Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

brwser redirct, wireless router vulnerability?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

brwser redirct, wireless router vulnerability?

Unread postby Brey » August 7th, 2009, 5:20 pm

My browser sometimes redirects to 0x61.com and then my download speeds drop to about 0.45mbps.
it is super annoying and spybot and avg can't identify any issues.

Additionally I use a wireless router between my modem and desktop? Am I vulnerable to attack? And evidently most of my ports are visible and not truly stealthed...what can I do to fix that?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:45 PM, on 8/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Watchtower Library 2008 - English.lnk = C:\Program Files\Watchtower\Watchtower Library 2008\E\WTLibrary.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.shared.live.com/Pa6vGqB7 ... Upload.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c990a6341392e5) (gupdate1c990a6341392e5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

End of file - 6541 bytes
Active Member
Posts: 12
Joined: August 5th, 2009, 1:00 am
Register to Remove

Re: brwser redirct, wireless router vulnerability?

Unread postby MWR 3 day Mod » August 11th, 2009, 1:00 am


We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: brwser redirct, wireless router vulnerability?

Unread postby Odd dude » August 13th, 2009, 4:39 am

Looking over your log... back in a minute. :)
User avatar
Odd dude
Retired Graduate
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: brwser redirct, wireless router vulnerability?

Unread postby Odd dude » August 13th, 2009, 4:46 am

Hello, welcome to the forums, and I'm very sorry for the delay in getting to you.

I'm Odd dude, pleased to meet you; if it helps, you can call me OD ;). I will be helping you to get rid of whatever you have on your computer (don't worry, just the malware stuff :D). However, it is important to take note of the following:

  • Logs from malware removal programs (Hijackthis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  • Please carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Please try to reply within three days - failure to do so might result in this thread being archived before we have finished cleaning you up. :o
    If you need more time than that, all you need to do is tell me. ;)
  • Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is making sure that your antivirus definitions are up-to-date!
  • If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  • In Windows Vista, all tools need to be started by right clicking and selecting Run as administrator!
  • Lastly, I am no magican. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

You have TeaTimer running
This is good as TeaTimer protects you from many malicious changes to your registry. However, TeaTimer is a computer program, which has no way of distinguishing between good or malicious intentions; this means it might hinder the modifications I need to make to your system.

This means that TeaTimer will need to be disabled until you have been cleaned of malware.

  • Right-click on the Tea Timer icon in your system tray. It looks like this: Image
  • If you have the new version 1.5: click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System tray should now be now colourless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

This is not enough, there is a second step attached:

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left and click Tools
  • Now, also in left panel, click Resident - the pictogram shows a red/white shield.
  • In the Resident protection status frame, uncheck the box labelled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File > Exit to close Spybot
  • Reboot your machine for the changes to take effect.

When I give you the all-clear post, remember to reenable it!

Fix line in Hijackthis
  • Start HijackThis
  • Click Do a system scan only
  • Put a check next to the following item
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
  • Make sure that all other open windows are closed!
  • Press Fix checked.

DDS (Doesn't Do Squat)
Download DDS by sUBs to your desktop.
Your antivirus software might question the file. If it does, turn it off please :)
  • Double click DDS.scr to run it and wait for the scan to finish
  • When finished DDS.txt will open
  • A small while later, a prompt will open. Answer Yes
  • DDS will continue scanning
  • When done, Attach.txt will open
  • Post DDS.txt and attach Attach.txt

Lastly, to answer your question about the wireless router. You are currently not running firewall software which puts you at a greater risk than necessary. Unfortunately, firewall software usually does not play nicely with the software we use to clean your computer of malware. Therefore, we will install a firewall once you are clean. As for now, you are protected by the Windows firewall, which is not really great but adequate for the moment.
Short answer: yes, you are at a small risk. That small risk will be reduced even further when we install a firewall when all malware is gone. But there will always be a small risk - if you want no risk, then your only option is to not use the internet - which I'm sure is not an option. You have got nothing to worry about :)
User avatar
Odd dude
Retired Graduate
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: brwser redirct, wireless router vulnerability?

