log files are below. Thanks.


ComboFix.txt:


ComboFix 09-07-09.06 - mike 07/09/2009 20:30.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.384.252 [GMT -4:00]
Running from: c:\documents and settings\mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mike\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\drv
c:\program files\drv\drv.dll
c:\program files\drv\drv.sys

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRVDRV
-------\Service_drvdrv


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-07 23:12 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-07 23:12 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-07 23:12 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-07 23:12 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-07 23:11 . 2009-07-07 23:12 -------- d-----w- c:\program files\Avira
2009-07-07 23:11 . 2009-07-07 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-04 10:57 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-07-03 16:49 . 2009-07-03 16:49 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 00:36 . 2007-05-28 17:36 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2009-05-07 15:44 . 2007-05-27 17:33 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2007-05-27 17:36 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2007-05-27 17:33 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2007-05-27 19:36 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2007-05-27 17:34 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2005-03-14 17:01 . 2000-03-10 20:00 11079 ---h--w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((( SnapShot@2009-07-07_02.03.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 06:19 . 2007-11-07 06:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-07-07 23:12 . 2009-05-11 14:12 28520 c:\windows\SYSTEM32\DRIVERS\ssmdrv.sys
+ 2008-07-29 12:05 . 2008-07-29 12:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 07:54 . 2008-07-29 07:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-07-07 23:09 . 2009-07-07 23:09 228352 c:\windows\Installer\487b9bc.msi
+ 2008-07-29 12:05 . 2008-07-29 12:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-07-03 12:16 8454656 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Tweak UI"="TWEAKUI.CPL" - c:\windows\SYSTEM32\TWEAKUI.CPL [2000-06-18 106544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Shortcut to PrcView.exe.lnk - c:\download\Profilers\PrcView\PrcView.exe [2002-7-20 135168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000
"NoFavoritesMenu"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000
"NoFavoritesMenu"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\QUALCOMM\EUDORA\EUSHLEXT.DLL" [2002-03-28 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/7/2009 7:12 PM 108289]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [11/6/2007 3:22 PM 34064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGNTFLT
*NewlyCreated* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\mike\Application Data\Mozilla\Firefox\Profiles\zit26nr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.org/start/
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPAdbESD.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPDOC.DLL
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPDocBox.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava11.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava12.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava13.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava14.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJava32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPJPI142_15.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPMHPNS.DLL
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPOJI610.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppdf32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprfxins.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPSVGVw.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwmsdrm.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 20:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\SYSTEM32\DEVLDR32.EXE
.
**************************************************************************
.
Completion time: 2009-07-10 20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 00:42
ComboFix2.txt 2009-07-07 02:06

Pre-Run: 23,027,974,144 bytes free
Post-Run: 23,010,115,584 bytes free

163 --- E O F --- 2009-07-06 23:22





KasperskyScanLog.txt:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 10, 2009 02:39:28
Records in database: 2453139
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 185847
Threat name: 17
Infected objects: 34
Suspicious objects: 1
Duration of the scan: 16:16:28


File name / Threat name / Threats count
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090703-130302-829.dll Infected: Trojan.Win32.BHO.vkp 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\iehelper.dll.vir Infected: Trojan.Win32.BHO.vkp 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wbem\proquota.exe.vir Infected: Trojan.Win32.Inject.afhr 1
C:\Qoobox\Quarantine\C\Program Files\drv\drv.dll.vir Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\Qoobox\Quarantine\C\Program Files\drv\drv.sys.vir Infected: Rootkit.Win32.Small.adn 1
C:\WINDOWS\ld12.bak Infected: Trojan-Downloader.Win32.Injecter.dbz 1
C:\WINDOWS\sysguard.bak Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.xd 1
C:\Setup_Pckgs\fgf140.exe Infected: not-a-virus:AdWare.Win32.Cydoor 1
C:\Documents and Settings\mike\My Documents\My Music\Depeche mode - Strangelove.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\default\e9rz4vo6.slt\Mail\mail.comcast.net\Old.Inbox.old Infected: Email-Worm.Win32.Bagle.da 1
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\default\e9rz4vo6.slt\Mail\mail.comcast-1.net\Inbox Infected: Exploit.HTML.CodeBaseExec 1
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\default\e9rz4vo6.slt\Mail\mail.comcast-1.net\Inbox Infected: Email-Worm.Win32.Bagle.al 1
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\default\e9rz4vo6.slt\Mail\mail.comcast-3.net\Inbox Infected: Email-Worm.Win32.Tanatos.b.dam 1
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\default\e9rz4vo6.slt\Mail\mail.comcast-3.net\Inbox Infected: Email-Worm.Win32.Sobig.f 2
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\default\e9rz4vo6.slt\Mail\mail.comcast-3.net\Inbox Infected: Email-Worm.Win32.Tanatos.b 1
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\default\e9rz4vo6.slt\Mail\mail.comcast-3.net\Inbox Infected: Exploit.HTML.ObjData 1
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\default\e9rz4vo6.slt\Mail\mail.comcast-3.net\Inbox Infected: Trojan-Spy.HTML.Bankfraud.w 1
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\default\e9rz4vo6.slt\tmp\mail.comcast-1.net\Inbox Infected: Exploit.HTML.CodeBaseExec 1
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\default\e9rz4vo6.slt\tmp\mail.comcast-1.net\Inbox Infected: Email-Worm.Win32.Bagle.al 1
C:\Documents and Settings\mike\Application Data\Mozilla\Profiles\hokiejoe\yh2vz1ei.slt\Mail\mail.comcast.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\System Volume Information\_restore{8B5FA709-A546-4138-991D-2ED24A509374}\RP1\A0000020.dll Infected: Trojan.Win32.BHO.vkp 1
C:\System Volume Information\_restore{8B5FA709-A546-4138-991D-2ED24A509374}\RP1\A0000021.exe Infected: Trojan.Win32.Inject.afhr 1
C:\System Volume Information\_restore{8B5FA709-A546-4138-991D-2ED24A509374}\RP3\A0000207.dll Infected: Trojan-Downloader.Win32.Agent.chpc 1
C:\System Volume Information\_restore{8B5FA709-A546-4138-991D-2ED24A509374}\RP3\A0000208.sys Infected: Rootkit.Win32.Small.adn 1
D:\Program Files\FlashGet\BACKUP\cd_install277.exe Infected: not-a-virus:AdWare.Win32.Cydoor 1
D:\Program Files\FlashGet\BACKUP\cd_install277.001 Infected: not-a-virus:AdWare.Win32.Cydoor 1
D:\WINDOWS\Application Data\Mozilla\Profiles\default\esyvi7x9.slt\Mail\mail.comcast.net\Inbox Infected: Exploit.HTML.CodeBaseExec 1
D:\WINDOWS\Application Data\Mozilla\Profiles\default\esyvi7x9.slt\Mail\mail.comcast.net\Inbox Infected: Email-Worm.Win32.Bagle.al 1
D:\WINDOWS\Application Data\Mozilla\Profiles\default\esyvi7x9.slt\Mail\mail.comcast-3.net\Inbox Infected: Email-Worm.Win32.Tanatos.b.dam 1
D:\WINDOWS\Application Data\Mozilla\Profiles\default\esyvi7x9.slt\Mail\mail.comcast-3.net\Inbox Infected: Email-Worm.Win32.Sobig.f 2
D:\WINDOWS\Application Data\Mozilla\Profiles\default\esyvi7x9.slt\Mail\mail.comcast-3.net\Inbox Infected: Email-Worm.Win32.Tanatos.b 1
D:\WINDOWS\Application Data\Mozilla\Profiles\default\esyvi7x9.slt\Mail\mail.comcast-3.net\Inbox Infected: Exploit.HTML.ObjData 1
D:\WINDOWS\Application Data\Mozilla\Profiles\default\esyvi7x9.slt\Mail\mail.comcast-3.net\Inbox Infected: Trojan-Spy.HTML.Bankfraud.w 1

The selected area was scanned.

HijackThis.txt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:29 PM, on 7/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Download\Profilers\PrcView\PrcView.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: Shortcut to PrcView.exe.lnk = C:\Download\Profilers\PrcView\PrcView.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 2738 bytes
Bob8187
Active Member

Posts: 5
Joined: July 3rd, 2009, 1:27 pm
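An added example, not part of the original thread and not a HijackThis feature: a small Python triage over the O2/O4/O23/O24 lines from the log above. It flags autostart and service entries whose binary sits outside Program Files and Windows (the C:\Download\Profilers\PrcView\PrcView.exe entry), entries that give no absolute path and so depend on PATH at boot (the Tweak UI RUNDLL32 line), and dangling entries that name no file (the O24 line). The trusted-directory list and the sample subset are assumptions for illustration.

```python
"""Triage autostart and service lines from a HijackThis log.

Added example, not part of the original thread or of HijackThis itself.
SAMPLE_LOG is a subset of the lines posted above; the list of trusted
directories is an assumption for illustration.
"""
import re

# Directories where legitimately installed software is expected (assumption).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# "O4 - HKLM\..\Run: [name] path args" -> (code, rest of line)
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First absolute Windows path ending in a loadable file type.
PATH_RE = re.compile(
    r"([A-Za-z]:\\[^\"<>|*?]+?\.(?:exe|dll|sys|cpl|scr|com|bat|pif))", re.IGNORECASE)
# A bare executable name with no directory (resolved through PATH at boot).
BARE_EXE_RE = re.compile(r"\b[\w~.-]+\.(?:exe|dll|cpl|scr|com|bat|pif)\b", re.IGNORECASE)

# Constructed sample: a subset of the O2/O4/O23/O24 lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - Global Startup: Shortcut to PrcView.exe.lnk = C:\Download\Profilers\PrcView\PrcView.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O24 - Desktop Component 0: (no name) - (no file)
"""


def triage(log_text):
    """Return a list of {code, line, path, reasons} for entries worth a look."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, rest = m.groups()
        pm = PATH_RE.search(rest)
        path = pm.group(1) if pm else None
        reasons = []
        if "(no file)" in rest:
            # Orphaned entry: harmless by itself, but a leftover from something removed.
            reasons.append("dangling entry: names a file that no longer exists")
        elif path is None:
            if BARE_EXE_RE.search(rest):
                # No directory given: whatever PATH resolves first gets executed.
                reasons.append("no absolute path: binary is resolved through PATH at boot")
        elif not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("binary outside Program Files / Windows: " + path)
        if reasons:
            findings.append({"code": code, "line": rest, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["code"], "|", f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

The allow-list is deliberately crude: it is a first pass that tells you which entries to look up or submit for analysis, exactly the question the helper asks about PrcView.exe; it does not say an entry is malicious, and anything under Program Files still deserves a check of publisher and file version.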

Re: Google re-directs with IE 6.0 & Firefox 3.011

Unread postby jmw3 » July 10th, 2009, 10:23 pm

Hi
How did you go uploading that file for analysis: C:\Download\Profilers\PrcView\PrcView.exe, or do you know what this is?

I do have a USB drive and access to an XP box.
Ok.. good. We need to copy a file from the clean computer.
On the clean computer do this:
View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK
  • Plug your usb drive into the clean computer
  • Navigate to C:\Windows\System32\proquota.exe
  • Copy the proquota.exe file to your usb drive by either drag/drop or copy/paste
  • Once the proquota.exe file is on your usb drive unplug it from the clean computer & plug it into the other computer
  • Open your usb drive & copy the proquota.exe file to the C:\Windows\System32 folder by either drag/drop or copy/paste
Run ComboFix again please (if it asks to update allow it to do so).

OTM
Download OTM by OldTimer Here & save it to your desktop.
  • Double click on OTM.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error
Code:
:Files
C:\WINDOWS\ld12.bak
C:\WINDOWS\sysguard.bak
C:\Documents and Settings\mike\My Documents\My Music\Depeche mode - Strangelove.mp3
:Commands
[Purity]
[EmptyTemp]
[Reboot]

  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

The Kaspersky scan has flagged quite a few emails that appear to be infected. Looks as though they are in a comcast.net webmail account. Correct? Unfortunately it does not tell exactly which emails are infected. I would recommend deleting everything that is not important to you, such as emails with attachments (movies etc.)

To post in next reply:
ComboFix log
OTM log
Update on how the computer is running
jmw3
MRU Emeritus

Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
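The scan reports whole Inbox files as infected because Mozilla mail stores each folder as a single mbox file, and, as the helper notes, the scanner does not say which messages inside it are the problem. As an added example, not part of the original thread and not a Kaspersky or Mozilla tool, the Python below opens such a file with the standard mailbox module and reports, per message, executable or double-extension attachments and HTML bodies carrying the <object codebase=/data=> or <iframe> constructs behind detection names such as Exploit.HTML.CodeBaseExec and Exploit.HTML.ObjData. The sample mailbox is constructed; the extension list and the HTML patterns are assumptions.

```python
"""Find which messages in a Mozilla mbox Inbox carry the kind of content
the scan flagged (HTML <object> exploits, executable attachments).

Added example; it is not part of the original thread nor a Kaspersky or
Mozilla tool. The sample mailbox below is constructed for illustration.
"""
import mailbox
import os
import re
import tempfile

# Attachment extensions worth flagging (assumption; extend as needed).
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}

# <object ... codebase=...> / <object ... data=...> and <iframe> in HTML mail:
# the structures that detections like Exploit.HTML.CodeBaseExec and
# Exploit.HTML.ObjData refer to.
HTML_OBJECT_RE = re.compile(r"<object\b[^>]*\b(?:codebase|data)\s*=", re.I)
HTML_IFRAME_RE = re.compile(r"<iframe\b", re.I)

# Constructed sample in Mozilla's mbox layout ("From - <date>" separators).
SAMPLE_MBOX = """\
From - Sat Jul 04 10:00:00 2009
From: alice@example.invalid
To: mike@example.invalid
Subject: lunch
Content-Type: text/plain

See you at noon.

From - Sat Jul 04 10:05:00 2009
From: news@example.invalid
To: mike@example.invalid
Subject: Your account
Content-Type: text/html

<html><body><object classid="clsid:00000000-0000-0000-0000-000000000000" codebase="http://example.invalid/x"></object></body></html>

From - Sat Jul 04 10:10:00 2009
From: bob@example.invalid
To: mike@example.invalid
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

here they are
--b1
Content-Type: application/octet-stream; name="photo.jpg.exe"
Content-Disposition: attachment; filename="photo.jpg.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--

"""


def write_sample_mbox():
    """Write the constructed sample to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def message_reasons(msg):
    """Return the list of reasons one message looks dangerous (empty if none)."""
    reasons = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            pieces = fname.lower().split(".")
            if pieces[-1] in EXEC_EXT:
                reasons.append("executable attachment: " + fname)
            if len(pieces) > 2:
                # "photo.jpg.exe": the classic trick against hidden extensions.
                reasons.append("double extension: " + fname)
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html = payload.decode(part.get_content_charset() or "latin-1", errors="replace")
            if HTML_OBJECT_RE.search(html):
                reasons.append("HTML body embeds <object> with codebase/data")
            if HTML_IFRAME_RE.search(html):
                reasons.append("HTML body embeds <iframe>")
    return reasons


def triage_mbox(path):
    """Return [{index, subject, reasons}] for every flagged message in the mbox."""
    box = mailbox.mbox(path, create=False)
    flagged = []
    try:
        for index, msg in enumerate(box):
            reasons = message_reasons(msg)
            if reasons:
                flagged.append({"index": index, "subject": msg.get("Subject", ""),
                                "reasons": reasons})
    finally:
        box.close()
    return flagged


if __name__ == "__main__":
    sample = write_sample_mbox()
    for hit in triage_mbox(sample):
        print(hit["index"], repr(hit["subject"]), "; ".join(hit["reasons"]))
    os.remove(sample)
```

Run it against a copy of the Inbox file while the mail client is closed, then delete the flagged messages from inside the client and compact the folder: Mozilla only marks deleted messages in the mbox file, so the scanner will keep flagging the file until compaction rewrites it without them.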

Re: Google re-directs with IE 6.0 & Firefox 3.011

Unread postby chryssi2001 » July 15th, 2009, 11:58 am

Due to lack of activity this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
chryssi2001
MRU Teacher Emeritus

Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away