Unread postby Brey » August 13th, 2009, 7:33 pm

Hi OD,

Thanks for the help.

I have completed the first step. Just a note, I had to exit my antivirus prgm to run the dds. After it was complete I restarted it.


DDS (Ver_09-07-30.01) - NTFSx86
Run by BriBri at 16:20:54.16 on Thu 08/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.2029 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\BriBri\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\bribri\startm~1\programs\startup\watcht~1.lnk - c:\program files\watchtower\watchtower library 2008\e\WTLibrary.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/sh ... tor/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://crucial.com/controls/cpcScanner.cab
DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} - hxxps://secure.shared.live.com/Pa6vGqB7 ... Upload.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bribri\applic~1\mozilla\firefox\profiles\93sdrrs5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\bribri\local settings\application data\google\update\\npGoogleOneClick5.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - user.js: general.useragent.extra.zencast - c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
c:\program files\mozilla firefox\defaults\pref\WildBlue.js - pref("network.proxy.type", 2);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-15 96520]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-23 26184]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-15 282904]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 gupdate1c990a6341392e5;Google Update Service (gupdate1c990a6341392e5);c:\program files\google\update\GoogleUpdate.exe [2009-2-16 133104]

=============== Created Last 30 ================

2009-08-12 18:03 0 a------- C:\LOG3E.tmp
2009-08-12 17:03 0 a------- C:\LOG26.tmp
2009-08-05 15:50 <DIR> --d----- C:\Fonts Unloaded
2009-08-04 22:39 <DIR> --d----- c:\program files\Trend Micro
2009-08-04 22:27 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-02 18:21 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-08-02 18:21 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-02 18:21 <DIR> --d----- c:\program files\iPod
2009-08-02 18:21 <DIR> --d----- c:\program files\iTunes
2009-08-02 18:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-02 18:20 <DIR> --d----- c:\program files\Bonjour
2009-08-02 18:19 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-08-02 18:19 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-07-27 14:28 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-07-27 14:26 <DIR> --d--r-- c:\program files\Skype

==================== Find3M ====================

2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-20 15:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:24 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 16:21:19.18 ===============
You do not have the required permissions to view the files attached to this post.
Active Member
Posts: 12
Joined: August 5th, 2009, 1:00 am

Re: brwser redirct, wireless router vulnerability?

Unread postby Odd dude » August 14th, 2009, 4:32 am

Hi Brey :)

Thanks for the help.
You're welcome, only glad to help.
I have completed the first step. Just a note, I had to exit my antivirus prgm to run the dds. After it was complete I restarted it.
Great, that's exactly what you should have done :thumbleft:

I have two theories about what may be wrong with your computer... let's check for both.

Download GooredFix and save it to your desktop.
  • Double click the tool to run it.
  • Answer Yes when prompted whether to scan or not.
  • A log will open, copy and paste its contents in your next reply. The log is also copied onto your desktop, with a name of Goored.txt

Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.
Please download gmer.zip by GMER and save it to your desktop.

  • Right click the file you just downloaded and choose Extract all
  • Click Next
  • Click Browse
  • Click the + next to My Computer
  • Click Local Disk (C:)
  • Click Make new folder
  • Enter GMER
  • Click OK, then Next
  • Check Show extracted files and click Finish
  • Double click on GMER.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.
User avatar
Odd dude
Retired Graduate
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: brwser redirct, wireless router vulnerability?

Unread postby Brey » August 14th, 2009, 6:47 pm


Here are the results.


GooredFix by jpshortstuff (12.07.09)
Log created at 14:38 on 14/08/2009 (BriBri)
Firefox version 3.5 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [05:37 30/07/2007]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [22:52 20/06/2009]

"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [17:06 15/05/2008]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:52 20/06/2009]


GMER [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-14 15:37:05
Windows 5.1.2600 Service Pack 2

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 15, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 15, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 15, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EB1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 15, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 15, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 15, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EB8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 15, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90ECB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 15, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 15, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2836] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
Active Member
Posts: 12
Joined: August 5th, 2009, 1:00 am

Re: brwser redirct, wireless router vulnerability?

Unread postby Odd dude » August 15th, 2009, 4:28 am

Hi Brey :)

Both tests came back negative. That is good news, but it also means I don't yet know what's wrong.

I have another theory but the scan for it is a bit invasive, so I'll first consult with some of 'the guys' (my colleagues).
User avatar
Odd dude
Retired Graduate
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: brwser redirct, wireless router vulnerability?

Unread postby Odd dude » August 15th, 2009, 8:13 am

Hi :)

While I'm waiting for more input, it was suggested that we run one more scan which usually picks up a lot of unwanted junk (unwanted as in we don't want it to be on your computer, not as in we don't want the scanner to pick it up :D).

Please download Malwarebytes' Anti-Malware.

  • Install the program by following the prompts after double-clicking on mbam-setup.exe
  • Once you approach the final installation screen, put a check next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish
  • MBAM (that's an acronym of Malwarebytes' Anti-Malware) will now start. Choose Perform full scan and click Scan
  • Get a cup of coffee/tea/hot chocolate and watch some TV for about an hour.
  • Once the scan has finished, click OK, then Show Results.
  • Put a check next to everything, then click Remove selected.
  • Now, a log will open. Save this to your desktop and post it.
User avatar
Odd dude
Retired Graduate
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: brwser redirct, wireless router vulnerability?

Unread postby Brey » August 15th, 2009, 3:10 pm


Here are the results of the MBAN scan.


Malwarebytes' Anti-Malware 1.40
Database version: 2630
Windows 5.1.2600 Service Pack 2

8/15/2009 12:04:59 PM
mbam-log-2009-08-15 (12-04-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 165490
Time elapsed: 54 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Active Member
Posts: 12
Joined: August 5th, 2009, 1:00 am

Re: brwser redirct, wireless router vulnerability?

Unread postby Odd dude » August 15th, 2009, 4:41 pm

Hi Brey :)

That scan came back negative, but I now have some new ideas.

First of all, do you connect to the internet through a wireless router?

Kaspersky Online Scan
I would like you to run an online antivirus scan. Please click here to be taken to the Kaspersky site.

  • The site will present you with a list of important items. Read those. If you're unsure about something, stop and ask! If you're sure everything is all right, close all other windows.
  • Now, click Accept.
  • It will start a download rougly 10 MB in size. If prompted by your firewall to allow internet access, allow.
  • Once the download has finished, click Next.
  • Under Please select a target to scan, choose My Computer
  • Get a cup of coffee and watch some TV. Do not run any other programs while Kaspersky is scanning! If you're on dial-up, you can now terminate the internet connection if you wish.
  • Once finished, you will be presented with the results. Click Save as text and save the log to your desktop.

Post the results in your next reply.

If you couldn't run the scan (the applet is having some difficulties for some) please use these instructions instead. No need to perform them if you could run Kaspersky just fine.

ESET NOD32 Online Scan
Note: Please use Internet Explorer
Please go to ESET Online Scanner to run an online scan.
** Make sure you are using an account that has Administrative privileges **
    Press the "ESET Online Scanner" button.
  1. Check the box next to "YES, I accept the Terms of Use."... then click "Start".
  2. Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  3. Click "Start". Make sure that the options:
    • Remove found threats is UNCHECKED
    • Leave the "default" settings under Advanced as they are, if not set , place a check for:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  4. Click "Start"... ESET scanner will begin to download the virus signatures database. (This takes a while)
    When the signatures have been downloaded, the scan will start automatically.
  5. Wait for the scan to finish... it will take a while... please be patient. When the scan is finished...
  6. Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
  7. Copy and paste the contents of log.txt in your next reply.
User avatar
Odd dude
Retired Graduate
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: brwser redirct, wireless router vulnerability?

Unread postby Brey » August 15th, 2009, 6:36 pm


My network connection works this way:

Satellite dish to modem, modem to wireless router, wireless router to desktop via ethernet cable and wireless router to Wii, Ipod, laptop etc... via wifi. But the desktop is not receiving wifi.

I tried to use Kaspersky, but i do not have the appropriate browser for it. I am running the ESET scanner.

I have a side question: Could you recommend a good file converter? I want to take existing short movies I have taken and put them on my Ipod.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=18b089fb1c78134ea0831c6365dea6df
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-15 11:16:30
# local_time=2009-08-15 04:16:30 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1026 21 83 75 395070052656250
# scanned=70634
# found=1
# cleaned=0
# scan_time=2824
C:\Documents and Settings\BriBri\Local Settings\Application Data\Mozilla\Firefox\Profiles\93sdrrs5.default\Cache(3)\4AEBA324d01 JS/TrojanDownloader.Iframe.EY.gen trojan 00000000000000000000000000000000 I
Active Member
Posts: 12
Joined: August 5th, 2009, 1:00 am

Re: brwser redirct, wireless router vulnerability?

Unread postby Odd dude » August 16th, 2009, 6:12 am

Everything looks fine. Only one virus in your temp files to clean up:
Download ATF-Cleaner by Atribune to your desktop.
Start the program and place a check next to the following items:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Java Cache
  • Recycle Bin
Now click Empty Selected and click OK.

If you use FireFox, click the FireFox tab and place a check Select All. Click Empty Selected and answer No at the prompt.
If you use Opera, click the Opera tab and place a check Select All. Click Empty Selected and answer No at the prompt.

The only thing left that can cause your issues is a hijack of your router. You'll need to reset it - for instructions, please consult the manual that came with it. Afterwards, reboot your computer, then click Start>Run and copy and paste this:
Code: Select all
cmd /c for %t in (flush register) do ipconfig /%tdns

Then reboot your computer again.

Update outdated software
Your version of Adobe Reader is old and may contain security leaks. Please first uninstall the older version, then download and install the newest version from here.
Your version of Sun Java is outdated and may contain security leaks. First uninstall all versions of Java you have installed. Then download and install the latest version of Java from java.com.

Re. Abexo Free Registry Cleaner

I don't personally recommend the use of ANY Registry Cleaners or "Tweak" Tools

They are marketed as ways to make your machine run faster and more efficiently ...... Some will actually achieve this .... IF you know how to use them correctly.
Removing "Orphaned/Old/Obsolete" registry entries is fine ..... as long as they actually are "Orphaned/Old/Obsolete", it won't speed up your machine though
Stopping services and setting policies can speed up your machine ..... as long as you stop and set the right ones, and even then it's debatable if you will notice the improvement.

Remove the wrong registry entry, or stop the wrong service, and not only can you slow your machine .... you could kill it !

To use a Registry Cleaner or "Tweak" tool to its full advantage, you really need to know what it is they are doing and what else the changes may affect.
In short, if you know how to use them safely ----- you don't actually need them.

discussion on regcleaners >> http://forums.whatthetech.com/Regcleaner_t42862.html
And for more good information see what Miekiemoes has to say >> http://miekiemoes.blogspot.com/2008/02/ ... ng_13.html

I have a side question: Could you recommend a good file converter? I want to take existing short movies I have taken and put them on my Ipod.
No idea whatsoever... only thing I can think of is Windows Movie Maker :lol:
User avatar
Odd dude
Retired Graduate
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: brwser redirct, wireless router vulnerability?

Unread postby Brey » August 16th, 2009, 8:03 pm


Thanks for the help. I reset the router and I will see if that helps. Thanks so much for the help. You guys do great work.

Active Member
Posts: 12
Joined: August 5th, 2009, 1:00 am

Re: brwser redirct, wireless router vulnerability?

Unread postby Odd dude » August 18th, 2009, 3:05 am

Great. :)
Let me know whether it helps.
User avatar
Odd dude
Retired Graduate
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
Register to Remove


  • Similar Topics
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!

Who is online

Users browsing this forum: random/random and 37 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware